diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 958763bfbc..99aa1cfb42 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -20520,6 +20520,21 @@
"redirect_url": "/windows/client-management/mdm/configuration-service-provider-ddf",
"redirect_document_id": true
},
+ {
+ "source_path": "education/windows/education-scenarios-store-for-business.md",
+ "redirect_url": "/windows/resources",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/teacher-get-minecraft.md",
+ "redirect_url": "/education/windows/get-minecraft-for-education",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/school-get-minecraft.md",
+ "redirect_url": "/education/windows/get-minecraft-for-education",
+ "redirect_document_id": false
+ },
{
"source_path": "windows/security/identity-protection/credential-guard/dg-readiness-tool.md",
"redirect_url": "/windows/security/identity-protection/credential-guard/credential-guard",
diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
index bbfd85b95e..c8b17e2ff9 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
@@ -57,7 +57,7 @@ If you use Automatic Updates in your company, but want to stop your users from a
> The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-ie11-blocker-toolkit.yml).
- **Use an update management solution to control update deployment.**
- If you already use an update management solution, like [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [Microsoft Endpoint Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), you should use that instead of the Internet Explorer Blocker Toolkit.
+ If you already use an update management solution, like [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [Microsoft Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), you should use that instead of the Internet Explorer Blocker Toolkit.
> [!NOTE]
> If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company.
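Review bot: the renamed link text "Microsoft Configuration Manager" still points at /previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10), a System Center 2012 R2 page; now that the current product name is used, link to the current Configuration Manager documentation instead (the same patch already uses /mem/configmgr/core/ in chromebook-migration-guide.md).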
@@ -66,7 +66,7 @@ Additional information on Internet Explorer 11, including a Readiness Toolkit, t
## Availability of Internet Explorer 11
-Automatic Updates will start to distribute Internet Explorer 11 shortly after the final release of the product and will distribute it through the Microsoft Endpoint Manager and WSUS.
+Automatic Updates will start to distribute Internet Explorer 11 shortly after the final release of the product and will distribute it through the Microsoft Configuration Manager and WSUS.
## Prevent automatic installation of Internet Explorer 11 with WSUS
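Review bot: "through the Microsoft Configuration Manager and WSUS" reads awkwardly with the definite article in front of a product name; drop "the" so the line reads "will distribute it through Microsoft Configuration Manager and WSUS", matching how the name is used elsewhere in this patch.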
diff --git a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
index c0fb369154..1dd3438086 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
@@ -50,7 +50,7 @@ Internet Explorer 11 gives you some new Group Policy settings to help you manage
| Turn off the ability to launch report site problems using a menu option | Administrative Templates\Windows Components\Internet Explorer\Browser menus | Internet Explorer 11 | This policy setting allows you to manage whether users can start the **eport Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu.
If you enable this policy setting, users won’t be able to start the **Report Site Problems** dialog box from the Internet Explorer settings or the Tools menu.
If you disable or don’t configure this policy setting, users will be able to start the **Report Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu. |
| Turn off the flip ahead with page prediction feature | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | At least Internet Explorer 10 on Windows 8 | This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.
If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn’t loaded into the background.
If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.
If you don’t configure this setting, users can turn this behavior on or off, using the **Settings** charm.
**Note**
Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn’t available for Internet Explorer for the desktop. |
| Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether IE11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you enable this policy setting, IE11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you disable this policy setting, IE11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you don't configure this policy setting, users can turn this feature on or off using IE settings. This feature is turned off by default.
**Important**
When using 64-bit processes, some ActiveX controls and toolbars might not be available. |
-| Turn on Site Discovery WMI output | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.
If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as Microsoft Endpoint Configuration Manager.
If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class.
**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. |
+| Turn on Site Discovery WMI output | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.
If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as Microsoft Configuration Manager.
If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class.
**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. |
| Turn on Site Discovery XML output | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to manage the XML output functionality of the Internet Explorer Site Discovery Toolkit.
If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an XML file, stored in your specified location.
If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an XML file.
**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. |
| Use the Enterprise Mode IE website list | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10, version 1511 | This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode, instead of Standard mode, because of compatibility issues. Users can’t edit this list.
If you enable this policy setting, Internet Explorer downloads the Enterprise Mode website list from the `HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE`\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode hive, opening all included websites using Enterprise Mode. We recommend storing and downloading your list from a secure web server `(https://)`, to help protect against data tampering.
If you disable or don’t configure this policy setting, Internet Explorer opens all websites using **Standard** mode. |
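Review bot: since the Site Discovery WMI output row is being rewritten anyway, fix "an WMI class" (it appears twice in the replaced row) to "a WMI class". The unchanged context at the top of the hunk also has "**eport Site Problems**" with the leading R missing; it is outside the change, but it is a one-character fix worth folding in while this table is open.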
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
index 7015595563..2090ed72ef 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
@@ -33,7 +33,7 @@ Before you begin, you should:
- **Check the operating system requirements.** Check that the requirements for the computer you're building your installation package from, and the computers you're installing IE11 to, all meet the system requirements for IEAK 11 and IE11. For Internet Explorer requirements, see [System requirements and language support for Internet Explorer 11 (IE11)](system-requirements-and-language-support-for-ie11.md). For IEAK 11 requirements, see [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md).
-- **Decide on your distribution method.** Decide how to distribute your custom installation package: Windows Update, Microsoft Endpoint Configuration Manager, or your network.
+- **Decide on your distribution method.** Decide how to distribute your custom installation package: Windows Update, Microsoft Configuration Manager, or your network.
- **Gather URLs and branding and custom graphics.** Collect the URLs for your company's own **Home**, **Search**, and **Support** pages, plus any custom branding and graphic files for the browser toolbar button and the **Favorites** list icons.
diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md
index e41ec1ade3..8de6af0540 100644
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
@@ -1,29 +1,18 @@
----
-ms.date: 10/24/2020
----
-## Week of January 09, 2023
+## Week of February 20, 2023
| Published On |Topic title | Change |
|------|------------|--------|
-| 1/12/2023 | [Configure federation between Google Workspace and Azure AD](/education/windows/configure-aad-google-trust) | added |
-
-
-## Week of December 19, 2022
-
-
-| Published On |Topic title | Change |
-|------|------------|--------|
-| 12/22/2022 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
-
-
-## Week of December 12, 2022
-
-
-| Published On |Topic title | Change |
-|------|------------|--------|
-| 12/13/2022 | [Configure Stickers for Windows 11 SE](/education/windows/edu-stickers) | modified |
+| 2/22/2023 | [Upgrade Windows Home to Windows Education on student-owned devices](/education/windows/change-home-to-edu) | modified |
+| 2/22/2023 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
+| 2/22/2023 | [Management functionalities for Surface devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | modified |
+| 2/22/2023 | [Set up device management](/education/windows/tutorial-school-deployment/set-up-microsoft-intune) | modified |
+| 2/22/2023 | [Troubleshoot Windows devices](/education/windows/tutorial-school-deployment/troubleshoot-overview) | modified |
+| 2/23/2023 | Education scenarios Microsoft Store for Education | removed |
+| 2/23/2023 | [Get and deploy Minecraft Education](/education/windows/get-minecraft-for-education) | modified |
+| 2/23/2023 | For IT administrators get Minecraft Education Edition | removed |
+| 2/23/2023 | For teachers get Minecraft Education Edition | removed |
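Review bot: the hunk removes the whole YAML front matter block (the `---` / `ms.date: 10/24/2020` / `---` lines), not just the stale date; confirm the include file is meant to have no front matter at all, otherwise keep the block and update ms.date. The three "removed" rows match the source paths added in the .openpublishing.redirection.json hunk, which is consistent.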
diff --git a/education/windows/TOC.yml b/education/windows/TOC.yml
index bc030c32e4..b732e77d6d 100644
--- a/education/windows/TOC.yml
+++ b/education/windows/TOC.yml
@@ -46,6 +46,8 @@ items:
href: configure-aad-google-trust.md
- name: Configure Shared PC
href: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context
+ - name: Get and deploy Minecraft Education
+ href: get-minecraft-for-education.md
- name: Use the Set up School PCs app
href: use-set-up-school-pcs-app.md
- name: Change Windows edition
@@ -56,16 +58,6 @@ items:
href: change-to-pro-education.md
- name: Upgrade Windows Home to Windows Education on student-owned devices
href: change-home-to-edu.md
- - name: "Get and deploy Minecraft: Education Edition"
- items:
- - name: "Get Minecraft: Education Edition"
- href: get-minecraft-for-education.md
- - name: "For IT administrators: get Minecraft Education Edition"
- href: school-get-minecraft.md
- - name: "For teachers: get Minecraft Education Edition"
- href: teacher-get-minecraft.md
- - name: Work with Microsoft Store for Education
- href: education-scenarios-store-for-business.md
- name: Migrate from Chromebook to Windows
items:
- name: Chromebook migration guide
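Review bot: the removed hrefs school-get-minecraft.md, teacher-get-minecraft.md and education-scenarios-store-for-business.md line up with the three redirect entries added in .openpublishing.redirection.json, so old TOC links are covered. None of the deletions of those three .md files appears in this diff, so check that they are removed in the same change; otherwise the files remain orphaned while their redirects are already live.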
diff --git a/education/windows/change-home-to-edu.md b/education/windows/change-home-to-edu.md
index fea632b61a..f92de780a3 100644
--- a/education/windows/change-home-to-edu.md
+++ b/education/windows/change-home-to-edu.md
@@ -74,7 +74,7 @@ It's critical that MAKs are protected whenever they're used. The following proce
- Mobile Device Management (like Microsoft Intune) via [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp);
> [!IMPORTANT]
> If you are using a Mobile Device Management product other than Microsoft Intune, ensure the key isn't accessible by students.
-- Operating System Deployment processes with tools such as Microsoft Deployment Toolkit or Microsoft Endpoint Configuration Manager.
+- Operating System Deployment processes with tools such as Microsoft Deployment Toolkit or Microsoft Configuration Manager.
For a full list of methods to perform a Windows edition upgrade and more details, see [Windows 10 edition upgrade](/windows/deployment/upgrade/windows-10-edition-upgrades).
@@ -117,7 +117,7 @@ These steps provide instructions on how to use Microsoft Intune to upgrade devic
These steps configure a filter that will only apply to devices running the *Windows Home edition*. This filter will ensure only devices running *Windows Home edition* are upgraded. For more information about filters, see [Create filters in Microsoft Intune](/mem/intune/fundamentals/filters).
-- Start in the [**Microsoft Endpoint Manager admin console**](https://endpoint.microsoft.com)
+- Start in the [**Microsoft Intune admin center**](https://go.microsoft.com/fwlink/?linkid=2109431)
- Select **Tenant administration** > **Filters**
- Select **Create**
- Specify a name for the filter (for example *Windows Home edition*)
@@ -142,7 +142,7 @@ These steps configure a filter that will only apply to devices running the *Wind
These steps create and assign a Windows edition upgrade policy. For more information, see [Windows 10/11 device settings to upgrade editions or enable S mode in Intune](/mem/intune/configuration/edition-upgrade-windows-settings).
-- Start in the [**Microsoft Endpoint Manager admin console**](https://endpoint.microsoft.com)
+- Start in the [**Microsoft Intune admin center**](https://go.microsoft.com/fwlink/?linkid=2109431)
- Select **Devices** > **Configuration profiles**
- Select **Create profile**
- Select the **Platform** as **Windows 10 or later**
@@ -177,9 +177,9 @@ The edition upgrade policy will now apply to all existing and new Windows Home e
### Step 3: Report on device edition
-You can check the Windows versions of managed devices in the Microsoft Endpoint Manager admin console.
+You can check the Windows versions of managed devices in the Microsoft Intune admin center.
-- Start in the **Microsoft Endpoint Manager admin console**
+- Start in the **Microsoft Intune admin center**
- Select **Devices** > **Windows**
- Select the **Columns** button
- Select **Sku Family**
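Review bot: in this hunk the bold "Microsoft Intune admin center" is left unlinked, while the two earlier hunks in the same file link the same name via https://go.microsoft.com/fwlink/?linkid=2109431; link it here as well so all three step lists are consistent.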
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index 05c7db8963..969f81b3be 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -346,7 +346,7 @@ Table 5. Select on-premises AD DS, Azure AD, or hybrid
|--- |--- |--- |--- |
|Use Office 365||✔️|✔️|
|Use Intune for management||✔️|✔️|
-|Use Microsoft Endpoint Manager for management|✔️||✔️|
+|Use Microsoft Configuration Manager for management|✔️||✔️|
|Use Group Policy for management|✔️||✔️|
|Have devices that are domain-joined|✔️||✔️|
|Allow faculty and students to Bring Your Own Device (BYOD) which aren't domain-joined||✔️|✔️|
@@ -359,7 +359,7 @@ You may ask the question, “Why plan for device, user, and app management befor
Also, planning management before deployment is essential to being ready to support the devices as you deploy them. You want to have your management processes and technology in place when the first teachers, facility, or students start using their new Windows device.
-Table 6 is a decision matrix that lists the device, user, and app management products and technologies and the features supported by each product or technology. The primary device, user, and app management products and technologies include Group Policy, Microsoft Endpoint Configuration Manager, Intune, and the Microsoft Deployment Toolkit (MDT). Use this decision matrix to help you select the right combination of products and technologies for your plan.
+Table 6 is a decision matrix that lists the device, user, and app management products and technologies and the features supported by each product or technology. The primary device, user, and app management products and technologies include Group Policy, Microsoft Configuration Manager, Intune, and the Microsoft Deployment Toolkit (MDT). Use this decision matrix to help you select the right combination of products and technologies for your plan.
Table 6. Device, user, and app management products and technologies
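Review bot: the unchanged context line above the edit says "the first teachers, facility, or students"; "facility" should be "faculty" (the same document uses "faculty and students" elsewhere in this patch). It is outside the rename, but it is a one-word fix in a paragraph already being touched.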
@@ -464,7 +464,7 @@ Use the following Microsoft management systems and the deployment resources to p
- [Windows Autopilot](/mem/autopilot/windows-autopilot)
-- Microsoft Endpoint Configuration Manager [core infrastructure documentation](/mem/configmgr/core/)
+- Microsoft Configuration Manager [core infrastructure documentation](/mem/configmgr/core/)
- Provisioning packages:
diff --git a/education/windows/configure-aad-google-trust.md b/education/windows/configure-aad-google-trust.md
index 60ad9dce9e..2afa86f4c1 100644
--- a/education/windows/configure-aad-google-trust.md
+++ b/education/windows/configure-aad-google-trust.md
@@ -1,7 +1,7 @@
---
title: Configure federation between Google Workspace and Azure AD
description: Configuration of a federated trust between Google Workspace and Azure AD, with Google Workspace acting as an identity provider (IdP) for Azure AD.
-ms.date: 02/10/2023
+ms.date: 02/24/2023
ms.topic: how-to
---
@@ -24,7 +24,8 @@ To test federation, the following prerequisites must be met:
1. A Google Workspace environment, with users already created
> [!IMPORTANT]
- > Users require an email address defined in Google Workspace, which is used to match the users in Azure AD
+ > Users require an email address defined in Google Workspace, which is used to match the users in Azure AD.
+ > For more information about identity matching, see [Identity matching in Azure AD](federated-sign-in.md#identity-matching-in-azure-ad).
1. Individual Azure AD accounts already created: each Google Workspace user will require a matching account defined in Azure AD. These accounts are commonly created through automated solutions, for example:
- School Data Sync (SDS)
- Azure AD Connect sync for environment with on-premises AD DS
@@ -38,14 +39,14 @@ To test federation, the following prerequisites must be met:
1. Select **Add app > Search for apps** and search for *microsoft*
1. In the search results page, hover over the *Microsoft Office 365 - Web (SAML)* app and select **Select**
:::image type="content" source="images/google/google-admin-search-app.png" alt-text="Screenshot showing Google Workspace and the search button for Microsoft Office 365 SAML app.":::
-1. On the *Google Identity Provider details* page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it will be used to setup Azure AD later
-1. On the *Service provider details* page
+1. On the **Google Identity Provider details** page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it will be used to setup Azure AD later
+1. On the **Service provider detail*s** page
- Select the option **Signed response**
- Verify that the Name ID format is set to **PERSISTENT**
- Depending on how the Azure AD users have been provisioned in Azure AD, you may need to adjust the **Name ID** mapping.\
If using Google auto-provisioning, select **Basic Information > Primary email**
- Select **Continue**
-1. On the *Attribute mapping* page, map the Google attributes to the Azure AD attributes
+1. On the **Attribute mapping** page, map the Google attributes to the Azure AD attributes
|Google Directory attributes|Azure AD attributes|
|-|-|
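Review bot: the new line `1. On the **Service provider detail*s** page` has a stray asterisk inside the bold span, which will render the markup incorrectly; it should read `1. On the **Service provider details** page`. While changing the neighbouring step, "as it will be used to setup Azure AD later" should be "set up" (verb), not "setup".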
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index 4935d37ed7..25b23567fd 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -1,6 +1,6 @@
---
title: Deploy Windows 10 in a school district (Windows 10)
-description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use Microsoft Endpoint Configuration Manager, Intune, and Group Policy to manage devices.
+description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use Microsoft Configuration Manager, Intune, and Group Policy to manage devices.
ms.topic: how-to
ms.date: 08/10/2022
appliesto:
@@ -9,7 +9,7 @@ appliesto:
# Deploy Windows 10 in a school district
-This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Endpoint Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system.
+This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system.
## Prepare for district deployment
@@ -125,7 +125,7 @@ Now that you've the plan (blueprint) for your district and individual schools an
The primary tool you'll use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI).
-You can use MDT as a stand-alone tool or integrate it with Microsoft Endpoint Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments.
+You can use MDT as a stand-alone tool or integrate it with Microsoft Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments.
This guide focuses on LTI deployments to deploy the reference device. You can use ZTI deployments with Configuration Manager or LTI deployments to deploy the reference images to your faculty and student devices. If you want to only use MDT, see [Deploy Windows 10 in a school](./deploy-windows-10-in-a-school.md).
@@ -163,7 +163,7 @@ The high-level process for deploying and configuring devices within individual c
6. On the reference devices, deploy Windows 10 and the Windows desktop apps on the device, and then capture the reference image from the devices.
-7. Import the captured reference images into MDT or Microsoft Endpoint Configuration Manager.
+7. Import the captured reference images into MDT or Microsoft Configuration Manager.
8. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10.
@@ -191,9 +191,9 @@ Before you select the deployment and management methods, you need to review the
|Scenario feature |Cloud-centric|On-premises and cloud|
|---|---|---|
|Identity management | Azure AD (stand-alone or integrated with on-premises AD DS) | AD DS integrated with Azure AD |
-|Windows 10 deployment | MDT only | Microsoft Endpoint Manager with MDT |
+|Windows 10 deployment | MDT only | Microsoft Configuration Manager with MDT |
|Configuration setting management | Intune | Group Policy
Intune|
-|App and update management | Intune |Microsoft Endpoint Configuration Manager
Intune|
+|App and update management | Intune |Microsoft Configuration Manager
Intune|
*Table 1. Deployment and management scenarios*
@@ -205,19 +205,19 @@ These scenarios assume the need to support:
Some constraints exist in these scenarios. As you select the deployment and management methods for your device, keep the following constraints in mind:
* You can use Group Policy or Intune to manage configuration settings on a device but not both.
-* You can use Microsoft Endpoint Manager or Intune to manage apps and updates on a device but not both.
+* You can use Configuration Manager or Intune to manage apps and updates on a device but not both.
* You can't manage multiple users on a device with Intune if the device is AD DS domain joined.
Use the cloud-centric scenario and on-premises and cloud scenario as a guide for your district. You may need to customize these scenarios, however, based on your district. As you go through the [Select the deployment methods](#select-the-deployment-methods), [Select the configuration setting management methods](#select-the-configuration-setting-management-methods), and the [Select the app and update management products](#select-the-app-and-update-management-products) sections, remember these scenarios and use them as the basis for your district.
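Review bot: this hunk renames "Microsoft Endpoint Manager" to plain "Configuration Manager", while every other hunk in the patch uses "Microsoft Configuration Manager" for the first mention in a passage; use the full name here too, or make the short form a deliberate convention after the full name has been introduced in the section.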
### Select the deployment methods
-To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpoint Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution.
+To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Configuration Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution.
|Method|Description|
|--- |--- |
|MDT|MDT is an on-premises solution that supports initial operating system deployment and upgrade. You can use MDT to deploy and upgrade Windows 10. In addition, you can initially deploy Windows desktop and Microsoft Store apps and software updates.
Select this method when you:
Want to deploy Windows 10 to institution-owned and personal devices. (Devices need not be domain joined.) Don’t have an existing AD DS infrastructure. Need to manage devices regardless of where they are (on or off premises).
The advantages of this method are that:
You can deploy Windows 10 operating systems You can manage device drivers during initial deployment. You can deploy Windows desktop apps (during initial deployment) It doesn’t require an AD DS infrastructure.It doesn’t have extra infrastructure requirements.MDT doesn’t incur extra cost: it’s a free tool.You can deploy Windows 10 operating systems to institution-owned and personal devices.
The disadvantages of this method are that it:
Can’t manage applications throughout entire application life cycle (by itself).Can’t manage software updates for Windows 10 and apps (by itself).Doesn’t provide antivirus and malware protection (by itself).Has limited scaling to large numbers of users and devices.|
-|Microsoft Endpoint Configuration Manager| Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.
Select this method when you: Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined). Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure). Typically deploy Windows 10 to on-premises devices.
The advantages of this method are that: You can deploy Windows 10 operating systems.You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle.You can manage software updates for Windows 10 and apps.You can manage antivirus and malware protection.It scales to large number of users and devices.
The disadvantages of this method are that it:Carries an extra cost for Microsoft Endpoint Manager server licenses (if the institution doesn't have Configuration Manager already).Can deploy Windows 10 only to domain-joined (institution-owned devices).Requires an AD DS infrastructure (if the institution doesn't have AD DS already).|
+|Microsoft Configuration Manager| Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.
Select this method when you: Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined). Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure). Typically deploy Windows 10 to on-premises devices.
The advantages of this method are that: You can deploy Windows 10 operating systems.You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle.You can manage software updates for Windows 10 and apps.You can manage antivirus and malware protection.It scales to large number of users and devices.
The disadvantages of this method are that it:Carries an extra cost for Microsoft Configuration Manager server licenses (if the institution doesn't have Configuration Manager already).Can deploy Windows 10 only to domain-joined (institution-owned devices).Requires an AD DS infrastructure (if the institution doesn't have AD DS already).|
*Table 2. Deployment methods*
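Review bot: the replacement `+|Microsoft Configuration Manager|` row carries over two defects from the row it replaces: the sentence break is missing in "throughout the entire operating system life cycle You can use Configuration Manager" (add a period after "life cycle"), and "It scales to large number of users and devices" should read "large numbers". Since the whole row is being rewritten, fix both here; the unchanged MDT row above has the same missing period in "You can deploy Windows 10 operating systems You can manage device drivers" and could be cleaned in the same pass.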
@@ -226,7 +226,7 @@ Record the deployment methods you selected in Table 3.
|Selection | Deployment method|
|--------- | -----------------|
| |MDT by itself |
-| |Microsoft Endpoint Manager and MDT|
+| |Microsoft Configuration Manager and MDT|
*Table 3. Deployment methods selected*
@@ -260,9 +260,9 @@ Use the information in Table 6 to determine which combination of app and update
|Selection|Management method|
|--- |--- |
-|Microsoft Endpoint Configuration Manager|Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications. Select this method when you:Selected Configuration Manager to deploy Windows 10.Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).Want to manage AD DS domain-joined devices.Have an existing AD DS infrastructure.Typically manage on-premises devices.Want to deploy operating systems.Want to provide application management for the entire application life cycle.
The advantages of this method are that:You can deploy Windows 10 operating systems.You can manage applications throughout the entire application life cycle.You can manage software updates for Windows 10 and apps.You can manage antivirus and malware protection.It scales to large numbers of users and devices.
The disadvantages of this method are that it:Carries an extra cost for Configuration Manager server licenses (if the institution doesn't have Configuration Manager already).Carries an extra cost for Windows Server licenses and the corresponding server hardware.Can only manage domain-joined (institution-owned devices).Requires an AD DS infrastructure (if the institution doesn't have AD DS already).Typically manages on-premises devices (unless devices through VPN or DirectAccess).|
+|Microsoft Configuration Manager|Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications. Select this method when you:Selected Configuration Manager to deploy Windows 10.Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).Want to manage AD DS domain-joined devices.Have an existing AD DS infrastructure.Typically manage on-premises devices.Want to deploy operating systems.Want to provide application management for the entire application life cycle.
The advantages of this method are that:You can deploy Windows 10 operating systems.You can manage applications throughout the entire application life cycle.You can manage software updates for Windows 10 and apps.You can manage antivirus and malware protection.It scales to large numbers of users and devices.
The disadvantages of this method are that it:Carries an extra cost for Configuration Manager server licenses (if the institution doesn't have Configuration Manager already).Carries an extra cost for Windows Server licenses and the corresponding server hardware.Can only manage domain-joined (institution-owned devices).Requires an AD DS infrastructure (if the institution doesn't have AD DS already).Typically manages on-premises devices (unless devices through VPN or DirectAccess).|
|Intune|Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
Select this method when you:Selected MDT only to deploy Windows 10.Want to manage institution-owned and personal devices that aren't domain joined.Want to manage Azure AD domain-joined devices.Need to manage devices regardless of where they are (on or off premises).Want to provide application management for the entire application life cycle.
The advantages of this method are that:You can manage institution-owned and personal devices.It doesn’t require that devices be domain joined.It doesn’t require on-premises infrastructure.vIt can manage devices regardless of their location (on or off premises).You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition).
The disadvantages of this method are that it:Carries an extra cost for Intune subscription licenses.can't deploy Windows 10 operating systems.|
-|Microsoft Endpoint Manager and Intune (hybrid)|Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.
Configuration Manager and Intune in the hybrid configuration allows you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.
Select this method when you:Selected Microsoft Endpoint Manager to deploy Windows 10.Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).Want to manage domain-joined devices.Want to manage Azure AD domain-joined devices.Have an existing AD DS infrastructure.Want to manage devices regardless of their connectivity.vWant to deploy operating systems.Want to provide application management for the entire application life cycle.
The advantages of this method are that:You can deploy operating systems.You can manage applications throughout the entire application life cycle.You can scale to large numbers of users and devices.You can support institution-owned and personal devices.It doesn’t require that devices be domain joined.It can manage devices regardless of their location (on or off premises).
The disadvantages of this method are that it:Carries an extra cost for Configuration Manager server licenses (if the institution doesn't have Configuration Manager already).Carries an extra cost for Windows Server licenses and the corresponding server hardware.Carries an extra cost for Intune subscription licenses.Requires an AD DS infrastructure (if the institution doesn't have AD DS already).|
+|Microsoft Configuration Manager and Intune (hybrid)|Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.
Configuration Manager and Intune in the hybrid configuration allows you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.
Select this method when you:
Selected Microsoft Configuration Manager to deploy Windows 10.Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).Want to manage domain-joined devices.Want to manage Azure AD domain-joined devices.Have an existing AD DS infrastructure.Want to manage devices regardless of their connectivity.vWant to deploy operating systems.Want to provide application management for the entire application life cycle.
The advantages of this method are that:You can deploy operating systems.You can manage applications throughout the entire application life cycle.You can scale to large numbers of users and devices.You can support institution-owned and personal devices.It doesn’t require that devices be domain joined.It can manage devices regardless of their location (on or off premises).
The disadvantages of this method are that it:Carries an extra cost for Configuration Manager server licenses (if the institution doesn't have Configuration Manager already).Carries an extra cost for Windows Server licenses and the corresponding server hardware.Carries an extra cost for Intune subscription licenses.Requires an AD DS infrastructure (if the institution doesn't have AD DS already).|
*Table 6. App and update management products*
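Review bot: the stray "v" in "regardless of their connectivity.vWant to deploy operating systems" survives into the replacement hybrid row; drop it while the row is being rewritten (the unchanged Intune row has the same artifact in "on-premises infrastructure.vIt can manage"). The replacement row also moves "Select this method when you:" onto its own line, whereas the removed row and the other rows in this table keep it inline with the first item; pick one form for all rows.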
@@ -270,9 +270,9 @@ Record the app and update management methods that you selected in Table 7.
|Selection | Management method|
|----------|------------------|
-| |Microsoft Endpoint Manager by itself|
+| |Microsoft Configuration Manager by itself|
| |Intune by itself|
-| |Microsoft Endpoint Manager and Intune (hybrid mode)|
+| |Microsoft Configuration Manager and Intune (hybrid mode)|
*Table 7. App and update management methods selected*
@@ -315,16 +315,16 @@ For more information about how to create a deployment share, see [Step 3-1: Crea
### Install the Configuration Manager console
> [!NOTE]
-> If you selected Microsoft Endpoint Manager to deploy Windows 10 or manage your devices (in the [Select the deployment methods](#select-the-deployment-methods) and [Select the configuration setting management methods](#select-the-configuration-setting-management-methods) sections, respectively), perform the steps in this section. Otherwise, skip this section and continue to the next.
+> If you selected Microsoft Configuration Manager to deploy Windows 10 or manage your devices (in the [Select the deployment methods](#select-the-deployment-methods) and [Select the configuration setting management methods](#select-the-configuration-setting-management-methods) sections, respectively), perform the steps in this section. Otherwise, skip this section and continue to the next.
You can use Configuration Manager to manage Windows 10 deployments, Windows desktop apps, Microsoft Store apps, and software updates. To manage Configuration Manager, you use the Configuration Manager console. You must install the Configuration Manager console on every device you use to manage Configuration Manager (specifically, the admin device). The Configuration Manager console is automatically installed when you install Configuration Manager primary site servers.
-For more information about how to install the Configuration Manager console, see [Install Microsoft Endpoint Manager consoles](/mem/configmgr/core/servers/deploy/install/installing-sites#bkmk_InstallConsole).
+For more information about how to install the Configuration Manager console, see [Install Microsoft Configuration Manager consoles](/mem/configmgr/core/servers/deploy/install/installing-sites#bkmk_InstallConsole).
### Configure MDT integration with the Configuration Manager console
> [!NOTE]
-> If you selected MDT only to deploy Windows 10 and your apps (and not Microsoft Endpoint Configuration Manager) in [Select the deployment methods](#select-the-deployment-methods), earlier in this article, then skip this section and continue to the next.
+> If you selected MDT only to deploy Windows 10 and your apps (and not Microsoft Configuration Manager) in [Select the deployment methods](#select-the-deployment-methods), earlier in this article, then skip this section and continue to the next.
You can use MDT with Configuration Manager to make ZTI operating system deployment easier. To configure MDT integration with Configuration Manager, run the Configure ConfigMgr Integration Wizard. This wizard is installed when you install MDT.
@@ -841,7 +841,7 @@ At the end of this section, you should know the Windows 10 editions and processo
## Prepare for deployment
-Before you can deploy Windows 10 and your apps to devices, you need to prepare your MDT environment, Windows Deployment Services, and Microsoft Endpoint Manager (if you selected it to do operating system deployment in the [Select the deployment methods](#select-the-deployment-methods) section). In this section, you ensure that the deployment methods you selected in the [Select the deployment methods](#select-the-deployment-methods) section have the necessary Windows 10 editions and versions, Windows desktop apps, Microsoft Store apps, and device drivers.
+Before you can deploy Windows 10 and your apps to devices, you need to prepare your MDT environment, Windows Deployment Services, and Microsoft Configuration Manager (if you selected it to do operating system deployment in the [Select the deployment methods](#select-the-deployment-methods) section). In this section, you ensure that the deployment methods you selected in the [Select the deployment methods](#select-the-deployment-methods) section have the necessary Windows 10 editions and versions, Windows desktop apps, Microsoft Store apps, and device drivers.
### Configure the MDT deployment share
@@ -851,17 +851,17 @@ The first step in preparing for Windows 10 deployment is to configure—that is,
|--- |--- |
|1. Import operating systems|Import the operating systems that you selected in the [Select the operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)|
|2. Import device drivers|Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device can't play sounds; without the proper camera driver, the device can't take photos or use video chat.
Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)|
-|3. Create MDT applications for Microsoft Store apps|Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.
Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you'll use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you'll need to obtain the .appx files by performing one of the following tasks:For offline-licensed apps, download the .appx files from the Microsoft Store for Business.For apps that aren't offline licensed, obtain the .appx files from the app software vendor directly.
If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.
If you've Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager). This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.
In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:Prepare your environment for sideloading, see [Try it out: sideload Microsoft Store apps](/previous-versions/windows/).Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench).|
+|3. Create MDT applications for Microsoft Store apps|Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.
Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you'll use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you'll need to obtain the .appx files by performing one of the following tasks:For offline-licensed apps, download the .appx files from the Microsoft Store for Business.For apps that aren't offline licensed, obtain the .appx files from the app software vendor directly.
If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.
If you've Intune or Microsoft Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using Microsoft Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-configuration-manager). This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.
In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:Prepare your environment for sideloading, see [Try it out: sideload Microsoft Store apps](/previous-versions/windows/).Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench).|
|4. Create MDT applications for Windows desktop apps|You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you've sufficient licenses for them.
To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in[Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source).
If you've Intune, you can [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune), as described in the Deploy and manage apps by using Intune section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps.
This is the preferred method for deploying and managing Windows desktop apps.
**Note:** You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt).|
|5. Create task sequences|You must create separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education, (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education, or (3) if you want to run deployments and upgrades for both 32-bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:Deploy 64-bit Windows 10 Education to devices.Deploy 32-bit Windows 10 Education to devices.Upgrade existing devices to 64-bit Windows 10 Education.Upgrade existing devices to 32-bit Windows 10 Education.
Again, you'll create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench).|
|6. Update the deployment share|Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32-bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.
For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#UpdateaDeploymentShareintheDeploymentWorkbench).|
*Table 16. Tasks to configure the MDT deployment share*
-### Configure Microsoft Endpoint Configuration Manager
+### Configure Microsoft Configuration Manager
> [!NOTE]
-> If you've already configured your Microsoft Endpoint Manager infrastructure to support the operating system deployment feature or if you selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next section.
+> If you've already configured your Microsoft Configuration Manager infrastructure to support the operating system deployment feature or if you selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next section.
Before you can use Configuration Manager to deploy Windows 10 and manage your apps and devices, you must configure Configuration Manager to support the operating system deployment feature. If you don’t have an existing Configuration Manager infrastructure, you'll need to deploy a new infrastructure.
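Review bot: the in-page anchor in the replacement step 3 row changes from `#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager` to `#deploy-and-manage-apps-by-using-microsoft-configuration-manager`, and the heading `### Configure Microsoft Configuration Manager` is renamed in the same hunk; both only resolve if the "Deploy and manage apps by using Microsoft Configuration Manager" heading is renamed in this change and every link to the old `#configure-microsoft-endpoint-configuration-manager` anchor is updated. Please confirm no reference to either old anchor remains in the article.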
@@ -871,21 +871,21 @@ Deploying a new Configuration Manager infrastructure is beyond the scope of this
* [Start using Configuration Manager](/mem/configmgr/core/servers/deploy/start-using)
-#### To configure an existing Microsoft Endpoint Manager infrastructure for operating system deployment
+#### To configure an existing Microsoft Configuration Manager infrastructure for operating system deployment
1. Perform any necessary infrastructure remediation.
- Ensure that your existing infrastructure can support the operating system deployment feature. For more information, see [Infrastructure requirements for operating system deployment in Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/plan-design/infrastructure-requirements-for-operating-system-deployment).
+ Ensure that your existing infrastructure can support the operating system deployment feature. For more information, see [Infrastructure requirements for operating system deployment in Microsoft Configuration Manager](/mem/configmgr/osd/plan-design/infrastructure-requirements-for-operating-system-deployment).
2. Add the Windows PE boot images, Windows 10 operating systems, and other content.
You need to add the Windows PE boot images, Windows 10 operating system images, and other deployment content that you'll use to deploy Windows 10 with ZTI. To add this content, use the Create MDT Task Sequence Wizard.
- You can add this content by using Microsoft Endpoint Manager only (without MDT), but the Create MDT Task Sequence Wizard is the preferred method because the wizard prompts you for all the deployment content you need for a task sequence and provides a much more intuitive user experience. For more information, see [Create ZTI Task Sequences Using the Create MDT Task Sequence Wizard in Configuration Manager](/mem/configmgr/mdt/use-the-mdt#CreateZTITaskSequencesUsingtheCreateMDTTaskSequenceWizardinConfigurationManager).
+ You can add this content by using Microsoft Configuration Manager only (without MDT), but the Create MDT Task Sequence Wizard is the preferred method because the wizard prompts you for all the deployment content you need for a task sequence and provides a much more intuitive user experience. For more information, see [Create ZTI Task Sequences Using the Create MDT Task Sequence Wizard in Configuration Manager](/mem/configmgr/mdt/use-the-mdt#CreateZTITaskSequencesUsingtheCreateMDTTaskSequenceWizardinConfigurationManager).
3. Add device drivers.
You must add device drivers for the different device types in your district. For example, if you've a mixture of Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you must have the device drivers for each device.
- Create a Microsoft Endpoint Manager driver package for each device type in your district. For more information, see [Manage drivers in Configuration Manager](/mem/configmgr/osd/get-started/manage-drivers).
+ Create a Microsoft Configuration Manager driver package for each device type in your district. For more information, see [Manage drivers in Configuration Manager](/mem/configmgr/osd/get-started/manage-drivers).
4. Add Windows apps.
Install the Windows apps (Windows desktop and Microsoft Store apps) that you want to deploy after the task sequence deploys your customized image (a thick, reference image that includes Windows 10 and your core Windows desktop apps). These apps are in addition to the apps included in your reference image. You can only deploy Microsoft Store apps after you deploy Windows 10 because you can't capture Microsoft Store apps in a reference image. Microsoft Store apps target users, not devices.
@@ -914,14 +914,14 @@ You can use Windows Deployment Services in conjunction with MDT to automatically
For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](/mem/configmgr/mdt/use-the-mdt#AddLTIBootImagestoWindowsDeploymentServices).
-### Configure Windows Deployment Services for Microsoft Endpoint Configuration Manager
+### Configure Windows Deployment Services for Microsoft Configuration Manager
> [!NOTE]
-> If you've already configured your Microsoft Endpoint Manager infrastructure to support PXE boot or selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next.
+> If you've already configured your Microsoft Configuration Manager infrastructure to support PXE boot or selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next.
You can use Windows Deployment Services in conjunction with Configuration Manager to automatically initiate boot images on target devices. These boot images are Windows PE images that you use to boot the target devices, and then initiate Windows 10, app, and device driver deployment.
-#### To configure Windows Deployment Services for Microsoft Endpoint Configuration Manager
+#### To configure Windows Deployment Services for Microsoft Configuration Manager
1. Set up and configure Windows Deployment Services.
@@ -944,7 +944,7 @@ You can use Windows Deployment Services in conjunction with Configuration Manage
#### Summary
-Your MDT deployment share and Microsoft Endpoint Manager are now ready for deployment. Windows Deployment Services is ready to initiate the LTI or ZTI deployment process. You've set up and configured Windows Deployment Services for MDT and for Configuration Manager. You've also ensured that your boot images are available to Windows Deployment Services (for LTI) or the distribution points (for ZTI and Configuration Manager). Now, you’re ready to capture the reference images for the different devices you've in your district.
+Your MDT deployment share and Microsoft Configuration Manager are now ready for deployment. Windows Deployment Services is ready to initiate the LTI or ZTI deployment process. You've set up and configured Windows Deployment Services for MDT and for Configuration Manager. You've also ensured that your boot images are available to Windows Deployment Services (for LTI) or the distribution points (for ZTI and Configuration Manager). Now, you’re ready to capture the reference images for the different devices you've in your district.
## Capture the reference image
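Review bot: "the different devices you've in your district" in the replacement summary line should read "you have in your district"; the contraction is awkward before a bare noun phrase, and the same "you've" pattern appears unchanged elsewhere in this file ("if you've a mixture of Surface", "If you've Intune") if you want to fix it in one pass.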
@@ -1015,7 +1015,7 @@ Both the Deployment Workbench and the Configuration Manager console have wizards
For more information about how to import the reference image into:
* An MDT deployment share, see [Import a Previously Captured Image of a Reference Computer](/mem/configmgr/mdt/use-the-mdt#ImportaPreviouslyCapturedImageofaReferenceComputer).
-* Microsoft Endpoint Configuration Manager, see [Manage operating system images with Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/get-started/manage-operating-system-images) and [Customize operating system images with Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/get-started/customize-operating-system-images).
+* Microsoft Configuration Manager, see [Manage operating system images with Microsoft Configuration Manager](/mem/configmgr/osd/get-started/manage-operating-system-images) and [Customize operating system images with Microsoft Configuration Manager](/mem/configmgr/osd/get-started/customize-operating-system-images).
### Create a task sequence to deploy the reference image
@@ -1026,10 +1026,10 @@ As you might expect, both the Deployment Workbench and the Configuration Manager
For more information about how to create a task sequence in the:
* Deployment Workbench for a deployment share, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench).
-* Configuration Manager console, see [Create a task sequence to install an operating system in Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/create-a-task-sequence-to-install-an-operating-system).
+* Configuration Manager console, see [Create a task sequence to install an operating system in Microsoft Configuration Manager](/mem/configmgr/osd/deploy-use/create-a-task-sequence-to-install-an-operating-system).
#### Summary
-In this section, you customized the MDT deployment share to deploy Windows 10 and desktop apps to one or more reference devices by creating and customizing MDT applications, device drivers, and applications. Next, you ran the task sequence, which deploys Windows 10, deploys your apps, deploys the appropriate device drivers, and captures an image of the reference device. Then, you imported the captured reference image into a deployment share or Microsoft Endpoint Configuration Manager. Finally, you created a task sequence to deploy your captured reference image to faculty and student devices. At this point in the process, you’re ready to deploy Windows 10 and your apps to your devices.
+In this section, you customized the MDT deployment share to deploy Windows 10 and desktop apps to one or more reference devices by creating and customizing MDT applications, device drivers, and applications. Next, you ran the task sequence, which deploys Windows 10, deploys your apps, deploys the appropriate device drivers, and captures an image of the reference device. Then, you imported the captured reference image into a deployment share or Microsoft Configuration Manager. Finally, you created a task sequence to deploy your captured reference image to faculty and student devices. At this point in the process, you’re ready to deploy Windows 10 and your apps to your devices.
## Prepare for device management
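Review bot: the rewritten Summary line lists "MDT applications, device drivers, and applications", naming applications twice; while the line is being touched, drop the duplicate or replace it with the item the section actually covers. The product rename in both `+` lines of this hunk is otherwise consistent with the rest of the file.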
@@ -1095,7 +1095,7 @@ For more information about Intune, see [Microsoft Intune Documentation](/intune/
### Deploy and manage apps by using Intune
-If you selected to deploy and manage apps by using Microsoft Endpoint Manager and Intune in a hybrid configuration, then skip this section and continue to the [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager) section.
+If you selected to deploy and manage apps by using Microsoft Configuration Manager and Intune in a hybrid configuration, then skip this section and continue to the [Deploy and manage apps by using Microsoft Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-configuration-manager) section.
You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you to deploy apps to companion devices (such as iOS or Android devices). Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that aren't enrolled in Intune or that another solution manages.
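Review bot: the new in-page link `[Deploy and manage apps by using Microsoft Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-configuration-manager)` only resolves because the heading itself is renamed in the `-1106` hunk of this file, so the two hunks must land together; the same applies to the `#manage-updates-by-using-microsoft-configuration-manager` fragment and its heading in the `-1133` hunk. Note also that a heading rename changes the published fragment: an external deep link to the old `#...-microsoft-endpoint-configuration-manager` anchor will silently land at the top of the page rather than fail, so a quick search for inbound links to the old fragments is worth doing before merge.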
@@ -1106,9 +1106,9 @@ For more information about how to configure Intune to manage your apps, see the
- [Protect apps and data with Microsoft Intune](/mem/intune/apps/app-protection-policy)
- [Help protect your data with full or selective wipe using Microsoft Intune](/mem/intune/remote-actions/devices-wipe)
-### Deploy and manage apps by using Microsoft Endpoint Configuration Manager
+### Deploy and manage apps by using Microsoft Configuration Manager
-You can use Microsoft Endpoint Manager to deploy Microsoft Store and Windows desktop apps. Configuration Manager allows you to create a Configuration Manager application that you can use to deploy apps to different devices (such as Windows 10 desktop, iOS, or Android devices) by using *deployment types*. You can think of a Configuration Manager application as a box. You can think of deployment types as one or more sets of installation files and installation instructions within that box.
+You can use Microsoft Configuration Manager to deploy Microsoft Store and Windows desktop apps. Configuration Manager allows you to create a Configuration Manager application that you can use to deploy apps to different devices (such as Windows 10 desktop, iOS, or Android devices) by using *deployment types*. You can think of a Configuration Manager application as a box. You can think of deployment types as one or more sets of installation files and installation instructions within that box.
For example, you could create a Skype application that contains a deployment type for Windows 10 desktop, iOS, and Android. You can deploy the one application to multiple device types.
@@ -1121,7 +1121,7 @@ For more information about how to configure Configuration Manager to deploy and
### Manage updates by using Intune
-If you selected to manage updates by using Configuration Manager and Intune in a hybrid configuration, then skip this section and continue to the [Manage updates by using Microsoft Endpoint Configuration Manager](#manage-updates-by-using-microsoft-endpoint-configuration-manager) section.
+If you selected to manage updates by using Configuration Manager and Intune in a hybrid configuration, then skip this section and continue to the [Manage updates by using Microsoft Configuration Manager](#manage-updates-by-using-microsoft-configuration-manager) section.
To help ensure that your users have the most current features and security protection, keep Windows 10 and your apps current with updates. To configure Windows 10 and app updates, use the **Updates** workspace in Intune.
@@ -1133,7 +1133,7 @@ For more information about how to configure Intune to manage updates and malware
- [Keep Windows PCs up to date with software updates in Microsoft Intune](/mem/intune/protect/windows-update-for-business-configure)
- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](/mem/intune/protect/endpoint-protection-configure)
-### Manage updates by using Microsoft Endpoint Configuration Manager
+### Manage updates by using Microsoft Configuration Manager
To ensure that your users have the most current features and security protection, use the software updates feature in Configuration Manager to manage updates. The software updates feature works in conjunction with WSUS to manage updates for Windows 10 devices.
@@ -1146,7 +1146,7 @@ For more information about how to configure Configuration Manager to manage Wind
#### Summary
-In this section, you prepared your institution for device management. You identified the configuration settings that you want to use to manage your users and devices. You configured Group Policy or Intune to manage these configuration settings. You configured Intune or Microsoft Endpoint Manager to manage your apps. Finally, you configured Intune or Microsoft Endpoint Manager to manage software updates for Windows 10 and your apps.
+In this section, you prepared your institution for device management. You identified the configuration settings that you want to use to manage your users and devices. You configured Group Policy or Intune to manage these configuration settings. You configured Intune or Microsoft Configuration Manager to manage your apps. Finally, you configured Intune or Microsoft Configuration Manager to manage software updates for Windows 10 and your apps.
## Deploy Windows 10 to devices
@@ -1159,7 +1159,7 @@ Prior to deployment of Windows 10, complete the tasks in Table 18. Most of these
| | Task |
|:---|:---|
|**1.** |Ensure that the target devices have sufficient system resources to run Windows 10.|
-|**2.** |Identify the necessary devices drivers, and then import them into the MDT deployment share or Microsoft Endpoint Configuration Manager.|
+|**2.** |Identify the necessary devices drivers, and then import them into the MDT deployment share or Microsoft Configuration Manager.|
|**3.** |For each Microsoft Store and Windows desktop app, create an MDT application or Configuration Manager application.|
|**4.** |Notify the students and faculty about the deployment.|
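Review bot: the `+` row for task 2 preserves the typo "Identify the necessary devices drivers"; change it to "the necessary device drivers" while the row is being edited.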
@@ -1243,11 +1243,11 @@ Table 19 lists the school and individual classroom maintenance tasks, the resour
|Verify that Windows Update is active and current with operating system and software updates.
For more information about completing this task when you have:Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](/mem/intune/protect/windows-update-for-business-configure)Group Policy, see [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).WSUS, see [Windows Server Update Services](/windows/deployment/deploy-whats-new).
Neither Intune, Group Policy, nor WSUS, see "Install, upgrade, & activate" in Windows 10 help.|✔️|✔️|✔️|
|Verify that Windows Defender is active and current with malware Security intelligence.
For more information about completing this task, see [Turn Windows Defender on or off](/mem/intune/user-help/turn-on-defender-windows) and [Updating Windows Defender](/mem/intune/user-help/turn-on-defender-windows).|✔️|✔️|✔️|
|Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.
For more information about completing this task, see the “How do I find and remove a virus?” topic in [Protect my PC from viruses](https://support.microsoft.com/help/17228/windows-protect-my-pc-from-viruses).|✔️|✔️|✔️|
-|Download and approve updates for Windows 10, apps, device driver, and other software.
For more information, see:[Manage updates by using Intune](#manage-updates-by-using-intune)[Manage updates by using Microsoft Endpoint Configuration Manager](#manage-updates-by-using-microsoft-endpoint-configuration-manager)|✔️|✔️|✔️|
+|Download and approve updates for Windows 10, apps, device driver, and other software.
For more information, see:[Manage updates by using Intune](#manage-updates-by-using-intune)[Manage updates by using Microsoft Configuration Manager](#manage-updates-by-using-microsoft-configuration-manager)|✔️|✔️|✔️|
|Verify that you’re using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).
For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options](/windows/deployment/update/).||✔️|✔️|
|Refresh the operating system and apps on devices.
For more information about completing this task, see the following resources:[Prepare for deployment](#prepare-for-deployment)[Capture the reference image](#capture-the-reference-image)[Deploy Windows 10 to devices](#deploy-windows-10-to-devices)||✔️|✔️|
-|Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.
For more information, see:[Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)[Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️|
-|Install new or update existing Microsoft Store apps used in the curriculum.
Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.
You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration.
For more information, see:[Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)[Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️|
+|Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.
For more information, see:[Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)[Deploy and manage apps by using Microsoft Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-configuration-manager)||✔️|✔️|
+|Install new or update existing Microsoft Store apps used in the curriculum.
Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.
You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Configuration Manager, or both in a hybrid configuration.
For more information, see:[Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)[Deploy and manage apps by using Microsoft Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-configuration-manager)||✔️|✔️|
|Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you've an on-premises AD DS infrastructure).
For more information about how to:Remove unnecessary user accounts, see [Active Directory Administrative Center](/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center) Remove licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️|
|Add new accounts (and corresponding licenses) to AD DS (if you've an on-premises AD DS infrastructure).
For more information about how to:Add user accounts, see [Bulk-import user and group accounts into AD DS](#bulk-import-user-and-group-accounts-into-ad-ds)Assign licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️|
|Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you don't have an on-premises AD DS infrastructure).
For more information about how to:Remove unnecessary user accounts, see [Delete or restore users](/microsoft-365/admin/add-users/delete-a-user) Remove licenses, [Assign or remove licenses for Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️|
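Review bot: the rewritten "Download and approve updates" row keeps "device driver" in the singular inside a list of plurals ("Windows 10, apps, device driver, and other software"); make it "device drivers". Separately, in every rewritten row the "For more information, see:" links are run together with nothing between them, for example `[Manage updates by using Intune](#manage-updates-by-using-intune)[Manage updates by using Microsoft Configuration Manager](#manage-updates-by-using-microsoft-configuration-manager)`; if that is how the source reads rather than an artifact of this diff view, add a separator or a line break between the links, since adjacent links with no space render as one run of text.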
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index 1655458c44..34726cf380 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -79,13 +79,13 @@ Now that you've the plan (blueprint) for your classroom, you’re ready to learn
The primary tool you'll use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI).
-You can use MDT as a stand-alone tool or integrate it with Microsoft Endpoint Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments.
+You can use MDT as a stand-alone tool or integrate it with Microsoft Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments.
MDT includes the Deployment Workbench—a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps, and migration of user settings on existing devices.
LTI performs deployment from a *deployment share*—a network-shared folder on the device where you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You'll learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section.
-The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with [Microsoft Endpoint Manager](/mem/), the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements.
+The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), [Configuration Manager](/mem/configmgr/core/understand/introduction), the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements.
The configuration process requires the following devices:
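Review bot: this file gets a single hunk that replaces the generic `[Microsoft Endpoint Manager](/mem/)` link with separate Intune and Configuration Manager links, whereas the sibling district guide needed roughly ten hunks for the same rename; before merging, search this file for any remaining "Microsoft Endpoint" mentions or links to `/mem/` outside old lines 79 to 91 so the two guides end up consistent. The two new targets, `/mem/intune/fundamentals/what-is-intune` and `/mem/configmgr/core/understand/introduction`, are new paths rather than a text-only rename and should be confirmed by the link validator.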
diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md
deleted file mode 100644
index 1a86e4e1c4..0000000000
--- a/education/windows/education-scenarios-store-for-business.md
+++ /dev/null
@@ -1,144 +0,0 @@
----
-title: Education scenarios Microsoft Store for Education
-description: Learn how IT admins and teachers can use Microsoft Store for Education to acquire and manage apps in schools.
-ms.topic: article
-ms.date: 08/10/2022
-appliesto:
- - ✅ Windows 10 and later
----
-
-# Working with Microsoft Store for Education
-
-Learn about education scenarios for Microsoft Store for Education. IT admins and teachers can use Microsoft Store to find, acquire, distribute, and manage apps.
-
-Many of the [settings in Microsoft Store for Business](/microsoft-store/settings-reference-microsoft-store-for-business) also apply in Microsoft Store for Education. Several of the items in this topic are unique to Microsoft Store for Education.
-
-## Basic Purchaser role
-Applies to: IT admins
-
-By default, when a teacher with a work or school account signs up for Microsoft Store for Education, the **Basic Purchaser** role is assigned to them. **Basic Purchaser** role allows teachers to:
-- View the Minecraft: Education Edition product description page
-- Acquire and manage Minecraft: Education Edition, and other apps from Store for Education
-- Use info on **Support** (including links to documentation and access to support through customer service)
-
-> [!NOTE]
-> People with the **Basic Purchaser** role can only manage (assign and reclaim licenses) for apps that they purchased. They can't manage apps purchased by people with **Purchaser** or **Admin** roles.
-
-Admins can control whether or not teachers are automatically assigned the **Basic Purchaser** role. You can configure this with **Make everyone a Basic Purchaser**. You'll find this on **Settings**, with **Shop** settings.
-
-**To manage Make everyone a Basic Purchaser**
-1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com)
-2. Click **Manage**, and then click **Settings**.
-3. On **Shop**, select or clear **Make everyone a Basic Purchaser**.
-
-> [!NOTE]
-> **Make everyone a Basic Purchaser** is on by default.
-
-When **Make everyone a Basic Purchaser** is turned off, admins can manually assign the role to teachers.
-
-**To assign Basic Purchaser role**
-
-1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com)
-2. Click **Manage**, and then choose **Permissions**.
-3. On **Roles**, click **Assign roles**, type and select a name, choose the role you want to assign, and then click **Save**.
-
-
-**Blocked Basic Purchasers**
-
-When **Make everyone a Basic Purchaser** is on, admins can still manage which users have the **Basic Purchaser** role. An admin can unassign the **Basic Purchaser** role from a user, and the user is added to a list of **Blocked Basic Purchasers**. Admins can review who are **Basic Purchasers** and **Blocked Basic Purchasers** on **Permissions**.
-
-## Private store
-
-Applies to: IT admins
-
-When you create your Microsoft Store for Education account, you'll have a set of apps included for free in your private store. Apps in your private store are available for all people in your organization to install and use.
-
-These apps will automatically be in your private store:
-- Word mobile
-- Excel mobile
-- PowerPoint mobile
-- OneNote
-- Sway
-- Fresh Paint
-- Minecraft: Education Edition
-
-As an admin, you can remove any of these apps from the private store if you'd prefer to control how apps are distributed.
-
-## Manage domain settings
-
-Applies to: IT admins
-
-### Self-service sign up
-Self-service sign-up makes it easier for users in your organization to sign up for online services from Microsoft. We call this sign up process "self-service sign-up" because your users can sign up to use services paid by your subscription, or use free services, without asking you to take action on their behalf. For more information on self-service sign up, see [Using self-service sign up in your organization](https://support.office.com/article/Using-self-service-sign-up-in-your-organization-4f8712ff-9346-4c6c-bb63-a21ad7a62cbd?ui=en-US&rs=en-US&ad=US).
-
-### Domain verification
-For education organizations, domain verification ensures you are on the academic verification list. As an admin, you might need to verify your domain using the Microsoft 365 admin center. For more information, see [Verify your Office 365 domain to prove ownership, nonprofit or education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-Yammer-87d1844e-aa47-4dc0-a61b-1b773fd4e590?ui=en-US&rs=en-US&ad=US).
-
-## Acquire apps
-Applies to: IT admins and teachers
-
-Find apps for your school using Microsoft Store for Business. Admins in an education setting can use the same processes as Admins in an enterprise setting to find and acquire apps.
-
-**To acquire apps**
-- For info on how to acquire apps, see [Acquire apps in Microsoft Store for Business](/microsoft-store/acquire-apps-windows-store-for-business#acquire-apps)
-
-**To add a payment method - debit or credit card**
-
-If the app you purchase has a price, you’ll need to provide a payment method.
-- During your purchase, click **Get started! Add a way to pay.** Provide the info needed for your debit or credit card.
-
-For more information on payment options, see [payment options](/microsoft-store/acquire-apps-windows-store-for-business#payment-options).
-
-For more information on tax rates, see [tax information](/microsoft-store/update-windows-store-for-business-account-settings#organization-tax-information).
-
-## Manage apps and software
-Applies to: IT admins and teachers
-
-## Manage purchases
-IT admins and teachers in educational settings can purchase apps from Microsoft Store for Education. Teachers need to have the Basic purchaser role, but if they've acquired Minecraft: Education Edition, they have the role by default.
-
-While both groups can purchase apps, they can't manage purchases made by the other group.
-
-Admins can:
-- Manage and distribute apps they purchased and apps purchased by other admins in the organization.
-- View apps purchased by teachers.
-- View and manage apps on **Manage**, under **Apps & software**.
-
-Teachers can:
-- Manage and distribute apps they purchased.
-- View and manage apps on **Manage**, under **Apps & software**.
-
-> [!NOTE]
-> Teachers with the Basic purchaser role can't manage or view apps purchased by other teachers, or purchased by admins. Teachers can only work with the apps they purchased.
-
-## Distribute apps
-
-**To manage and distribute apps**
-- For info on how to manage and distribute apps, see [App inventory management - Microsoft Store for Business](/microsoft-store/app-inventory-management-windows-store-for-business)
-
-**To assign an app to a student**
-
-1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
-2. Click **Manage**, and then choose **Apps & software**.
-3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**.
-4. Type the email address, or name for the student that you're assigning the app to, and click **Assign**.
-
-Employees will receive an email with a link that will install the app on their device. Click the link to start the Microsoft Store app, and then click **Install**. Also, in the Microsoft Store app, they can find the app under **My Library**.
-
-### Purchase more licenses
-Applies to: IT admins and teachers
-
-You can manage current app licenses, or purchase more licenses for apps in **Apps & software**.
-
-**To purchase additional app licenses**
-1. Click **Manage**, click **Apps & software**, and then click an app.
-2. Click **Buy more** to purchase more licenses
-
-You'll have a summary of current license availability.
-
-## Manage order history
-Applies to: IT admins and teachers
-
-You can manage your orders through Microsoft Store for Business. For info on order history and how to refund an order, see [Manage app orders in Microsoft Store for Business](/microsoft-store/manage-orders-microsoft-store-for-business).
-
-It can take up to 24 hours after a purchase, before a receipt is available on your **Order history page**.
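Review bot: deleting `education/windows/education-scenarios-store-for-business.md` outright needs three companion changes that are not visible in this hunk: a redirect entry for the old path in the redirection file, removal of the page from the education TOC, and a sweep of other pages that link to it, otherwise the build fails on the dangling TOC entry or readers hit a 404. Note also that this page was the only one in the diff that documented the Basic Purchaser role, the "Make everyone a Basic Purchaser" setting and the Blocked Basic Purchasers list; if that guidance is still accurate for Microsoft Store for Education, it should be relocated rather than dropped, and if it is obsolete the commit message should say so.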
diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md
index 0ea3ad5e3d..eefe5ce3e3 100644
--- a/education/windows/federated-sign-in.md
+++ b/education/windows/federated-sign-in.md
@@ -1,20 +1,21 @@
---
title: Configure federated sign-in for Windows devices
-description: Description of federated sign-in feature for Windows 11 SE and how to configure it via Intune
-ms.date: 01/12/2023
+description: Description of federated sign-in feature for the Education SKUs of Windows 11 and how to configure it via Intune or provisioning packages.
+ms.date: 02/24/2023
ms.topic: how-to
appliesto:
- - ✅ Windows 11 SE
+ - ✅ Windows 11
ms.collection:
- highpri
- tier1
- education
---
-
-# Configure federated sign-in for Windows 11 SE
+# Configure federated sign-in for Windows devices
-Starting in Windows 11 SE, version 22H2, you can enable your users to sign-in using a SAML 2.0 identity provider (IdP). This feature is called *federated sign-in*. Federated sign-in is a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Azure AD, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in.
+Starting in Windows 11 SE, version 22H2 and Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1], you can enable your users to sign-in using a federated identity provider (IdP) via web sign-in.\
+This feature is called *federated sign-in*.\
+Federated sign-in is a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Azure AD, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in.
## Benefits of federated sign-in
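Review bot: the rewritten intro links `[KB5022913][KB-1]` by reference, but no `[KB-1]:` definition appears anywhere in this diff (the link-list hunk at the end of the file only adds `[AZ-1]` and `[AZ-4]`); unless it is defined in unchanged context, the text will render literally as "[KB5022913][KB-1]". Minor style point on the same lines: "sign-in" is used as a verb three times ("enable your users to sign-in", "they can sign-in", "use QR code badges to sign-in") where the verb form is "sign in"; the hyphenated form is only the noun.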
@@ -27,33 +28,44 @@ With fewer credentials to remember and a simplified sign-in process, students ar
To implement federated sign-in, the following prerequisites must be met:
-1. An Azure AD tenant, with one or multiple domains federated to a third-party SAML 2.0 IdP. For more information, see [Use a SAML 2.0 Identity Provider (IdP) for Single Sign On][AZ-1]
+1. An Azure AD tenant, with one or multiple domains federated to a third-party IdP. For more information, see [What is federation with Azure AD?][AZ-1] and [Use a SAML 2.0 IdP for Single Sign On][AZ-4]
>[!NOTE]
>If your organization uses a third-party federation solution, you can configure single sign-on to Azure Active Directory if the solution is compatible with Azure Active Directory. For questions regarding compatibility, contact your identity provider. If you're an IdP, and would like to validate your solution for interoperability, refer to these [guidelines][MSFT-1].
- >
- >For a step-by-step guide on how to configure Google Workspace as an identity provider for Azure AD, see [Configure federation between Google Workspace and Azure AD](configure-aad-google-trust.md).
+
+ - For a step-by-step guide on how to configure **Google Workspace** as an identity provider for Azure AD, see [Configure federation between Google Workspace and Azure AD](configure-aad-google-trust.md)
+ - For a step-by-step guide on how to configure **Clever** as an identity provider for Azure AD, see [Setup guide for Badges into Windows and Azure AD][EXT-1]
1. Individual IdP accounts created: each user will require an account defined in the third-party IdP platform
1. Individual Azure AD accounts created: each user will require a matching account defined in Azure AD. These accounts are commonly created through automated solutions, for example:
- [School Data Sync (SDS)][SDS-1]
- [Azure AD Connect sync][AZ-3] for environment with on-premises AD DS
- PowerShell scripts that call the [Microsoft Graph API][GRAPH-1]
- provisioning tools offered by the IdP
+
+ For more information about identity matching, see [Identity matching in Azure AD](#identity-matching-in-azure-ad).
1. Licenses assigned to the Azure AD user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Azure AD, the licenses are automatically assigned. For more information, see [Assign licenses to users by group membership in Azure Active Directory][AZ-2]
-1. Enable federated sign-in on the Windows devices that the users will be using
- > [!IMPORTANT]
- > This feature is exclusively available for Windows 11 SE, version 22H2.
+1. Enable federated sign-in on the Windows devices
To use federated sign-in, the devices must have Internet access. This feature won't work without it, as the authentication is done over the Internet.
-## Enable federated sign-in on devices
-
-
-To sign-in with a SAML 2.0 identity provider, your devices must be configured with different policies, which can be configured using Microsoft Intune.
+To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings:
[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)]
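Review bot: two more reference-style links introduced here, `[EXT-1]` (the Clever badges setup guide) and `[MEM-1]` (create a custom profile), have no definition in the visible diff either; confirm both are added to the link list, since an undefined reference renders as literal bracketed text. Two content points: the first prerequisite now says the domains are federated "to a third-party IdP" with the SAML 2.0 qualifier removed, while the NOTE that follows and the `[AZ-4]` link still frame the setup in SAML terms, so state explicitly whether non-SAML federation is now in scope; and the removed IMPORTANT block was the only statement in this section of which Windows editions support the feature, so the edition and KB requirement now lives only in the intro paragraph and should be restated next to "Enable federated sign-in on the Windows devices".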
@@ -69,25 +81,25 @@ To sign-in with a SAML 2.0 identity provider, your devices must be configured wi
[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)]
[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)]
-
## How to use federated sign-in
@@ -106,24 +118,62 @@ Federated sign-in doesn't work on devices that have the following settings enabl
- **EnableSharedPCMode**, which is part of the [SharedPC CSP][WIN-1]
- **Interactive logon: do not display last signed in**, which is a security policy part of the [Policy CSP][WIN-2]
-- **Take a Test**, since it leverages the security policy above
+- **Take a Test**, since it uses the security policy above
+
+### Identity matching in Azure AD
+
+When an Azure AD user is federated, the user's identity from the IdP must match an existing user object in Azure AD.
+After the token sent by the IdP is validated, Azure AD searches for a matching user object in the tenant by using an attribute called *ImmutableId*.
+
+> [!NOTE]
+> The ImmutableId is a string value that **must be unique** for each user in the tenant, and it shouldn't change over time. For example, the ImmutableId could be the student ID or SIS ID. The ImmutableId value should be based on the federation setup and configuration with your IdP, so confirm with your IdP before setting it.
+
+If the matching object is found, the user is signed-in. If not, the user is presented with an error message. The following picture shows that a user with the ImmutableId *260051* can't be found:
+
+:::image type="content" source="images/federation/user-match-lookup-failure.png" alt-text="Azure AD sign-in error: a user with a matching ImmutableId can't be found in the tenant." lightbox="images/federation/user-match-lookup-failure.png":::
+
+> [!IMPORTANT]
+> The ImmutableId matching is case-sensitive.
+
+The ImmutableId is typically configured when the user is created in Azure AD, but it can also be updated later.\
+In a scenario where a user is federated and you want to change the ImmutableId, you must:
+
+1. Convert the federated user to a cloud-only user (update the UPN to a non-federated domain)
+1. Update the ImmutableId
+1. Convert the user back to a federated user
+
+Here's a PowerShell example to update the ImmutableId for a federated user:
+
+```powershell
+#1. Convert the user from federated to cloud-only
+Get-AzureADUser -SearchString alton@example.com | Set-AzureADUser -UserPrincipalName alton@example.onmicrosoft.com
+
+#2. Convert the user back to federated, while setting the immutableId
+Get-AzureADUser -SearchString alton@example.onmicrosoft.com | Set-AzureADUser -UserPrincipalName alton@example.com -ImmutableId '260051'
+```
## Troubleshooting
- The user can exit the federated sign-in flow by pressing Ctrl+Alt+Delete to get back to the standard Windows sign-in screen
- Select the *Other User* button, and the standard username/password credentials are available to log into the device
-[AZ-1]: /azure/active-directory/hybrid/how-to-connect-fed-saml-idp
+
+
+[AZ-1]: /azure/active-directory/hybrid/whatis-fed
[AZ-2]: /azure/active-directory/enterprise-users/licensing-groups-assign
[AZ-3]: /azure/active-directory/hybrid/how-to-connect-sync-whatis
+[AZ-4]: /azure/active-directory/hybrid/how-to-connect-fed-saml-idp
[GRAPH-1]: /graph/api/user-post-users?tabs=powershell
+[EXT-1]: https://support.clever.com/hc/s/articles/000001546
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
[MSFT-1]: https://www.microsoft.com/download/details.aspx?id=56843
[SDS-1]: /schooldatasync
+[KB-1]: https://support.microsoft.com/kb/5022913
+
[WIN-1]: /windows/client-management/mdm/sharedpc-csp
[WIN-2]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin
\ No newline at end of file
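Review bot: In the PowerShell example, `Get-AzureADUser -SearchString alton@example.com` is a search rather than an exact match, so the pipeline can return more than one user object, and the piped `Set-AzureADUser` would then rewrite the UPN (and, in the second command, the ImmutableId) of every match. Use an exact lookup such as `Get-AzureADUser -ObjectId alton@example.com` (the parameter accepts a UPN) or `-Filter "userPrincipalName eq 'alton@example.com'"`, and assign the result to a variable and check it before piping it into `Set-AzureADUser`. The three-step procedure above the script also lists "Update the ImmutableId" and "Convert the user back to a federated user" as separate steps while the script does both in one `Set-AzureADUser` call; a comment saying the UPN change and the ImmutableId update are applied together would keep the steps and the script in sync.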
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md
index 53ac374a11..0c1e50cd52 100644
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
@@ -1,8 +1,8 @@
---
-title: Get Minecraft Education Edition
-description: Learn how to get and distribute Minecraft Education Edition.
+title: Get and deploy Minecraft Education
+description: Learn how to obtain and distribute Minecraft Education to Windows devices.
ms.topic: how-to
-ms.date: 08/10/2022
+ms.date: 02/23/2023
appliesto:
- ✅ Windows 10 and later
ms.collection:
@@ -11,20 +11,139 @@ ms.collection:
- tier2
---
-# Get Minecraft: Education Edition
+# Get and deploy Minecraft Education
-[Minecraft: Education Edition](https://education.minecraft.net/) is built for learning. Watch this video to learn more about Minecraft.
+Minecraft Education is a game-based platform that inspires creative and inclusive learning through play. Explore blocky worlds that unlock new ways to tackle any subject or challenge. Dive into subjects like reading, math, history, and coding with lessons and standardized curriculum designed for all types of learners. Or explore and build together in creative open worlds.
-
+**Use it your way**: with hundreds of ready-to-teach lessons, creative challenges, and blank canvas worlds, there are lots of ways to make Minecraft Education work for your students. It's easy to get started, no gaming experience necessary.
-Teachers and IT administrators can now get access to **Minecraft: Education Edition** and add it their Microsoft Admin Center for distribution.
+**Prepare students for the future**: learners develop key skills like problem solving, collaboration, digital citizenship, and critical thinking to help them thrive now and in the future workplace. Spark a passion for STEM.
-## Prerequisites
-
-- For a complete list of Operating Systems supported by **Minecraft: Education Edition**, see [here](https://educommunity.minecraft.net/hc/articles/360047556591-System-Requirements).
-- Trials or subscriptions of **Minecraft: Education Edition** are offered to education tenants that are managed by Azure Active Directory (Azure AD).
- - If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft: Education Edition**.
- - Office 365 Education, which includes online versions of Office apps plus 1 TB online storage. [Sign up your school for Office 365 Education.](https://www.microsoft.com/education/products/office)
- - If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](/windows/client-management/mdm/register-your-free-azure-active-directory-subscription)
+**Game based learning**: unlock creativity and deep learning with immersive content created with partners including BBC Earth, NASA, and the Nobel Peace Center. Inspire students to engage in real-world topics, with culturally relevant lessons and build challenges.
-[Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft.
+## Minecraft Education key features
+
+- Multiplayer mode enables collaboration in-game across platforms, devices, and hybrid environments
+- Code Builder supports block-based coding, JavaScript, and Python with intuitive interface and in-game execution
+- Immersive Reader helps players read and translate text
+- Camera and Book & Quill items allow documentation and export of in-game creations
+- Integration with Microsoft Teams and Flipgrid supports assessment and teacher controls
+
+## Try or purchase Minecraft Education
+
+Users in a Microsoft-verified academic organization with Microsoft 365 accounts have [access to a free trial][EDU-1] for Minecraft Education. This grants faculty accounts 25 free logins, and student accounts 10 free logins before a paid license is required to continue playing. Users in non-Microsoft-verified academic organizations have 10 free logins.
+
+Organizations can [purchase subscriptions][EDU-2] directly in the *Microsoft 365 admin center*, via volume licensing agreements, or through partner resellers.
+
+When you sign up for a Minecraft Education trial, or purchase a subscription, Minecraft Education licenses are linked to your Azure Active Directory (Azure AD) tenant. If you don't have an Azure AD tenant:
+
+- Microsoft-verified academic organizations can set up a free [Office 365 Education subscription][EDU-3], which includes an Azure AD tenant
+- Non-Microsoft-verified academic organizations can set up a free Azure AD tenant when they [purchase Minecraft Education commercial licenses][EDU-4]
+
+### Direct purchase
+
+To purchase direct licenses:
+
+1. Go to [https://education.minecraft.net/](https://education.minecraft.net/) and select **How to Buy** in the top navigation bar
+1. Scroll down and select **Buy Now** under **Direct Purchase**
+1. In the *purchase* page, sign in with an account that has *Billing Admin* privileges in your organization
+1. If necessary, fill in any requested organization or payment information
+1. Select the quantity of licenses you'd like to purchase and select **Place Order**
+1. After you've purchased licenses, you'll need to [assign Minecraft Education licenses to your users](#assign-minecraft-education-licenses)
+
+If you need more licenses for Minecraft Education, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses).
+
+### Volume licensing
+
+Qualified education institutions can purchase Minecraft Education licenses through their Microsoft channel partner. Schools need to be part of the *Enrollment for Education Solutions* (EES) volume licensing program. Educational institutions should work with their channel partner to determine which Minecraft Education licensing offer is best for their institution. The process looks like this:
+
+1. Your channel partner will submit and process your volume license order
+1. Your licenses will show on [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx)
+1. After you've purchased licenses, you'll need to [assign Minecraft Education licenses to your users](#assign-minecraft-education-licenses)
+
+### Payment options
+
+You can pay for Minecraft Education with a debit or credit card, or with an invoice.
+
+#### Debit or credit cards
+
+During the purchase, select **Add a new payment method**. Provide the information needed for your debit or credit card.
+
+#### Invoices
+
+Invoices are a supported payment method for Minecraft Education. There are a few requirements:
+
+- $500 invoice minimum for your initial purchase
+- $15,000 invoice maximum (for all invoices within your organization)
+
+To pay with an invoice:
+
+1. During the purchase, select **Add a new payment method.**
+2. Select the **Invoice** option, and provide the information needed for an invoice. The **PO number** item allows you to add a tracking number or info that is meaningful to your organization.
+
+For more information about invoices and how to pay by invoice, see [Payment options for your Microsoft subscription][M365-1].
+
+## Assign Minecraft Education licenses
+
+You can assign and manage Minecraft Education licenses from the Microsoft 365 admin center.\
+You must be a *Global*, *License*, or *User admin* to assign licenses. For more information, see [About Microsoft 365 admin roles][M365-2].
+
+1. Go to [https://admin.microsoft.com](https://admin.microsoft.com) and sign in with an account that can assign licenses in your organization
+1. From the left-hand menu in Microsoft Admin Center, select *Users*
+1. From the Users list, select the users you want to add or remove for Minecraft Education access
+1. Add the relevant Minecraft Education, A1 for device or A3/A5 license if it not assigned already
+ > [!Note]
+ > If you add a faculty license, the user will be assigned a *teacher* role in the application and will have elevated permissions.
+1. If you've assigned a Microsoft 365 A3 or A5 license, after selecting the product license, ensure to toggle *Minecraft Education* on
+ > [!Note]
+ > If you turn off this setting after students have been using Minecraft Education, they will have up to 30 more days to use Minecraft Education before they don't have access
+
+:::image type="content" source="images/minecraft/admin-center-minecraft-license.png" alt-text="Screenshot of the Microsoft 365 admin center - assignment of a Minecraft Education license to a user." lightbox="images/minecraft/admin-center-minecraft-license.png":::
+
+For more information about license assignment, see [Manage Licenses in the Admin Center][EDU-5].
+
+## Distribute Minecraft Education
+
+There are different ways to install Minecraft Education on Windows devices. You can manually install the app on each device, or you can use a deployment tool to distribute the app to multiple devices.
+If you're using Microsoft Intune to manage your devices, follow these steps to deploy Minecraft Education:
+
+1. Go to the Microsoft Intune admin center
+1. Select **Apps > Windows > Add**
+1. Under *App type*, select **Microsoft Store app (new)** and choose **Select**
+1. Select **Search the Microsoft Store app (new)** and search for **Minecraft Education**
+1. Select the app and choose **Select**
+1. On the *App information* screen, select **Next**
+1. On the *Assignments* screen, choose how you want to target the installation of Minecraft Education
+ - *Required* means that Intune installs the app without user interaction
+ - *Available* enables Minecraft Education in the Company Portal, where users can install the app on-demand
+1. Select **Next**
+1. On the *Review + Create* screen, select **Create**
+
+Intune will install Minecraft Education at the next device check-in, or will make it available in Company Portal for on-demand installs.
+
+:::image type="content" source="images/minecraft/win11-minecraft-education.png" alt-text="Screenshot of Minecraft Education executing on a Windows 11 device.":::
+
+For more information how to deploy Minecraft Education, see:
+
+- [Windows installation guide][EDU-6]
+- [Chromebook installation guide][EDU-7]
+- [iOS installation guide][EDU-8]
+- [macOS installation guide][EDU-9]
+
+If you're having trouble installing the app, you can get more help on the [Minecraft Education support page][AKA-1].
+
+
+[EDU-1]: https://educommunity.minecraft.net/hc/articles/360047116432
+[EDU-2]: https://educommunity.minecraft.net/hc/articles/360061371532
+[EDU-3]: https://www.microsoft.com/education/products/office
+[EDU-4]: https://educommunity.minecraft.net/hc/articles/360061369812
+[EDU-6]: https://educommunity.minecraft.net/hc/articles/13106858087956
+[EDU-5]: https://educommunity.minecraft.net/hc/articles/360047118672
+[EDU-7]: https://educommunity.minecraft.net/hc/articles/4404625978516
+[EDU-8]: https://educommunity.minecraft.net/hc/articles/360047556351
+[EDU-9]: https://educommunity.minecraft.net/hc/articles/360047118792
+
+[M365-1]: /microsoft-365/commerce/billing-and-payments/pay-for-your-subscription
+[M365-2]: /microsoft-365/admin/add-users/about-admin-roles
+
+[AKA-1]: https://aka.ms/minecraftedusupport
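Review bot: Step 4 of the license-assignment procedure, "Add the relevant Minecraft Education, A1 for device or A3/A5 license if it not assigned already", is missing a verb and the comma list is ambiguous; suggest "Add the relevant license (Minecraft Education, A1 for devices, or Microsoft 365 A3/A5) if it isn't assigned already". Two smaller points in the same hunk: "For more information how to deploy Minecraft Education" needs "about" ("For more information about how to deploy"), and the reference block lists [EDU-6] before [EDU-5], so reorder to keep the references sequential.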
diff --git a/education/windows/images/federated-sign-in-settings-ppkg.png b/education/windows/images/federated-sign-in-settings-ppkg.png
new file mode 100644
index 0000000000..553c40b0dd
Binary files /dev/null and b/education/windows/images/federated-sign-in-settings-ppkg.png differ
diff --git a/education/windows/images/federation/user-match-lookup-failure.png b/education/windows/images/federation/user-match-lookup-failure.png
new file mode 100644
index 0000000000..93fc3a4aa2
Binary files /dev/null and b/education/windows/images/federation/user-match-lookup-failure.png differ
diff --git a/education/windows/images/minecraft/admin-center-minecraft-license.png b/education/windows/images/minecraft/admin-center-minecraft-license.png
new file mode 100644
index 0000000000..ef96f3ef69
Binary files /dev/null and b/education/windows/images/minecraft/admin-center-minecraft-license.png differ
diff --git a/education/windows/images/minecraft/mcee-invoice-info.png b/education/windows/images/minecraft/mcee-invoice-info.png
deleted file mode 100644
index f4bf29f8b2..0000000000
Binary files a/education/windows/images/minecraft/mcee-invoice-info.png and /dev/null differ
diff --git a/education/windows/images/minecraft/win11-minecraft-education.png b/education/windows/images/minecraft/win11-minecraft-education.png
new file mode 100644
index 0000000000..84a8d86b96
Binary files /dev/null and b/education/windows/images/minecraft/win11-minecraft-education.png differ
diff --git a/education/windows/includes/intune-custom-settings-1.md b/education/windows/includes/intune-custom-settings-1.md
index a8d82dfea6..c5eee0e2a8 100644
--- a/education/windows/includes/intune-custom-settings-1.md
+++ b/education/windows/includes/intune-custom-settings-1.md
@@ -1,13 +1,13 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 11/08/2022
+ms.date: 02/22/2022
ms.topic: include
---
To configure devices with Microsoft Intune, use a custom policy:
-1. Go to the Microsoft Endpoint Manager admin center
+1. Go to the Microsoft Intune admin center
2. Select **Devices > Configuration profiles > Create profile**
3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom**
4. Select **Create**
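Review bot: The ms.date change moves the date backwards, from 11/08/2022 to 02/22/2022. The other files touched in this change use 02/23/2023, so this looks like a typo for 02/22/2023 or 02/23/2023.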
diff --git a/education/windows/index.yml b/education/windows/index.yml
index a84e4b3961..49ca3b7f40 100644
--- a/education/windows/index.yml
+++ b/education/windows/index.yml
@@ -12,6 +12,7 @@ metadata:
ms.collection:
- education
- highpri
+ - tier1
author: paolomatarazzo
ms.author: paoloma
ms.date: 08/10/2022
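Review bot: ms.date stays at 08/10/2022 on the context line while this file's collection metadata and landing-content text change in this same change set; consider bumping it alongside the other ms.date updates.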
@@ -100,5 +101,5 @@ landingContent:
url: edu-take-a-test-kiosk-mode.md
- text: Configure Shared PC
url: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context
- - text: "Deploy Minecraft: Education Edition"
+ - text: Get and deploy Minecraft Education
url: get-minecraft-for-education.md
\ No newline at end of file
diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md
deleted file mode 100644
index 150285950b..0000000000
--- a/education/windows/school-get-minecraft.md
+++ /dev/null
@@ -1,100 +0,0 @@
----
-title: For IT administrators get Minecraft Education Edition
-description: Learn how IT admins can get and distribute Minecraft in their schools.
-ms.topic: how-to
-ms.date: 08/10/2022
-appliesto:
- - ✅ Windows 10
-ms.collection:
- - highpri
- - education
- - tier2
----
-
-# For IT administrators - get Minecraft: Education Edition
-
-When you sign up for a [Minecraft: Education Edition](https://education.minecraft.net) trial, or purchase a [Minecraft: Education Edition](https://education.minecraft.net) subscription, Minecraft: Education Edition will be added to the inventory in your Microsoft Admin Center which is associated with your Azure Active Directory (Azure AD) tenant. Your Microsoft Admin Center is only displayed to members of your organization with administrative roles.
-
->[!Note]
->If you don't have an Azure AD or Office 365 tenant, you can set up a free Office 365 Education subscription when you purchase Minecraft: Education Edition. For more information, see [Office 365 Education plans and pricing](https://products.office.com/academic/compare-office-365-education-plans).
-
-## Settings for Microsoft 365 A3 or Microsoft 365 A5 customers
-
-Schools that purchased Microsoft 365 A3 or Microsoft 365 A5 have an extra option for making Minecraft: Education Edition available to their students:
-
-If your school has these products in your tenant, admins can choose to enable Minecraft: Education Edition for students using Microsoft 365 A3 or Microsoft 365 A5. From the left-hand menu in Microsoft Admin Center, select Users. From the Users list, select the users you want to add or remove for Minecraft: Education Edition access. Add the relevant A3 or A5 license if it hasn't been assigned already.
-
-> [!Note]
-> If you add a faculty license, the user will be assigned an instructor role in the application and will have elevated permissions.
-
-After selecting the appropriate product license, ensure Minecraft: Education Edition is toggled on or off, depending on if you want to add or remove Minecraft: Education Edition from the user (it will be on by default).
-
-If you turn off this setting after students have been using Minecraft: Education Edition, they will have up to 30 more days to use Minecraft: Education Edition before they don't have access.
-
-## How to get Minecraft: Education Edition
-
-Users in a Microsoft verified academic institution account will have access to the free trial limited logins for Minecraft: Education Edition. This grants faculty accounts 25 free logins and student accounts 10 free logins. To purchase direct licenses, see [Minecraft: Education Edition - direct purchase](#individual-copies).
-
-If you've been approved and are part of the Enrollment for Education Solutions volume license program, you can purchase a volume license for Minecraft: Education Edition. For more information, see [Minecraft: Education Edition - volume license](#volume-license).
-
-### Minecraft: Education Edition - direct purchase
-
-1. Go to [https://education.minecraft.net/](https://education.minecraft.net/) and select **How to Buy** in the top navigation bar.
-
-2. Scroll down and select **Buy Now** under Direct Purchase.
-
-3. This will route you to the purchase page in the Microsoft Admin center. You will need to log in to your Administrator account.
-
-4. If necessary, fill in any requested organization or payment information.
-
-5. Select the quantity of licenses you would like to purchase and select **Place Order**.
-
-6. After you've purchased licenses, you'll need to [assign them to users in the Admin Center](/microsoft-365/admin/manage/assign-licenses-to-users).
-
-If you need additional licenses for **Minecraft: Education Edition**, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses).
-
-### Minecraft: Education Edition - volume licensing
-
-Qualified education institutions can purchase Minecraft: Education Edition licenses through their Microsoft channel partner. Schools need to be part of the Enrollment for Education Solutions (EES) volume licensing program. Educational institutions should work with their channel partner to determine which Minecraft: Education Edition licensing offer is best for their institution. The process looks like this:
-
-- Your channel partner will submit and process your volume license order, your licenses will be shown on [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), and the licenses will be available in your [Microsoft Store for Education](https://www.microsoft.com/business-store) inventory.
-- You'll receive an email with a link to Microsoft Store for Education.
-- Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com) to distribute and manage the Minecraft: Education Edition licenses. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft)
-
-## Minecraft: Education Edition payment options
-
-You can pay for Minecraft: Education Edition with a debit or credit card, or with an invoice.
-
-### Debit or credit cards
-
-During the purchase, click **Add a new payment method**. Provide the info needed for your debit or credit card.
-
-### Invoices
-
-Invoices are now a supported payment method for Minecraft: Education Edition. There are a few requirements:
-
-- Admins only (not supported for Teachers)
-- $500 invoice minimum for your initial purchase
-- $15,000 invoice maximum (for all invoices within your organization)
-
-**To pay with an invoice**
-
-1. During the purchase, click **Add a new payment method.**
-
-2. Select the Invoice option, and provide the info needed for an invoice. The **PO number** item allows you to add a tracking number or info that is meaningful to your organization.
-
- 
-
-For more info on invoices and how to pay by invoice, see [How to pay for your subscription](/microsoft-365/commerce/billing-and-payments/pay-for-your-subscription?).
-
-## Distribute Minecraft
-
-After Minecraft: Education Edition is added to your Microsoft Admin Center inventory, you can [assign these licenses to your users](/microsoft-365/admin/manage/assign-licenses-to-users) or [download the app](https://aka.ms/downloadmee).
-
-## Learn more
-
-[About Intune Admin roles in the Microsoft 365 admin center](/microsoft-365/business-premium/m365bp-intune-admin-roles-in-the-mac)
-
-## Related topics
-
-[Get Minecraft: Education Edition](get-minecraft-for-education.md)
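Review bot: The deleted Invoices section listed "Admins only (not supported for Teachers)" as a requirement alongside the $500 minimum and $15,000 maximum, but the replacement page's Invoices section carries only the two amount limits. If the admin-only restriction still applies, restore it there; if it no longer applies, the removal should be called out as intentional. The deleted page also linked to a direct app download (https://aka.ms/downloadmee) that the new Distribute section does not carry for manual installs.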
diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md
deleted file mode 100644
index f11f1f684a..0000000000
--- a/education/windows/teacher-get-minecraft.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-title: For teachers get Minecraft Education Edition
-description: Learn how teachers can obtain and distribute Minecraft.
-ms.topic: how-to
-ms.date: 08/10/2022
-appliesto:
- - ✅ Windows 10 and later
-ms.collection:
- - highpri
- - education
- - tier2
----
-
-# For teachers - get Minecraft: Education Edition
-
-The following article describes how teachers can get and distribute Minecraft: Education Edition at their school. Minecraft: Education Edition is available for anyone to trial, and subscriptions can be purchased by qualified educational institutions directly in the [Microsoft Admin Center by IT Admins](/education/windows/school-get-minecraft), via volume licensing agreements and through partner resellers.
-
-
-## Try Minecraft: Education Edition for Free
-
-Minecraft: Education Edition is available for anyone to try for free! The free trial is fully functional but limited by the number of logins (25 for teachers and 10 for students) before a paid license will be required to continue playing.
-
-To learn more and get started, [download the Minecraft: Education Edition app here.](https://aka.ms/download)
-
-## Purchase Minecraft: Education Edition for Teachers and Students
-
-As a teacher, you will need to have your IT Admin purchase licenses for you and your students directly through the Microsoft Admin Center, or you may already have access to licenses at your school (through a volume license agreement) if you have an Office 365 subscription.
-
-M:EE is included in many volume license agreements, however, only the administrators at your school will be able to assign and manage those licenses. If you have an Office 365 account, check with your school administration or IT administrator prior to purchasing M:EE directly.
-
-
-#### Troubleshoot
-
-If you're having trouble installing the app, you can get more help on our [Support page](https://aka.ms/minecraftedusupport).
-
-## Related topics
-
-[Get Minecraft: Education Edition](get-minecraft-for-education.md)
-[For IT admins: get Minecraft: Education Edition](school-get-minecraft.md)
-
-
diff --git a/education/windows/tutorial-school-deployment/configure-device-settings.md b/education/windows/tutorial-school-deployment/configure-device-settings.md
index f70081a995..5b63ea0b0b 100644
--- a/education/windows/tutorial-school-deployment/configure-device-settings.md
+++ b/education/windows/tutorial-school-deployment/configure-device-settings.md
@@ -70,7 +70,7 @@ To create a Windows Update policy:
For more information, see [Updates and upgrade][INT-6].
> [!NOTE]
-> If you require a more complex Windows Update policy, you can create it in Microsoft Endpoint Manager. For more information:
+> If you require a more complex Windows Update policy, you can create it in Microsoft Intune. For more information:
> - [What is Windows Update for Business?][WIN-1]
> - [Manage Windows software updates in Intune][MEM-1]
@@ -92,7 +92,7 @@ To create a security policy:
For more information, see [Security][INT-4].
> [!NOTE]
-> If you require more sophisticated security policies, you can create them in Microsoft Endpoint Manager. For more information:
+> If you require more sophisticated security policies, you can create them in Microsoft Intune. For more information:
> - [Antivirus][MEM-2]
> - [Disk encryption][MEM-3]
> - [Firewall][MEM-4]
diff --git a/education/windows/tutorial-school-deployment/enroll-autopilot.md b/education/windows/tutorial-school-deployment/enroll-autopilot.md
index 01394b420a..32ff8c37ed 100644
--- a/education/windows/tutorial-school-deployment/enroll-autopilot.md
+++ b/education/windows/tutorial-school-deployment/enroll-autopilot.md
@@ -54,7 +54,7 @@ Here are the steps for creating a dynamic group for the devices that have an ass
1. Select **Create group**
:::image type="content" source="./images/intune-education-autopilot-group.png" alt-text="Intune for Education - creation of a dynamic group for Autopilot devices" border="true":::
-More advanced dynamic membership rules can be created from Microsoft Endpoint Manager admin center. For more information, see [Create an Autopilot device group using Intune][MEM-3].
+More advanced dynamic membership rules can be created from Microsoft Intune admin center. For more information, see [Create an Autopilot device group using Intune][MEM-3].
> [!TIP]
> You can use these dynamic groups not only to assign Autopilot profiles, but also to target applications and settings.
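Review bot: "from Microsoft Intune admin center" reads better as "from the Microsoft Intune admin center", the form used in the manage-surface-devices.md hunk of this same change.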
@@ -76,7 +76,7 @@ To create an Autopilot deployment profile:
1. Ensure that **User account type** is configured as **Standard**
1. Select **Save**
-While Intune for Education offers simple options for Autopilot configurations, more advanced deployment profiles can be created from Microsoft Endpoint Manager admin center. For more information, see [Windows Autopilot deployment profiles][MEM-4].
+While Intune for Education offers simple options for Autopilot configurations, more advanced deployment profiles can be created from Microsoft Intune admin center. For more information, see [Windows Autopilot deployment profiles][MEM-4].
### Configure an Enrollment Status Page
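Review bot: Same article point as the previous hunk: "created from Microsoft Intune admin center" should be "created from the Microsoft Intune admin center".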
@@ -87,7 +87,7 @@ An Enrollment Status Page (ESP) is a greeting page displayed to users while enro
> [!NOTE]
> Some Windows Autopilot deployment profiles **require** the ESP to be configured.
-To deploy the ESP to devices, you need to create an ESP profile in Microsoft Endpoint Manager.
+To deploy the ESP to devices, you need to create an ESP profile in Microsoft Intune.
> [!TIP]
> While testing the deployment process, you can configure the ESP to:
diff --git a/education/windows/tutorial-school-deployment/index.md b/education/windows/tutorial-school-deployment/index.md
index 98574366e1..a23afe72b0 100644
--- a/education/windows/tutorial-school-deployment/index.md
+++ b/education/windows/tutorial-school-deployment/index.md
@@ -29,8 +29,8 @@ This content provides a comprehensive path for schools to deploy and manage new
Historically, school IT administrators and educators have struggled to find an easy-to-use, flexible, and secure way to manage the lifecycle of the devices in their schools. In response, Microsoft has developed integrated suites of products for streamlined, cost-effective device lifecycle management.
-Microsoft 365 Education provides tools and services that enable simplified management of all devices through Microsoft Endpoint Manager (MEM). With Microsoft's solutions, IT administrators have the flexibility to support diverse scenarios, including school-owned devices and bring-your-own devices.
-Microsoft Endpoint Manager services include:
+Microsoft 365 Education provides tools and services that enable simplified management of all devices through Microsoft Intune services. With Microsoft's solutions, IT administrators have the flexibility to support diverse scenarios, including school-owned devices and bring-your-own devices.
+Microsoft Intune services include:
- [Microsoft Intune][MEM-1]
- [Microsoft Intune for Education][INT-1]
diff --git a/education/windows/tutorial-school-deployment/manage-surface-devices.md b/education/windows/tutorial-school-deployment/manage-surface-devices.md
index e374fd8f7d..94efd0d46b 100644
--- a/education/windows/tutorial-school-deployment/manage-surface-devices.md
+++ b/education/windows/tutorial-school-deployment/manage-surface-devices.md
@@ -17,25 +17,25 @@ Surface devices use a Unified Extensible Firmware Interface (UEFI) setting that
DFCI supports zero-touch provisioning, eliminates BIOS passwords, and provides control of security settings for boot options, cameras and microphones, built-in peripherals, and more. For more information, see [Manage DFCI on Surface devices][SURF-1] and [Manage DFCI with Windows Autopilot][MEM-1], which includes a list of requirements to use DFCI.
-:::image type="content" source="./images/dfci-profile.png" alt-text="Creation of a DFCI profile from Microsoft Endpoint Manager" lightbox="./images/dfci-profile-expanded.png" border="true":::
+:::image type="content" source="./images/dfci-profile.png" alt-text="Creation of a DFCI profile from Microsoft Intune" lightbox="./images/dfci-profile-expanded.png" border="true":::
## Microsoft Surface Management Portal
-Located in the Microsoft Endpoint Manager admin center, the Microsoft Surface Management Portal enables you to self-serve, manage, and monitor your school's Intune-managed Surface devices at scale. Get insights into device compliance, support activity, warranty coverage, and more.
+Located in the Microsoft Intune admin center, the Microsoft Surface Management Portal enables you to self-serve, manage, and monitor your school's Intune-managed Surface devices at scale. Get insights into device compliance, support activity, warranty coverage, and more.
When Surface devices are enrolled in cloud management and users sign in for the first time, information automatically flows into the Surface Management Portal, giving you a single pane of glass for Surface-specific administration activities.
To access and use the Surface Management Portal:
-1. Sign in to Microsoft Endpoint Manager admin center
-1. Select **All services** > **Surface Management Portal**
- :::image type="content" source="./images/surface-management-portal.png" alt-text="Surface Management Portal within Microsoft Endpoint Manager" lightbox="./images/surface-management-portal-expanded.png" border="true":::
-1. To obtain insights for all your Surface devices, select **Monitor**
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+2. Select **All services** > **Surface Management Portal**
+ :::image type="content" source="./images/surface-management-portal.png" alt-text="Surface Management Portal within Microsoft Intune" lightbox="./images/surface-management-portal-expanded.png" border="true":::
+3. To obtain insights for all your Surface devices, select **Monitor**
- Devices that are out of compliance or not registered, have critically low storage, require updates, or are currently inactive, are listed here
-1. To obtain details on each insights category, select **View report**
+4. To obtain details on each insights category, select **View report**
- This dashboard displays diagnostic information that you can customize and export
-1. To obtain the device's warranty information, select **Device warranty and coverage**
-1. To review a list of support requests and their status, select **Support requests**
+5. To obtain the device's warranty information, select **Device warranty and coverage**
+6. To review a list of support requests and their status, select **Support requests**
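Review bot: The numbered list changes from the repo's all-`1.` convention to explicit `2.`, `3.`, ... while the other procedures touched in this patch (for example the enrollment-restriction steps in set-up-microsoft-intune.md) keep `1.` on every item; pick one style across the patch. Also, the new step 1 ends with a period while steps 2 through 6 do not, so either add periods to all steps or drop it from step 1.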
diff --git a/education/windows/tutorial-school-deployment/set-up-azure-ad.md b/education/windows/tutorial-school-deployment/set-up-azure-ad.md
index d27616f71e..899b8298dd 100644
--- a/education/windows/tutorial-school-deployment/set-up-azure-ad.md
+++ b/education/windows/tutorial-school-deployment/set-up-azure-ad.md
@@ -30,7 +30,7 @@ For more information, see [Create your Office 365 tenant account][M365-1]
The **Microsoft 365 admin center** is the hub for all administrative consoles for the Microsoft 365 cloud. To access the Microsoft Entra admin center, sign in with the same global administrator account when you [created the Microsoft 365 tenant](#create-a-microsoft-365-tenant).
-From the Microsoft 365 admin center, you can access different administrative dashboards: Azure Active Directory, Microsoft Endpoint Manager, Intune for Education, and others:
+From the Microsoft 365 admin center, you can access different administrative dashboards: Azure Active Directory, Microsoft Intune, Intune for Education, and others:
:::image type="content" source="./images/m365-admin-center.png" alt-text="*All admin centers* page in *Microsoft 365 admin center*" lightbox="./images/m365-admin-center.png" border="true":::
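Review bot: The updated dashboard list still says "Azure Active Directory" while the preceding context sentence refers to the "Microsoft Entra admin center"; since this change is already a product-name sweep, it is worth aligning the two (either both Azure AD or both Entra) in the same edit.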
diff --git a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md
index f4d3b44e2e..8d1b84254e 100644
--- a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md
+++ b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md
@@ -7,9 +7,9 @@ ms.topic: tutorial
# Set up Microsoft Intune
-Without the proper tools and resources, managing hundreds or thousands of devices in a school environment can be a complex and time-consuming task. Microsoft Endpoint Manager provides a collection of services that simplifies the management of devices at scale.
+Without the proper tools and resources, managing hundreds or thousands of devices in a school environment can be a complex and time-consuming task. Microsoft Intune is a collection of services that simplifies the management of devices at scale.
-Microsoft Intune is one of the services provided by Microsoft Endpoint Manager. The Microsoft Intune service can be managed in different ways, and one of them is **Intune for Education**, a web portal designed for education environments.
+The Microsoft Intune service can be managed in different ways, and one of them is **Intune for Education**, a web portal designed for education environments.
:::image type="content" source="./images/intune-education-portal.png" alt-text="Intune for Education dashboard" lightbox="./images/intune-education-portal.png" border="true":::
@@ -44,13 +44,13 @@ With enrollment restrictions, you can prevent certain types of devices from bein
To block personally owned Windows devices from enrolling:
-1. Sign in to the Microsoft Endpoint Manager admin center
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Devices** > **Enroll devices** > **Enrollment device platform restrictions**
1. Select the **Windows restrictions** tab
1. Select **Create restriction**
1. On the **Basics** page, provide a name for the restriction and, optionally, a description > **Next**
1. On the **Platform settings** page, in the **Personally owned devices** field, select **Block** > **Next**
- :::image type="content" source="./images/enrollment-restrictions.png" alt-text="Device enrollment restriction page in Microsoft Endpoint Manager admin center" lightbox="./images/enrollment-restrictions.png" border="true":::
+ :::image type="content" source="./images/enrollment-restrictions.png" alt-text="This screenshot is of the device enrollment restriction page in Microsoft Intune admin center." lightbox="./images/enrollment-restrictions.png":::
1. Optionally, on the **Scope tags** page, add scope tags > **Next**
1. On the **Assignments** page, select **Add groups**, and then use the search box to find and choose groups to which you want to apply the restriction > **Next**
1. On the **Review + create** page, select **Create** to save the restriction
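Review bot: The new step 1 ("Sign in to the [Microsoft Intune admin center](...).") ends with a period, but none of the following steps in this procedure do; make the punctuation consistent across the list.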
@@ -63,13 +63,13 @@ Windows Hello for Business is a biometric authentication feature that allows use
It's suggested to disable Windows Hello for Business on Windows devices at the tenant level, and enabling it only for devices that need it, for example for teachers and staff devices.
To disable Windows Hello for Business at the tenant level:
-1. Sign in to the Microsoft Endpoint Manager admin center
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Devices** > **Windows** > **Windows Enrollment**
1. Select **Windows Hello for Business**
1. Ensure that **Configure Windows Hello for Business** is set to **disabled**
1. Select **Save**
-:::image type="content" source="./images/whfb-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Endpoint Manager admin center." border="true" lightbox="./images/whfb-disable.png":::
+:::image type="content" source="./images/whfb-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="./images/whfb-disable.png":::
For more information how to enable Windows Hello for Business on specific devices, see [Create a Windows Hello for Business policy][MEM-4].
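Review bot: Same punctuation mismatch as the enrollment-restriction procedure above: step 1 now ends with a period while steps 2 through 5 do not. Since the sign-in step is being rewritten anyway, the context sentence "It's suggested to disable ... and enabling it only for devices" could also be fixed to "and enable it only" in the same pass.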
diff --git a/education/windows/tutorial-school-deployment/troubleshoot-overview.md b/education/windows/tutorial-school-deployment/troubleshoot-overview.md
index dd9817a5b9..a58a7f2d9a 100644
--- a/education/windows/tutorial-school-deployment/troubleshoot-overview.md
+++ b/education/windows/tutorial-school-deployment/troubleshoot-overview.md
@@ -1,6 +1,6 @@
---
title: Troubleshoot Windows devices
-description: Learn how to troubleshoot Windows devices from Intune and contact Microsoft Support for issues related to Intune and other Endpoint Manager services.
+description: Learn how to troubleshoot Windows devices from Intune and contact Microsoft Support for issues related to Intune and other services.
ms.date: 08/31/2022
ms.topic: tutorial
appliesto:
@@ -9,7 +9,7 @@ appliesto:
# Troubleshoot Windows devices
-Microsoft Endpoint Manager provides many tools that can help you troubleshoot Windows devices.
+Microsoft Intune provides many tools that can help you troubleshoot Windows devices.
Here's a collection of resources to help you troubleshoot Windows devices managed by Intune:
- [Troubleshooting device enrollment in Intune][MEM-2]
@@ -27,11 +27,12 @@ Here's a collection of resources to help you troubleshoot Windows devices manage
Microsoft provides global technical, pre-sales, billing, and subscription support for cloud-based device management services. This support includes Microsoft Intune, Configuration Manager, Windows 365, and Microsoft Managed Desktop.
-Follow these steps to obtain support in Microsoft Endpoint Manager:
+Follow these steps to obtain support in Microsoft Intune provides many tools that can help you troubleshoot Windows devices.
+:
-- Sign in to the Microsoft Endpoint Manager admin center
+- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
- Select **Troubleshooting + support** > **Help and support**
- :::image type="content" source="images/advanced-support.png" alt-text="Screenshot that shows how to obtain support from Microsoft Endpoint Manager." lightbox="images/advanced-support.png":::
+ :::image type="content" source="images/advanced-support.png" alt-text="Screenshot that shows how to obtain support from Microsoft Intune." lightbox="images/advanced-support.png":::
- Select the required support scenario: Configuration Manager, Intune, Co-management, or Windows 365
- Above **How can we help?**, select one of three icons to open different panes: *Find solutions*, *Contact support*, or *Service requests*
- In the **Find solutions** pane, use the text box to specify a few details about your issue. The console may offer suggestions based on what you've entered. Depending on the presence of specific keywords, the console provides help like:
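Review bot: The replacement for the "Follow these steps" line looks like a paste error: it now reads "Follow these steps to obtain support in Microsoft Intune provides many tools that can help you troubleshoot Windows devices." with a stray ":" on the next line, which is the sentence from the top of the page concatenated onto the step intro. It should be a single line such as "Follow these steps to obtain support in Microsoft Intune:" with the standalone ":" line removed.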
@@ -43,7 +44,7 @@ Follow these steps to obtain support in Microsoft Endpoint Manager:
> When opening a case, be sure to include as many details as possible in the *Description* field. Such information includes: timestamp and date, device ID, device model, serial number, OS version, and any other details relevant to the issue.
- To review your case history, select the **Service requests** pane. Active cases are at the top of the list, with closed issues also available for review
-For more information, see [Microsoft Endpoint Manager support page][MEM-1]
+For more information, see [Microsoft Intune support page][MEM-1]
[MEM-1]: /mem/get-support
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md
index 05dbf61f4b..301a6d1da2 100644
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@@ -13,7 +13,7 @@ IT administrators and technical teachers can use the **Set up School PCs** app t
Set up School PCs also:
* Joins each student PC to your organization's Office 365 and Azure Active Directory tenant.
* Enables the optional Autopilot Reset feature, to return devices to a fully configured or known IT-approved state.
-* Utilizes Windows Update and maintenance hours to keeps student PCs up-to-date, without interfering with class time.
+* Utilizes Windows Update and maintenance hours to keep student PCs up-to-date, without interfering with class time.
* Locks down the student PC to prevent activity that isn't beneficial to their education.
This article describes how to fill out your school's information in the Set up School PCs app. To learn more about the app's functionality, start with the [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md).
@@ -23,8 +23,6 @@ Before you begin, make sure that you, your computer, and your school's network a
* Office 365 and Azure Active Directory
* [Latest Set up School PCs app](https://www.microsoft.com/store/apps/9nblggh4ls40)
-* Permission to buy apps in Microsoft Store for Education
-* Set up School PCs app has permission to access the Microsoft Store for Education
* A NTFS-formatted USB drive that is at least 1 GB, if not installing Office; and at least 8 GB, if installing Office
* Student PCs must either:
* Be within range of the Wi-Fi network that you configured in the app.
@@ -170,9 +168,9 @@ The following table describes each setting and lists the applicable Windows 10 v
|---------|---------|---------|---------|---------|---------|---------|
|Remove apps pre-installed by the device manufacturer |X|X|X|X| Uninstalls apps that came loaded on the computer by the device's manufacturer. |Adds about 30 minutes to the provisioning process.|
|Allow local storage (not recommended for shared devices) |X|X|X|X| Lets students save files to the Desktop and Documents folder on the Student PC. |Not recommended if the device will be shared between different students.|
-|Optimize device for a single student, instead of a shared cart or lab |X|X|X|X|Optimizes the device for use by a single student, rather than many students. |Recommended if the device will be shared between different students. Single-optimized accounts are set to expire, and require a signin, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. |
+|Optimize device for a single student, instead of a shared cart or lab |X|X|X|X|Optimizes the device for use by a single student, rather than many students. |Recommended if the device will be shared between different students. Single-optimized accounts are set to expire, and require a sign-in, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. |
|Let guests sign in to these PCs |X|X|X|X|Allows guests to use student PCs without a school account. |Common to use within a public, shared space, such as a library. Also used when a student loses their password. Adds a **Guest** account to the PC sign-in screen that anyone can sign in to.|
-|Enable Autopilot Reset |Not available|X|X|X|Lets you remotely reset a student’s PC from the lock screen, apply the device’s original settings, and enroll it in device management (Azure AD and MDM). |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.|
+|Enable Autopilot Reset |Not available|X|X|X|Lets you remotely reset a student's PC from the lock screen, apply the device's original settings, and enroll it in device management (Azure AD and MDM). |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.|
|Lock screen background|X|X|X|X|Change the default screen lock background to a custom image.|Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.|
After you've made your selections, click **Next**.
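Review bot: While this row is being edited for "sign-in", note that the "Optimize device for a single student, instead of a shared cart or lab" row still says "Recommended if the device will be shared between different students", which reads as the opposite of what the setting name and description ("for use by a single student, rather than many students") imply; please confirm whether this should be "Not recommended if the device will be shared" before merging.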
diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md
index 36e841ae91..b338b51a2f 100644
--- a/education/windows/windows-11-se-settings-list.md
+++ b/education/windows/windows-11-se-settings-list.md
@@ -53,7 +53,7 @@ The following settings can't be changed.
| Allowed Account Types | Microsoft accounts and Azure AD accounts are allowed. |
| Virtual Desktops | Virtual Desktops are blocked. |
| Microsoft Store | The Microsoft Store is blocked. |
-| Administrative tools | Administrative tools, such as the command prompt and Windows PowerShell, can't be opened. Windows PowerShell scripts deployed using Microsoft Endpoint Manager can run. |
+| Administrative tools | Administrative tools, such as the command prompt and Windows PowerShell, can't be opened. Windows PowerShell scripts deployed using Microsoft Intune can run. |
| Apps | Only certain apps are allowed to run on Windows 11 SE. For more info on what apps can run on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md). |
## Next steps
diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md
index d6bbee15ca..e4d5e9ef2e 100644
--- a/store-for-business/acquire-apps-microsoft-store-for-business.md
+++ b/store-for-business/acquire-apps-microsoft-store-for-business.md
@@ -16,7 +16,7 @@ ms.date: 07/21/2021
# Acquire apps in Microsoft Store for Business and Education
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
> [!IMPORTANT]
> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
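Review bot: The link text is renamed to "Update to Intune integration with the Microsoft Store on Windows", but the target URL slug is still `update-to-endpoint-manager-integration-with-the-microsoft-store`, which suggests the linked blog post itself keeps its original title. Link text for an external article should normally match the article's actual title; confirm the post was retitled, otherwise keep "Endpoint Manager" in the link text here. The same edit is repeated on the identical [!IMPORTANT] line in each of the other store-for-business pages in this patch, so whichever way this is resolved should be applied to all of them.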
diff --git a/store-for-business/add-profile-to-devices.md b/store-for-business/add-profile-to-devices.md
index 4ea7713429..d2cf5a3906 100644
--- a/store-for-business/add-profile-to-devices.md
+++ b/store-for-business/add-profile-to-devices.md
@@ -19,7 +19,7 @@ ms.localizationpriority: medium
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Windows Autopilot simplifies device set up for IT Admins. For an overview of benefits, scenarios, and prerequisites, see [Overview of Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot).
diff --git a/store-for-business/app-inventory-management-microsoft-store-for-business.md b/store-for-business/app-inventory-management-microsoft-store-for-business.md
index 3555366945..926aa750f9 100644
--- a/store-for-business/app-inventory-management-microsoft-store-for-business.md
+++ b/store-for-business/app-inventory-management-microsoft-store-for-business.md
@@ -20,7 +20,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
You can manage all apps that you've acquired on your **Apps & software** page. This page shows all of the content you've acquired, including apps that from Microsoft Store, and line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Apps & software** page. On the **New LOB apps** tab, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md). The inventory page includes apps acquired by all people in your organization with the Store for Business Admin role.
diff --git a/store-for-business/apps-in-microsoft-store-for-business.md b/store-for-business/apps-in-microsoft-store-for-business.md
index f59d3fa018..661d98861a 100644
--- a/store-for-business/apps-in-microsoft-store-for-business.md
+++ b/store-for-business/apps-in-microsoft-store-for-business.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Microsoft Store for Business and Education has thousands of apps from many different categories.
diff --git a/store-for-business/assign-apps-to-employees.md b/store-for-business/assign-apps-to-employees.md
index 7225de9903..c296c8f37d 100644
--- a/store-for-business/assign-apps-to-employees.md
+++ b/store-for-business/assign-apps-to-employees.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Admins, Purchasers, and Basic Purchasers can assign online-licensed apps to employees or students in their organization.
diff --git a/store-for-business/billing-payments-overview.md b/store-for-business/billing-payments-overview.md
index a258d9af7e..5205cbadba 100644
--- a/store-for-business/billing-payments-overview.md
+++ b/store-for-business/billing-payments-overview.md
@@ -17,7 +17,7 @@ manager: dansimp
# Billing and payments
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Access invoices and managed your payment methods.
diff --git a/store-for-business/billing-profile.md b/store-for-business/billing-profile.md
index 77f5fa0713..82581997ea 100644
--- a/store-for-business/billing-profile.md
+++ b/store-for-business/billing-profile.md
@@ -17,7 +17,7 @@ manager: dansimp
# Understand billing profiles
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
For commercial customers purchasing software or hardware products from Microsoft using a Microsoft customer agreement, billing profiles let you customize what products are included on your invoice, and how you pay your invoices.
diff --git a/store-for-business/billing-understand-your-invoice-msfb.md b/store-for-business/billing-understand-your-invoice-msfb.md
index d3b06dbe77..e500732cc9 100644
--- a/store-for-business/billing-understand-your-invoice-msfb.md
+++ b/store-for-business/billing-understand-your-invoice-msfb.md
@@ -16,7 +16,7 @@ manager: dansimp
# Understand your Microsoft Customer Agreement invoice
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
The invoice provides a summary of your charges and provides instructions for payment. It's available for
download in the Portable Document Format (.pdf) for commercial customers from Microsoft Store for Business [Microsoft Store for Business - Invoice](https://businessstore.microsoft.com/manage/payments-billing/invoices) or can be sent via email. This article applies to invoices generated for a Microsoft Customer Agreement billing account. Check if you have a [Microsoft Customer Agreement](https://businessstore.microsoft.com/manage/organization/agreements).
diff --git a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
index 70adfcef94..190b9be3e6 100644
--- a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
+++ b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. Store for Business management tool services work with your third-party management tool to manage content.
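Review bot: the hunk header shows `ms.date: 07/21/2021` left untouched while the visible article text changes; if the repository treats branding updates as content changes, bump `ms.date` in this file and the other files in this patch that carry the same date, otherwise the "last updated" stamp will understate when the Intune wording landed.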
@@ -45,6 +45,6 @@ After your management tool is added to your Azure AD directory, you can configur
Your MDM tool is ready to use with Microsoft Store. To learn how to configure synchronization and deploy apps, see these topics:
- [Manage apps you purchased from Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business)
-- [Manage apps from Microsoft Store for Business with Microsoft Endpoint Configuration Manager](/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
+- [Manage apps from Microsoft Store for Business with Microsoft Configuration Manager](/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
For third-party MDM providers or management servers, check your product documentation.
\ No newline at end of file
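Review bot: the file still ends without a trailing newline (`\ No newline at end of file`) after the edited list item; since this hunk already touches the last lines, add the terminating newline so future diffs against this file do not keep carrying the marker.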
diff --git a/store-for-business/distribute-apps-from-your-private-store.md b/store-for-business/distribute-apps-from-your-private-store.md
index 2cc25547e0..b443e48e71 100644
--- a/store-for-business/distribute-apps-from-your-private-store.md
+++ b/store-for-business/distribute-apps-from-your-private-store.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
The private store is a feature in Microsoft Store for Business and Education that organizations receive during the signup process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in Microsoft Store app, and is usually named for your company or organization. Only apps with online licenses can be added to the private store.
diff --git a/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md b/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md
index 39518d2c87..7f88c7212e 100644
--- a/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md
+++ b/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Distribute apps to your employees from Microsoft Store for Business and Microsoft Store for Education. You can assign apps to employees, or let employees install them from your private store.
diff --git a/store-for-business/distribute-apps-with-management-tool.md b/store-for-business/distribute-apps-with-management-tool.md
index 8bde8ed28d..90e4939804 100644
--- a/store-for-business/distribute-apps-with-management-tool.md
+++ b/store-for-business/distribute-apps-with-management-tool.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
You can configure a mobile device management (MDM) tool to synchronize your Microsoft Store for Business or Microsoft Store for Education inventory. Microsoft Store management tool services work with MDM tools to manage content.
diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md
index b1b43828f9..765f0b39ce 100644
--- a/store-for-business/distribute-offline-apps.md
+++ b/store-for-business/distribute-offline-apps.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
>
Offline licensing is a new licensing option for Windows 10 with Microsoft Store for Business and Microsoft Store for Education. With offline licenses, organizations can download apps and their licenses to deploy within their network, or on devices that are not connected to the Internet. ISVs or devs can opt-in their apps for offline licensing when they submit them to the Windows Dev Center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Microsoft Store for Business and Microsoft Store for Education. This model allows organizations to deploy apps when users or devices do not have connectivity to the Store.
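Review bot: the admonition in this file ends with a stray empty `>` line immediately before the "Offline licensing is a new licensing option" paragraph, which none of the other files in this patch have; drop that line so the `[!IMPORTANT]` block closes consistently with the rest of the set.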
@@ -45,7 +45,7 @@ You can't distribute offline-licensed apps directly from Microsoft Store. Once y
- **Create provisioning package**. You can use Windows Imaging and Configuration Designer (ICD) to create a provisioning package for your offline app. Once you have the package, there are options to [apply the provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package). For more information, see [Provisioning Packages for Windows 10](/windows/configuration/provisioning-packages/provisioning-packages).
- **Mobile device management provider or management server.** You can use a mobile device management (MDM) provider or management server to distribute offline apps. For more information, see these topics:
- - [Manage apps from Microsoft Store for Business with Microsoft Endpoint Configuration Manager](/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
+ - [Manage apps from Microsoft Store for Business with Microsoft Configuration Manager](/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
- [Manage apps from Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business)
For third-party MDM providers or management servers, check your product documentation.
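Review bot: the Configuration Manager item is renamed consistently with the same link in `configure-mdm-provider-microsoft-store-for-business.md`, but the two nested items here list Configuration Manager before Intune while that file lists Intune first; pick one order for the pair of links so the two articles read the same.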
diff --git a/store-for-business/find-and-acquire-apps-overview.md b/store-for-business/find-and-acquire-apps-overview.md
index 0a239cee50..ad4b5f621a 100644
--- a/store-for-business/find-and-acquire-apps-overview.md
+++ b/store-for-business/find-and-acquire-apps-overview.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Use the Microsoft Store for Business and Education to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization.
diff --git a/store-for-business/index.md b/store-for-business/index.md
index 82901c7ebe..369336371c 100644
--- a/store-for-business/index.md
+++ b/store-for-business/index.md
@@ -20,7 +20,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Welcome to the Microsoft Store for Business and Education! You can use Microsoft Store to find, acquire, distribute, and manage apps for your organization or school.
diff --git a/store-for-business/manage-access-to-private-store.md b/store-for-business/manage-access-to-private-store.md
index 84c39959bb..2b8c3e26f4 100644
--- a/store-for-business/manage-access-to-private-store.md
+++ b/store-for-business/manage-access-to-private-store.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
You can manage access to your private store in Microsoft Store for Business and Microsoft Store for Education.
diff --git a/store-for-business/manage-apps-microsoft-store-for-business-overview.md b/store-for-business/manage-apps-microsoft-store-for-business-overview.md
index 855e3839ed..706e1bc726 100644
--- a/store-for-business/manage-apps-microsoft-store-for-business-overview.md
+++ b/store-for-business/manage-apps-microsoft-store-for-business-overview.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Manage products and services in Microsoft Store for Business and Microsoft Store for Education. This includes apps, software, products, devices, and services available under **Products & services**.
diff --git a/store-for-business/manage-orders-microsoft-store-for-business.md b/store-for-business/manage-orders-microsoft-store-for-business.md
index 4b6f8bd99e..dfc9b3d00d 100644
--- a/store-for-business/manage-orders-microsoft-store-for-business.md
+++ b/store-for-business/manage-orders-microsoft-store-for-business.md
@@ -16,7 +16,7 @@ manager: dansimp
# Manage app orders in Microsoft Store for Business and Education
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
After you've acquired apps, you can review order information and invoices on **Order history**. On this page, you can view invoices, and request refunds.
diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md
index b7765c7ea3..218f2b5aac 100644
--- a/store-for-business/manage-private-store-settings.md
+++ b/store-for-business/manage-private-store-settings.md
@@ -21,7 +21,7 @@ ms.localizationpriority: medium
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
The private store is a feature in Microsoft Store for Business and Education that organizations receive during the sign up process. When admins add apps to the private store, all people in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store.
diff --git a/store-for-business/manage-settings-microsoft-store-for-business.md b/store-for-business/manage-settings-microsoft-store-for-business.md
index 37505459c3..e3d9147262 100644
--- a/store-for-business/manage-settings-microsoft-store-for-business.md
+++ b/store-for-business/manage-settings-microsoft-store-for-business.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant.
diff --git a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md
index de70959d59..36ec4938f9 100644
--- a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md
+++ b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Microsoft Store for Business and Education manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-microsoft-store-for-business.md), but not to groups.
diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md
index a5149c0b1e..3318a1ca0c 100644
--- a/store-for-business/microsoft-store-for-business-education-powershell-module.md
+++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md
@@ -19,7 +19,7 @@ manager: dansimp
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Microsoft Store for Business and Education PowerShell module (preview) is now available on [PowerShell Gallery](https://go.microsoft.com/fwlink/?linkid=853459).
diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md
index 6516ad323c..a7009160fa 100644
--- a/store-for-business/microsoft-store-for-business-overview.md
+++ b/store-for-business/microsoft-store-for-business-overview.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
> [!IMPORTANT]
> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
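Review bot: this file now stacks two consecutive `[!IMPORTANT]` admonitions (the Q1 2023 retirement notice followed by the April 14th, 2021 free-apps-only notice); consider merging them into a single admonition, or at least placing the newer retirement notice after the older restriction, so readers see the two related changes as one timeline rather than two competing callouts.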
diff --git a/store-for-business/notifications-microsoft-store-business.md b/store-for-business/notifications-microsoft-store-business.md
index 548f8ecce0..264f2228e9 100644
--- a/store-for-business/notifications-microsoft-store-business.md
+++ b/store-for-business/notifications-microsoft-store-business.md
@@ -23,7 +23,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Microsoft Store for Business and Microsoft Store for Education use a set of notifications to alert admins if there is an issue or outage with Microsoft Store.
diff --git a/store-for-business/payment-methods.md b/store-for-business/payment-methods.md
index b0d445d780..b56a2ebe5e 100644
--- a/store-for-business/payment-methods.md
+++ b/store-for-business/payment-methods.md
@@ -17,7 +17,7 @@ manager: dansimp
# Payment methods
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
You can purchase products and services from Microsoft Store for Business using your credit card. You can enter your credit card information on **Payment methods**, or when you purchase an app. We currently accept these credit cards:
- VISA
diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md
index 59d4c2b19b..0dd6457beb 100644
--- a/store-for-business/prerequisites-microsoft-store-for-business.md
+++ b/store-for-business/prerequisites-microsoft-store-for-business.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
> [!IMPORTANT]
> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md
index 5d9ea05e6c..e1fd90b393 100644
--- a/store-for-business/release-history-microsoft-store-business-education.md
+++ b/store-for-business/release-history-microsoft-store-business-education.md
@@ -15,7 +15,7 @@ manager: dansimp
# Microsoft Store for Business and Education release history
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Microsoft Store for Business and Education regularly releases new and improved features. Here's a summary of new or updated features in previous releases.
diff --git a/store-for-business/roles-and-permissions-microsoft-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
index 6b9ac86995..1ca0ec4692 100644
--- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md
+++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
> [!IMPORTANT]
> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
diff --git a/store-for-business/settings-reference-microsoft-store-for-business.md b/store-for-business/settings-reference-microsoft-store-for-business.md
index 4a44723dd6..f29dace9ef 100644
--- a/store-for-business/settings-reference-microsoft-store-for-business.md
+++ b/store-for-business/settings-reference-microsoft-store-for-business.md
@@ -17,7 +17,7 @@ ms.date: 07/21/2021
# Settings reference: Microsoft Store for Business and Education
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
The Microsoft Store for Business and Education has a group of settings that admins use to manage the store.
diff --git a/store-for-business/sign-up-microsoft-store-for-business-overview.md b/store-for-business/sign-up-microsoft-store-for-business-overview.md
index 32cdba4b8f..4c4e855373 100644
--- a/store-for-business/sign-up-microsoft-store-for-business-overview.md
+++ b/store-for-business/sign-up-microsoft-store-for-business-overview.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
IT admins can sign up for Microsoft Store for Business and Education, and get started working with apps.
diff --git a/store-for-business/troubleshoot-microsoft-store-for-business.md b/store-for-business/troubleshoot-microsoft-store-for-business.md
index 074a34eb0f..f9154689ca 100644
--- a/store-for-business/troubleshoot-microsoft-store-for-business.md
+++ b/store-for-business/troubleshoot-microsoft-store-for-business.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Troubleshooting topics for Microsoft Store for Business.
@@ -53,7 +53,7 @@ The private store for your organization is a page in Microsoft Store app that co

-## Troubleshooting Microsoft Store for Business integration with Microsoft Endpoint Configuration Manager
+## Troubleshooting Microsoft Store for Business integration with Microsoft Configuration Manager
If you encounter any problems when integrating Microsoft Store for Business with Configuration Manager, use the [troubleshooting guide](/troubleshoot/mem/configmgr/troubleshoot-microsoft-store-for-business-integration).
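Review bot: renaming the heading in this hunk changes its generated anchor (`#troubleshooting-microsoft-store-for-business-integration-with-microsoft-endpoint-configuration-manager` becomes `...-with-microsoft-configuration-manager`), so any inbound links to the old fragment will silently land at the top of the page; search the docs set for the old anchor and update or redirect it before merging.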
diff --git a/store-for-business/update-microsoft-store-for-business-account-settings.md b/store-for-business/update-microsoft-store-for-business-account-settings.md
index b277705e60..78cd7532b8 100644
--- a/store-for-business/update-microsoft-store-for-business-account-settings.md
+++ b/store-for-business/update-microsoft-store-for-business-account-settings.md
@@ -17,7 +17,7 @@ manager: dansimp
# Update Billing account settings
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
A billing account contains defining information about your organization.
diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md
index ee29b9c93f..bc329afe4d 100644
--- a/store-for-business/whats-new-microsoft-store-business-education.md
+++ b/store-for-business/whats-new-microsoft-store-business-education.md
@@ -15,7 +15,7 @@ manager: dansimp
# What's new in Microsoft Store for Business and Education
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Microsoft Store for Business and Education regularly releases new and improved features.
diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md
index 92b489f6ab..0a71365353 100644
--- a/store-for-business/working-with-line-of-business-apps.md
+++ b/store-for-business/working-with-line-of-business-apps.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Your company or school can make line-of-business (LOB) applications available through Microsoft Store for Business or Microsoft Store for Education. These apps are custom to your school or organization – they might be internal apps, or apps specific to your school, business, or industry.
diff --git a/template.md b/template.md
index 6049d2ff6d..c9529e25a3 100644
--- a/template.md
+++ b/template.md
@@ -290,4 +290,4 @@ Always include alt text for accessibility, and always end it with a period.
## docs.ms extensions
> [!div class="nextstepaction"]
-> [Microsoft Endpoint Configuration Manager documentation](https://learn.microsoft.com/mem/configmgr)
+> [Microsoft Configuration Manager documentation](https://learn.microsoft.com/mem/configmgr)
diff --git a/windows/application-management/add-apps-and-features.md b/windows/application-management/add-apps-and-features.md
index 96f2e3ec05..2ae9fdd4fd 100644
--- a/windows/application-management/add-apps-and-features.md
+++ b/windows/application-management/add-apps-and-features.md
@@ -1,15 +1,16 @@
---
title: Add or hide optional apps and features on Windows devices | Microsoft Docs
description: Learn how to add Windows 10 and Windows 11 optional features using the Apps & features page in the Settings app. Also see the group policy objects (GPO) and MDM policies that show or hide Apps and Windows Features in the Settings app. Use Windows PowerShell to show or hide specific features in Windows Features.
-ms.prod: windows-client
author: nicholasswhite
ms.author: nwhite
manager: aaroncz
-ms.localizationpriority: medium
ms.date: 08/30/2021
-ms.reviewer:
ms.topic: article
+ms.prod: windows-client
ms.technology: itpro-apps
+ms.localizationpriority: medium
+ms.collection: tier2
+ms.reviewer:
---
# Add or hide features on the Windows client OS
diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md
index 506b43cbea..523ee3c2d8 100644
--- a/windows/application-management/apps-in-windows-10.md
+++ b/windows/application-management/apps-in-windows-10.md
@@ -1,15 +1,16 @@
---
title: Learn about the different app types in Windows 10/11 | Microsoft Docs
description: Learn more and understand the different types of apps that run on Windows 10 and Windows 11. For example, learn more about UWP, WPF, Win32, and Windows Forms apps, including the best way to install these apps.
-ms.prod: windows-client
author: nicholasswhite
ms.author: nwhite
manager: aaroncz
-ms.date: 12/07/2017
-ms.reviewer:
-ms.localizationpriority: medium
+ms.date: 02/09/2023
ms.topic: article
+ms.prod: windows-client
ms.technology: itpro-apps
+ms.localizationpriority: medium
+ms.collection: tier2
+ms.reviewer:
---
# Overview of apps on Windows client devices
diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md
index f55199f3a5..19c8ec6649 100644
--- a/windows/application-management/enterprise-background-activity-controls.md
+++ b/windows/application-management/enterprise-background-activity-controls.md
@@ -1,14 +1,16 @@
---
title: Remove background task resource restrictions
description: Allow enterprise background tasks unrestricted access to computer resources.
-ms.prod: windows-client
author: nicholasswhite
ms.author: nwhite
manager: aaroncz
ms.date: 10/03/2017
-ms.reviewer:
ms.topic: article
+ms.prod: windows-client
ms.technology: itpro-apps
+ms.localizationpriority: medium
+ms.collection: tier2
+ms.reviewer:
---
# Remove background task resource restrictions
diff --git a/windows/application-management/includes/app-v-end-life-statement.md b/windows/application-management/includes/app-v-end-life-statement.md
index 87c9ec2b04..14de444ad4 100644
--- a/windows/application-management/includes/app-v-end-life-statement.md
+++ b/windows/application-management/includes/app-v-end-life-statement.md
@@ -3,9 +3,10 @@ author: nicholasswhite
ms.author: nwhite
manager: aaroncz
ms.date: 09/20/2021
-ms.reviewer:
-ms.prod: w10
ms.topic: include
+ms.prod: w10
+ms.collection: tier1
+ms.reviewer:
---
Application Virtualization will be [end of life in April 2026](/lifecycle/announcements/mdop-extended). We recommend looking at Azure Virtual Desktop with MSIX app attach. For more information, see [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview) and [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal).
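Review bot: this include keeps `ms.prod: w10` while the sibling include in the next hunk (`applies-to-windows-client-versions.md`) switches from `w10` to `windows-client` and gains `ms.technology: itpro-apps`; since both files are being re-ordered anyway, the two should be made consistent, or the reason for keeping `w10` here stated in the commit message.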
diff --git a/windows/application-management/includes/applies-to-windows-client-versions.md b/windows/application-management/includes/applies-to-windows-client-versions.md
index b26f9904a6..13ec789f1d 100644
--- a/windows/application-management/includes/applies-to-windows-client-versions.md
+++ b/windows/application-management/includes/applies-to-windows-client-versions.md
@@ -3,9 +3,12 @@ author: nicholasswhite
ms.author: nwhite
manager: aaroncz
ms.date: 09/28/2021
-ms.reviewer:
-ms.prod: w10
ms.topic: include
+ms.prod: windows-client
+ms.technology: itpro-apps
+ms.localizationpriortiy: medium
+ms.collection: tier1
+ms.reviewer:
---
**Applies to**:
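Review bot: the added key `ms.localizationpriortiy: medium` is misspelled (`priortiy` for `priority`), so the build will treat it as an unknown key and the file will not get the intended localization priority; it should read `ms.localizationpriority: medium`, matching the spelling used in the other hunks of this patch.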
diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml
index 73c14c4195..da969d420b 100644
--- a/windows/application-management/index.yml
+++ b/windows/application-management/index.yml
@@ -6,14 +6,15 @@ summary: Learn about managing applications in Windows client, including how to r
metadata:
title: Windows application management
description: Learn about managing applications in Windows 10 and Windows 11.
- ms.topic: landing-page
- ms.prod: windows-client
- ms.collection:
- - highpri
author: nicholasswhite
ms.author: nwhite
manager: aaroncz
ms.date: 08/24/2021
+ ms.topic: landing-page
+ ms.prod: windows-client
+ ms.collection:
+ - tier1
+ - highpri
landingContent:
# Cards and links should be based on top customer tasks or top subjects
diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md
index 56381683e9..d094fba726 100644
--- a/windows/application-management/per-user-services-in-windows.md
+++ b/windows/application-management/per-user-services-in-windows.md
@@ -1,18 +1,24 @@
---
title: Per-user services in Windows 10 and Windows Server
description: Learn about per-user services, how to change the template service Startup Type, and manage per-user services through Group Policy and security templates.
-ms.prod: windows-client
author: nicholasswhite
ms.author: nwhite
manager: aaroncz
ms.date: 09/14/2017
-ms.reviewer:
+ms.topic: article
+ms.prod: windows-client
ms.technology: itpro-apps
+ms.localizationpriority: medium
+ms.collection: tier2
+ms.reviewer:
---
# Per-user services in Windows 10 and Windows Server
-> Applies to: Windows 10, Windows Server
+**Applies to**:
+
+- Windows 10
+- Windows Server
Per-user services are services that are created when a user signs into Windows or Windows Server and are stopped and deleted when that user signs out. These services run in the security context of the user account - this provides better resource management than the previous approach of running these kinds of services in Explorer, associated with a preconfigured account, or as tasks.
diff --git a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
index e9d56cf86b..5b0372ddb2 100644
--- a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
+++ b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
@@ -4,11 +4,13 @@ description: Use the Company Portal app in Windows 11 devices to access the priv
author: nicholasswhite
ms.author: nwhite
manager: aaroncz
-ms.reviewer: amanh
-ms.prod: windows-client
ms.date: 09/15/2021
-ms.localizationpriority: medium
+ms.topic: article
+ms.prod: windows-client
ms.technology: itpro-apps
+ms.localizationpriority: medium
+ms.collection: tier2
+ms.reviewer: amanh
---
# Private app repository in Windows 11
@@ -63,7 +65,7 @@ To install the Company Portal app, you have some options:
- **Use Windows Autopilot**: Windows Autopilot automatically provisions devices, registers them in your Azure AD organization (tenant), and gets them ready for production. If you're purchasing new devices, then we recommend using Windows Autopilot to preconfigure the devices, and get them ready for use.
- - In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you add the Company Portal app from the Microsoft Store. Once it's added, the app can be included in your Windows Autopilot deployment. When the device turns on and is getting ready, the Company Portal app is also installed, before users sign in.
+ - In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you add the Company Portal app from the Microsoft Store. Once it's added, the app can be included in your Windows Autopilot deployment. When the device turns on and is getting ready, the Company Portal app is also installed, before users sign in.
- When the Company Portal app is installed from the Microsoft Store app, by default, it's automatically updated. Users can also open the Microsoft Store app, go to the **Library**, and check for updates.
@@ -80,17 +82,17 @@ To install the Company Portal app, you have some options:
## Customize the Company Portal app
-Many organizations customize the Company Portal app to include their specific information. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you can customize the Company Portal app. For example, you can add a brand logo, include support information, add self-service device actions, and more.
+Many organizations customize the Company Portal app to include their specific information. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you can customize the Company Portal app. For example, you can add a brand logo, include support information, add self-service device actions, and more.
For more information, see [Configure the Intune Company Portal app](/mem/intune/apps/company-portal-app).
## Add your organization apps to the Company Portal app
-When you add an app in the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), there's a **Show this as a featured app in the Company Portal** setting. Be sure you use this setting.
+When you add an app in the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), there's a **Show this as a featured app in the Company Portal** setting. Be sure you use this setting.
On co-managed devices (Microsoft Intune + Configuration Manager together), your Configuration Manager apps can also be shown in the Company Portal app. For more information, see [Use the Company Portal app on co-managed devices](/mem/configmgr/comanage/company-portal).
-When the apps are shown, users can select and download the apps on their devices. You can add Microsoft Store apps, web apps, Microsoft 365 apps, LOB apps, Win32 apps, and sideload apps. For more information on adding apps to the Endpoint Manager admin center, see:
+When the apps are shown, users can select and download the apps on their devices. You can add Microsoft Store apps, web apps, Microsoft 365 apps, LOB apps, Win32 apps, and sideload apps. For more information on adding apps to the Intune admin center, see:
- [Add Microsoft 365 apps using Intune](/mem/intune/apps/apps-add-office365)
- [Add web apps using Intune](/mem/intune/apps/web-app)
diff --git a/windows/application-management/provisioned-apps-windows-client-os.md b/windows/application-management/provisioned-apps-windows-client-os.md
index fb6660fbcf..80dcf53c89 100644
--- a/windows/application-management/provisioned-apps-windows-client-os.md
+++ b/windows/application-management/provisioned-apps-windows-client-os.md
@@ -1,15 +1,16 @@
---
title: Get the provisioned apps on Windows client operating system | Microsoft Docs
-ms.reviewer:
+description: Use the Windows PowerShell Get-AppxProvisionedPackage command to get a list off the provisioned apps installed in Windows OS. See a list of some common provisioned apps installed a Windows Enterprise client computer or device, including Windows 10/11.
author: nicholasswhite
ms.author: nwhite
manager: aaroncz
-ms.date: 12/07/2017
-description: Use the Windows PowerShell Get-AppxProvisionedPackage command to get a list off the provisioned apps installed in Windows OS. See a list of some common provisioned apps installed a Windows Enterprise client computer or device, including Windows 10/11.
-ms.prod: windows-client
-ms.localizationpriority: medium
+ms.date: 01/12/2023
ms.topic: article
+ms.prod: windows-client
ms.technology: itpro-apps
+ms.localizationpriority: medium
+ms.collection: tier1
+ms.reviewer:
---
# Provisioned apps installed with the Windows client OS
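Review bot: the `description:` line is moved but not corrected, so it still carries two typos, "a list off the provisioned apps" (should be "a list of") and "installed a Windows Enterprise client" (should be "installed on a Windows Enterprise client"); since the line is already in the diff, fixing them here costs nothing and the description is what search engines and the docs index display.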
diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md
index 57b52fce28..195ee09977 100644
--- a/windows/application-management/remove-provisioned-apps-during-update.md
+++ b/windows/application-management/remove-provisioned-apps-during-update.md
@@ -1,17 +1,22 @@
---
title: How to keep apps removed from Windows 10 from returning during an update
description: How to keep provisioned apps that were removed from your machine from returning during an update.
-ms.prod: windows-client
author: nicholasswhite
ms.author: nwhite
manager: aaroncz
ms.date: 05/25/2018
-ms.reviewer:
+ms.topic: article
+ms.prod: windows-client
ms.technology: itpro-apps
+ms.localizationpriority: medium
+ms.collection: tier1
+ms.reviewer:
---
# How to keep apps removed from Windows 10 from returning during an update
-> Applies to: Windows 10 (General Availability Channel)
+**Applies to**:
+
+- Windows 10
When you update a computer running Windows 10, version 1703 or 1709, you might see provisioned apps that you previously removed post-update. This can happen if the computer was offline when you removed the apps. Windows 10, version 1803 has fixed this issue.
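Review bot: the `Applies to` rewrite drops the "(General Availability Channel)" qualifier that the old `> Applies to:` line carried, and ms.date stays at 05/25/2018 even though body text (not only front matter) changed in this hunk. Confirm the channel qualifier was meant to go; if it was, say so in the commit, and bump ms.date the way provisioned-apps-windows-client-os.md does in this same change.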
diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md
index f4ab632036..30203efdaf 100644
--- a/windows/application-management/sideload-apps-in-windows-10.md
+++ b/windows/application-management/sideload-apps-in-windows-10.md
@@ -1,15 +1,16 @@
---
title: Sideload LOB apps in Windows client OS | Microsoft Docs
description: Learn how to sideload line-of-business (LOB) apps in Windows client operating systems, including Windows 10/11. When you sideload an app, you deploy a signed app package to a device.
-ms.reviewer:
author: nicholasswhite
ms.author: nwhite
manager: aaroncz
ms.date: 12/07/2017
-ms.prod: windows-client
-ms.localizationpriority: medium
-ms.technology: itpro-apps
ms.topic: article
+ms.prod: windows-client
+ms.technology: itpro-apps
+ms.localizationpriority: medium
+ms.collection: tier2
+ms.reviewer:
---
# Sideload line of business (LOB) apps in Windows client devices
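Review bot: this page is tagged `ms.collection: tier2` while every other application-management page touched in this change is tagged tier1; if that is deliberate (sideloading is a narrower audience), fine, otherwise align it with its siblings.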
diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md
index 692bae2fe3..f5c9589209 100644
--- a/windows/application-management/svchost-service-refactoring.md
+++ b/windows/application-management/svchost-service-refactoring.md
@@ -1,18 +1,23 @@
---
title: Service Host service refactoring in Windows 10 version 1703
description: Learn about the SvcHost Service Refactoring introduced in Windows 10 version 1703.
-ms.prod: windows-client
author: nicholasswhite
ms.author: nwhite
manager: aaroncz
ms.date: 07/20/2017
-ms.reviewer:
+ms.topic: article
+ms.prod: windows-client
ms.technology: itpro-apps
+ms.localizationpriority: medium
+ms.colletion: tier1
+ms.reviewer:
---
# Changes to Service Host grouping in Windows 10
-> Applies to: Windows 10
+**Applies to**:
+
+- Windows 10
The **Service Host (svchost.exe)** is a shared-service process that serves as a shell for loading services from DLL files. Services are organized into related host groups, and each group runs inside a different instance of the Service Host process. In this way, a problem in one instance doesn't affect other instances. Service Host groups are determined by combining the services with matching security requirements. For example:
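Review bot: `+ms.colletion: tier1` misspells the key; it should be `ms.collection: tier1` as in the other front-matter blocks in this change. An unknown key is ignored rather than rejected by the build, so the page would silently get no collection metadata. Also, ms.date stays at 07/20/2017 although the `Applies to` body text changed in this hunk.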
diff --git a/windows/application-management/system-apps-windows-client-os.md b/windows/application-management/system-apps-windows-client-os.md
index 6cfbbac63c..efc4c311ec 100644
--- a/windows/application-management/system-apps-windows-client-os.md
+++ b/windows/application-management/system-apps-windows-client-os.md
@@ -1,15 +1,16 @@
---
title: Get the system apps on Windows client operating system | Microsoft Docs
-ms.reviewer:
+description: Use the Windows PowerShell Get-AppxPackage command to get a list off the system apps installed in Windows OS. See a list of some common system apps installed a Windows Enterprise client computer or device, including Windows 10/11.
author: nicholasswhite
ms.author: nwhite
manager: aaroncz
-ms.date: 12/07/2017
-description: Use the Windows PowerShell Get-AppxPackage command to get a list off the system apps installed in Windows OS. See a list of some common system apps installed a Windows Enterprise client computer or device, including Windows 10/11.
-ms.prod: windows-client
-ms.localizationpriority: medium
+ms.date: 2/14/2023
ms.topic: article
+ms.prod: windows-client
ms.technology: itpro-apps
+ms.localizationpriority: medium
+ms.collection: tier1
+ms.reviewer:
---
# System apps installed with the Windows client OS
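Review bot: `+ms.date: 2/14/2023` is not zero-padded, unlike `01/12/2023` in provisioned-apps-windows-client-os.md in this same change; use the MM/DD/YYYY form consistently. The moved `+description:` line also keeps "get a list off the system apps" (should be "of") and "installed a Windows Enterprise client computer" (missing "on"), so fix those while the line is being rewritten.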
diff --git a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
index af610cec3c..cc058826be 100644
--- a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
+++ b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
@@ -11,12 +11,12 @@ ms.reviewer:
manager: aaroncz
---
-# Azure AD and Microsoft Intune: Automatic MDM enrollment in the Endpoint Manager admin center
+# Azure AD and Microsoft Intune: Automatic MDM enrollment in the Intune admin center
Microsoft Intune can be accessed directly using its own admin center. For more information, go to:
-- [Tutorial: Walkthrough Intune in Microsoft Endpoint Manager admin center](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
-- Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+- [Tutorial: Walkthrough Intune in Microsoft Intune admin center](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
+- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
If you use the Azure portal, then you can access Intune using the following steps:
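Review bot: the renamed link text "Tutorial: Walkthrough Intune in Microsoft Intune admin center" now repeats "Intune"; something like "Tutorial: Walkthrough of the Microsoft Intune admin center" reads better. The href still points at `/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager`, so confirm that path is current rather than relying on a redirect if the target page was renamed as part of the same rebranding.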
diff --git a/windows/client-management/config-lock.md b/windows/client-management/config-lock.md
index 04d9be81f2..56b72cdf0a 100644
--- a/windows/client-management/config-lock.md
+++ b/windows/client-management/config-lock.md
@@ -41,7 +41,7 @@ Config lock isn't enabled by default, or turned on by the OS during boot. Rather
The steps to turn on config lock using Microsoft Intune are as follows:
1. Ensure that the device to turn on config lock is enrolled in Microsoft Intune.
-1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Configuration Profiles** > **Create a profile**.
+1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Configuration Profiles** > **Create a profile**.
1. Select the following and press **Create**:
- **Platform**: Windows 10 and later
- **Profile type**: Templates
diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md
index 2636c0f68e..46796cc58d 100644
--- a/windows/client-management/mdm/policy-csp-audit.md
+++ b/windows/client-management/mdm/policy-csp-audit.md
@@ -2774,7 +2774,7 @@ This policy setting allows you to audit events generated by attempts to access t
- If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made.
> [!NOTE]
-> Only the System Access Control List (SACL) for SAM_SERVER can be modified. Volume High on domain controllers. For information about reducing the amount of events generated in this subcategory, see [article 841001 in the Microsoft Knowledge Base](https://go.microsoft.com/fwlink/?LinkId=121698).
+> Only the System Access Control List (SACL) for SAM_SERVER can be modified. Volume High on domain controllers. For information about SACL, see [Access control lists](/windows/win32/secauthz/access-control-lists).
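Review bot: swapping the KB 841001 link for a general ACL page changes what the note tells the reader. The old sentence pointed at guidance for reducing the volume of SAM-access audit events, which is the actionable part for anyone enabling this subcategory on domain controllers; the new sentence explains what a SACL is, which the reader of an audit-policy reference already knows, and leaves the fragment "Volume High on domain controllers." with no mitigation attached. If KB 841001 is retired, either link equivalent event-volume guidance or rewrite the fragment as a complete statement such as "Expected event volume is high on domain controllers." so the note still stands on its own.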
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index d4bee876d5..e46c94e961 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -1767,7 +1767,7 @@ _**Turn syncing off by default but don’t disable**_
-Organizational messages allow Administrators to deliver messages to their end users on selected Windows 11 experiences. Organizational messages are available to Administrators via services like Microsoft Endpoint Manager. By default, this policy is disabled.
+Organizational messages allow Administrators to deliver messages to their end users on selected Windows 11 experiences. Organizational messages are available to Administrators via services like Microsoft Intune. By default, this policy is disabled.
- If you enable this policy, these experiences will show content booked by Administrators. Enabling this policy will have no impact on existing MDM policy settings governing delivery of content from Microsoft on Windows experiences.
diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md
index adb471edb7..8dab751eb2 100644
--- a/windows/client-management/quick-assist.md
+++ b/windows/client-management/quick-assist.md
@@ -122,13 +122,13 @@ For more information, visit [Install Quick Assist](https://support.microsoft.com
Before installing Quick Assist, you'll need to set up synchronization between Intune and Microsoft Store for Business. If you've already set up sync, log into [Microsoft Store for Business](https://businessstore.microsoft.com) and skip to step 5.
-1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Tenant administration** / **Connectors and tokens** / **Microsoft Store for Business** and verify that **Microsoft Store for Business sync** is set to **Enable**.
+1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Tenant administration** / **Connectors and tokens** / **Microsoft Store for Business** and verify that **Microsoft Store for Business sync** is set to **Enable**.
1. Using your Global Admin account, log into [Microsoft Store for Business](https://businessstore.microsoft.com).
1. Select **Manage** / **Settings** and turn on **Show offline apps**.
1. Choose the **Distribute** tab and verify that **Microsoft Intune** is **Active**. You may need to use the **+Add management tool** link if it's not.
1. Search for **Quick Assist** and select it from the Search results.
1. Choose the **Offline** license and select **Get the app**
-1. In the Endpoint Manager admin center, choose **Sync**.
+1. In the Intune admin center, choose **Sync**.
1. Navigate to **Apps** / **Windows** and you should see **Quick Assist (Offline)** in the list.
1. Select it to view its properties. By default, the app won't be assigned to anyone or any devices, select the **Edit** link.
1. Assign the app to the required group of devices and choose **Review + save** to complete the application install.
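Review bot: step 6 ("Choose the **Offline** license and select **Get the app**") lacks the terminal period the other steps have. Separately, step 2 tells the reader to sign in with a Global Admin account; if a narrower Store for Business role is sufficient to acquire an offline license, name that role instead, so a routine app-acquisition task does not steer admins toward their most privileged account.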
diff --git a/windows/configuration/customize-start-menu-layout-windows-11.md b/windows/configuration/customize-start-menu-layout-windows-11.md
index 0fa0a01630..7ef410564c 100644
--- a/windows/configuration/customize-start-menu-layout-windows-11.md
+++ b/windows/configuration/customize-start-menu-layout-windows-11.md
@@ -132,7 +132,7 @@ This section shows you how to create a pinned list policy in Intune. There isn't
To deploy this policy, the devices must be enrolled, and managed by your organization. For more information, see [What is device enrollment?](/mem/intune/enrollment/device-enrollment).
-1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** > **Configuration profiles** > **Create profile**.
3. Enter the following properties:
diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md
index dfcaee8191..a97023b5d9 100644
--- a/windows/configuration/customize-taskbar-windows-11.md
+++ b/windows/configuration/customize-taskbar-windows-11.md
@@ -29,7 +29,7 @@ For example, you can override the default set of apps with your own a set of pin
To add apps you want pinned to the taskbar, you use an XML file. You can use an existing XML file, or create a new file. If you have an XML file that's used on Windows 10 devices, you can also use it on Windows 11 devices. You may have to update the App IDs.
-This article shows you how to create the XML file, add apps to the XML, and deploy the XML file.
+This article shows you how to create the XML file, add apps to the XML, and deploy the XML file. To learn how to customize the taskbar buttons, see [CSP policies to customize Windows 11 taskbar buttons](supported-csp-taskbar-windows.md#csp-policies-to-customize-windows-11-taskbar-buttons).
## Before you begin
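Review bot: the new cross-link depends on the `#csp-policies-to-customize-windows-11-taskbar-buttons` fragment, which only exists once the heading added to supported-csp-taskbar-windows.md in this same change is merged; keep both files in one PR so the fragment resolves. The context line above also still reads "with your own a set of pinned apps" (stray "a"), which is worth fixing while this paragraph is open.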
@@ -170,7 +170,7 @@ MDM providers can deploy policies to devices managed by the organization, includ
Use the following steps to create an Intune policy that deploys your taskbar XML file:
-1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** > **Configuration profiles** > **Create profile**.
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
index ff5c66875f..ebd6bb9d28 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
@@ -55,7 +55,7 @@ Two features enable Start layout control:
The following example uses Microsoft Intune to configure an MDM policy that applies a customized Start layout:
-1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** > **Configuration profiles** > **Create profile**.
diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md
index 874a5657cc..7600808ed5 100644
--- a/windows/configuration/start-secondary-tiles.md
+++ b/windows/configuration/start-secondary-tiles.md
@@ -90,7 +90,7 @@ You can apply the customized Start layout with images for secondary tiles by usi
In Microsoft Intune, you create a device restrictions policy to apply to device group. For other MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`.
-1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** > **Configuration profiles** > **Create profile**.
3. Enter the following properties:
diff --git a/windows/configuration/supported-csp-taskbar-windows.md b/windows/configuration/supported-csp-taskbar-windows.md
index b51d7becb9..a24ff5885a 100644
--- a/windows/configuration/supported-csp-taskbar-windows.md
+++ b/windows/configuration/supported-csp-taskbar-windows.md
@@ -18,53 +18,65 @@ ms.topic: article
- Windows 11
-The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). In an MDM policy, these CSPs are settings that you configure. When the policy is ready, you deploy the policy to your devices.
-
-This article lists the CSPs that are available to customize the Taskbar for Windows 11 devices. Windows 11 uses the [Policy CSP - Start](/windows/client-management/mdm/policy-csp-start).
+The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). In an MDM policy, these CSPs are settings that you configure. When the policy is ready, you deploy the policy to your devices. This article lists the CSPs that are available to customize the Taskbar for Windows 11 devices.
For more general information, see [Configuration service provider (CSP) reference](/windows/client-management/mdm/configuration-service-provider-reference).
+## CSP policies to customize Windows 11 taskbar buttons
+
+- [Search/ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode)
+ - Group policy: `Computer Configuration\Administrative Templates\Windows Components\Search\Configures search on the taskbar`
+ - Local setting: Settings > Personalization > Taskbar > Search
+
+- [Start/HideTaskViewButton](/windows/client-management/mdm/policy-csp-start#hidetaskviewbutton)
+ - Group policy: `Computer and User Configuration\Administrative Templates\Start Menu and Taskbar\Hide the TaskView button`
+ - Local setting: Settings > Personalization > Taskbar > Task view
+
+- [NewsAndInterests/AllowNewsAndInterests](/windows/client-management/mdm/policy-csp-newsandinterests#allownewsandinterests)
+ - Group policy: `Computer Configuration\Administrative Templates\Windows Components\Widgets\Allow widgets`
+ - Local setting: Settings > Personalization > Taskbar > Widgets
+
+- [Experience/ConfigureChatIcon](/windows/client-management/mdm/policy-csp-experience#configurechaticonvisibilityonthetaskbar)
+ - Group policy: `Computer Configuration\Administrative Templates\Windows Components\Chat\Configure the Chat icon setting`
+ - Local setting: Settings > Personalization > Taskbar > Chat
+
## Existing CSP policies that Windows 11 taskbar supports
-- [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists)
+- [Start/HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not keep history of recently opened documents`
- Local setting: Settings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar
-- [Start/NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#start-nopinningtotaskbar)
+- [Start/NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#nopinningtotaskbar)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not allow pinning programs to the Taskbar`
- Local setting: None
-- [Experience/ConfigureChatIcon](/windows/client-management/mdm/policy-csp-experience#experience-configurechaticonvisibilityonthetaskbar)
- - Group policy: `Computer Configuration\Administrative Templates\Windows Components\Chat`
- - Local setting: Settings > Personalization > Taskbar > Chat
-
## Existing CSP policies that Windows 11 doesn't support
The following list includes some of the CSP policies that aren't supported on Windows 11:
-- [TaskbarLockAll CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarlockall)
+- [ADMX_Taskbar/TaskbarLockAll](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarlockall)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Lock all taskbar settings`
-- [TaskbarNoAddRemoveToolbar CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoaddremovetoolbar)
+- [ADMX_Taskbar/TaskbarNoAddRemoveToolbar](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnoaddremovetoolbar)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from adding or removing toolbars`
-- [TaskbarNoDragToolbar CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnodragtoolbar)
+- [ADMX_Taskbar/TaskbarNoDragToolbar](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnodragtoolbar)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from rearranging toolbars`
-- [TaskbarNoRedock CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoredock)
+- [ADMX_Taskbar/TaskbarNoRedock](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnoredock)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from moving taskbar to another screen dock location`
-- [TaskbarNoResize CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoresize)
+- [ADMX_Taskbar/TaskbarNoResize](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnoresize)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from resizing the taskbar`
-- [NoToolbarsOnTaskbar CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-notoolbarsontaskbar)
+- [ADMX_StartMenu/NoToolbarsOnTaskbar](/windows/client-management/mdm/policy-csp-admx-startmenu#notoolbarsontaskbar)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not display any custom toolbars in the taskbar`
-- [NoTaskGrouping CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-notaskgrouping)
+- [ADMX_StartMenu/NoTaskGrouping](/windows/client-management/mdm/policy-csp-admx-startmenu#notaskgrouping)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent grouping of taskbar items`
-- [HidePeopleBar CSP](/windows/client-management/mdm/policy-csp-start#start-hidepeoplebar)
- - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove the People Bar from the taskbar`
-
-- [QuickLaunchEnabled CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-quicklaunchenabled)
+- [ADMX_StartMenu/QuickLaunchEnabled](/windows/client-management/mdm/policy-csp-admx-startmenu#quicklaunchenabled)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Show QuickLaunch on Taskbar`
+
+- [Start/HidePeopleBar](/windows/client-management/mdm/policy-csp-start#hidepeoplebar)
+ - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove the People Bar from the taskbar`
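Review bot: every anchor in this hunk drops its prefix (`#start-hiderecentjumplists` becomes `#hiderecentjumplists`, `#admx-taskbar-taskbarlockall` becomes `#taskbarlockall`, and so on), which presumes the heading IDs on all of the target policy-csp pages changed the same way; run the link checker against those pages before merging rather than assuming. In the new section, the HideTaskViewButton entry gives the path as `Computer and User Configuration\Administrative Templates\...`, which is not a real policy-tree root; the other entries name a single root, so either list the path under each root or say the policy exists under both Computer Configuration and User Configuration.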
diff --git a/windows/configuration/windows-accessibility-for-ITPros.md b/windows/configuration/windows-accessibility-for-ITPros.md
index 528e7fcbba..1c23a9707e 100644
--- a/windows/configuration/windows-accessibility-for-ITPros.md
+++ b/windows/configuration/windows-accessibility-for-ITPros.md
@@ -8,7 +8,6 @@ author: lizgt2000
ms.reviewer:
manager: aaroncz
ms.localizationpriority: medium
-ms.date: 09/20/2022
ms.topic: conceptual
ms.collection: tier1
appliesto:
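Review bot: `ms.date` is deleted outright here rather than updated, while the other pages in this change keep or bump theirs. If the intent is to let the build stamp the page date, fine; otherwise a page that gains new content in the next hunk (the braille bullet) should carry a current date.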
@@ -60,7 +59,9 @@ Windows 11, version 22H2, includes improvements for people with disabilities: sy
- [Keep notifications around longer](https://support.microsoft.com/windows/make-windows-easier-to-hear-9c18cfdc-63be-2d47-0f4f-5b00facfd2e1). If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes.
-- [Read in Braille](https://support.microsoft.com/windows/chapter-8-using-narrator-with-braille-3e5f065b-1c9d-6eb2-ec6d-1d07c9e94b20). Narrator supports braille displays from more than 35 manufacturers using more than 40 languages and multiple braille variants.
+- [Read in braille](https://support.microsoft.com/windows/chapter-8-using-narrator-with-braille-3e5f065b-1c9d-6eb2-ec6d-1d07c9e94b20). Narrator supports braille displays from more than 35 manufacturers using more than 40 languages and multiple braille variants.
+
+- Starting in Windows 11, version 22H2 with [KB5022913](https://support.microsoft.com/kb/5022913), the compatibility of braille displays has been expanded. Braille displays work seamlessly and reliably across multiple screen readers, improving the end user experience.
## Hearing
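Review bot: the new bullet breaks the list's pattern. Every other item opens with a linked feature name followed by a description, whereas this one is an unlinked sentence in release-note register ("work seamlessly and reliably"). Fold it into the preceding "Read in braille" item as a second sentence, keeping the KB5022913 link, for example: "Starting in Windows 11, version 22H2 with KB5022913, braille displays work across multiple screen readers."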
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index 084263aadb..4fc092c907 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -35,7 +35,7 @@
- name: Plan
items:
- name: Plan for Windows 11
- href: /windows/whats-new/windows-11-plan
+ href: /windows/whats-new/windows-11-plan?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
- name: Create a deployment plan
href: update/create-deployment-plan.md
- name: Define readiness criteria
@@ -72,7 +72,7 @@
- name: Prepare
items:
- name: Prepare for Windows 11
- href: /windows/whats-new/windows-11-prepare
+ href: /windows/whats-new/windows-11-prepare?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
- name: Prepare to deploy Windows client updates
href: update/prepare-deploy-windows.md
- name: Evaluate and update infrastructure
@@ -334,6 +334,8 @@
href: update/windows-update-overview.md
- name: Servicing stack updates
href: update/servicing-stack-updates.md
+ - name: Update CSP policies
+ href: /windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
- name: Additional Windows Update settings
href: update/waas-wu-settings.md
- name: Delivery Optimization reference
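Review bot: the new TOC node is named "Update CSP policies", while elsewhere in this change the same family of pages is referred to by the pattern "Policy CSP - Start" (see the removed line in supported-csp-taskbar-windows.md); consider "Policy CSP - Update" so the TOC label matches how the target page is titled and how sibling CSP pages are named.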
diff --git a/windows/deployment/breadcrumb/toc.yml b/windows/deployment/breadcrumb/toc.yml
index bbaa26132d..c7cea673bd 100644
--- a/windows/deployment/breadcrumb/toc.yml
+++ b/windows/deployment/breadcrumb/toc.yml
@@ -34,4 +34,15 @@ items:
- name: Deployment
tocHref: /mem/intune/protect/
topicHref: /windows/deployment/
-
+
+- name: Learn
+ tocHref: /
+ topicHref: /
+ items:
+ - name: Windows
+ tocHref: /windows/
+ topicHref: /windows/resources/
+ items:
+ - name: Deployment
+ tocHref: /windows/client-management/mdm
+ topicHref: /windows/deployment/
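Review bot: the new breadcrumb node maps `tocHref: /windows/client-management/mdm` (no trailing slash, unlike `/mem/intune/protect/` above) to the Deployment landing page. With prefix matching, any MDM reference page rendered with this breadcrumb file will show "Deployment" as its parent, which is what the `bc=` query strings added to TOC.yml want for policy-csp-update but is broader than that one page; add the trailing slash for consistency and confirm no other TOC points at this breadcrumb file. The `-`/`+` pair on the blank line just above appears to be a whitespace-only change and could be dropped from the diff.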
diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md
index c76958e4f8..7ee6413a64 100644
--- a/windows/deployment/do/waas-delivery-optimization-reference.md
+++ b/windows/deployment/do/waas-delivery-optimization-reference.md
@@ -124,11 +124,11 @@ Download mode dictates which download sources clients are allowed to use when do
| Download mode option | Functionality when set |
| --- | --- |
-| HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content over HTTP from the download's original source. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. |
+| HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content over HTTP from the download's original source or a Microsoft Connected Cache server. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. |
| LAN (**1 – Default**) | This default operating mode for Delivery Optimization enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then try to connect to other peers on the same network by using their private subnet IP.|
| Group (2) | When group mode is set, the group is automatically selected based on the device's Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. |
| Internet (3) | Enable Internet peer sources for Delivery Optimization. |
-| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. |
+| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable, or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience over HTTP from the download's original source or a Microsoft Connected Cache server, with no peer-to-peer caching. |
| Bypass (100) | This option is deprecated starting in Windows 11. If you want to disable peer-to-peer functionality, it's best to set DownloadMode to (0). If your device doesn’t have internet access, set Download Mode to (99). Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You don't need to set this option if you're using Configuration Manager. |
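Review bot: both edited rows keep the phrase "for a peerless reliable and efficient download experience", where "peerless" is ambiguous (intended as "without peers", but it reads as "unmatched"); with Connected Cache now listed as a source, say "for a reliable and efficient download experience without peer sources". The Simple (99) row also now states that content can come from a Microsoft Connected Cache server in the same sentence that says Delivery Optimization cloud services are disabled completely; confirm that cache-server selection works in this mode without the cloud service, and if it requires a locally configured cache host, say so, since readers will use this row to reason about offline environments.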
> [!NOTE]
@@ -248,7 +248,7 @@ Starting in Windows 10, version 1903, set this policy to delay the fallback from
### Minimum Background QoS
-This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from HTTP sources . The lower this value is, the more content will be sourced using peers on the network rather than HTTP sources. The higher this value, the more content is received from HTTP sources, versus peers on the local network. **The default value is 2500 KB/s.**
+This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from HTTP sources. The lower this value is, the more content will be sourced using peers on the network rather than HTTP sources. The higher this value, the more content is received from HTTP sources, versus peers on the local network. **The default value is 2500 KB/s.**
### Modify Cache Drive
diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md
index bc649af09d..0f0a693609 100644
--- a/windows/deployment/update/create-deployment-plan.md
+++ b/windows/deployment/update/create-deployment-plan.md
@@ -110,32 +110,3 @@ During the broad deployment phase, you should focus on the following activities:
- Deploy to all devices in the organization.
- Work through any final unusual issues that weren't detected in your Limited ring.
-
-
-## Ring deployment planning
-
-Previously, we have provided methods for analyzing your deployments, but these have been standalone tools to assess, manage and execute deployments. In other words, you would generate an analysis, make a deployment strategy, and then move to your console for implementation, repeating these steps for each deployment. We've combined many of these tasks, and more, into a single interface with Desktop Analytics.
-
-
-[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) is a cloud-based service and a key tool in [Configuration Manager](/mem/configmgr/core/understand/microsoft-endpoint-manager-faq). Using artificial intelligence and machine learning, Desktop Analytics is a powerful tool to give you insights and intelligence to
-make informed decisions about the readiness of your Windows devices.
-
-In Windows client deployments, we have seen compatibility issues on < 0.5% of apps when using Desktop Analytics. Using Desktop Analytics with Configuration Manager can help you assess app compatibility with the latest
-feature update. You can create groups that represent the broadest number of hardware and software configurations on the smallest set of devices across your organization. In addition, Desktop Analytics can provide you with a device and software inventory and identify issues, giving you data that equate to actionable decisions.
-
-> [!IMPORTANT]
-> Desktop Analytics does not support preview (Windows Insider) builds; use Configuration Manager to deploy to your Preview ring. As noted previously, the Preview ring is a small group of devices represents your ecosystem very well in terms of app, driver, and hardware diversity.
-
-### Deployment plan options
-
-There are two ways to implement a ring deployment plan, depending on how you manage your devices:
-
-- If you're using Configuration Manager: Desktop Analytics provides end-to-end deployment plan integration so that you can also kick off phased deployments within a ring. Learn more about [deployment plans in Desktop Analytics](/mem/configmgr/desktop-analytics/about-deployment-plans).
-- If you're using Microsoft Intune, see [Create deployment plans directly in Intune](/mem/intune/fundamentals/planning-guide).
-
-For more about Desktop Analytics, see these articles:
-
-- [How to set up Desktop Analytics](/mem/configmgr/desktop-analytics/set-up)
-- [Tutorial: Deploy Windows 10 to Pilot](/mem/configmgr/desktop-analytics/tutorial-windows10)
-- [Desktop Analytics documentation](/mem/configmgr/desktop-analytics/overview)
-- [Intune deployment planning, design, and implementation guide](/mem/intune/fundamentals/planning-guide)
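Review bot: the deletion removes more than the retired Desktop Analytics content. The "Deployment plan options" bullet for Intune (`/mem/intune/fundamentals/planning-guide`) and the matching entry in the reading list do not depend on Desktop Analytics, yet they go with it, leaving the article with no pointer for how to implement ring deployment plans at all. Suggest keeping a short "Ring deployment planning" subsection that retains the Intune bullet and link and removes only the Desktop Analytics and Configuration Manager integration paragraphs and the `[!IMPORTANT]` note.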
diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md
index 4d7cf5c662..b25c48f947 100644
--- a/windows/deployment/update/plan-determine-app-readiness.md
+++ b/windows/deployment/update/plan-determine-app-readiness.md
@@ -63,15 +63,3 @@ There is more than one way to choose devices for app validation:
- **Existing pilot devices**: You might already have a list of devices that you regularly use for testing updates as part of release cycles.
- **Manual selection**: Some internal groups like operations will have expertise to help choose devices manually based on specifications, usage, or records of past support problems.
- **Data-driven analysis**: With appropriate tools, you can use diagnostic data from devices to inform your choices.
-
-
-### Desktop Analytics
-
-Desktop Analytics can make all of the tasks discussed in this article significantly easier:
-
-- Creating and maintaining an application and device inventory
-- Assign owners to applications for testing
-- Automatically apply your app classifications (critical, important, not important)
-- Automatically identify application compatibility risks and provide recommendations for reducing those risks
-
-For more information, see [What is Desktop Analytics?](/mem/configmgr/desktop-analytics/overview)
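Review bot: with the "Desktop Analytics" subsection removed, the preceding "Data-driven analysis" bullet now refers to "appropriate tools" without naming one, and the reader who follows it finds nothing. Either point the bullet at a supported successor in this documentation set or reword it so it does not imply that a tool recommendation follows.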
diff --git a/windows/deployment/update/prepare-deploy-windows.md b/windows/deployment/update/prepare-deploy-windows.md
index 7d787fbeda..a6c241bac8 100644
--- a/windows/deployment/update/prepare-deploy-windows.md
+++ b/windows/deployment/update/prepare-deploy-windows.md
@@ -97,7 +97,7 @@ Enable update services on devices. Ensure that every device is running all the s
- Windows Update
- Windows Update Medic Service
-You can check these services manually by using Services.msc, or by using PowerShell scripts, Desktop Analytics, or other methods.
+You can check these services manually by using Services.msc, or by using PowerShell scripts, or other methods.
### Network configuration
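Review bot: the rewritten sentence keeps a comma that now reads oddly: "or by using PowerShell scripts, or other methods". Suggest "You can check these services manually by using Services.msc, or by using PowerShell scripts or other methods."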
@@ -125,7 +125,7 @@ Set up [Delivery Optimization](../do/waas-delivery-optimization.md) for peer net
### Address unhealthy devices
-In the course of surveying your device population, either with Desktop Analytics or by some other means, you might find devices that have systemic problems that could interfere with update installation. Now is the time to fix those problems.
+In the course of surveying your device population, you might find devices that have systemic problems that could interfere with update installation. Now is the time to fix those problems.
- **Low disk space:** Quality updates require a minimum of 2 GB to successfully install. Feature updates require between 8 GB and 15 GB depending upon the configuration. On Windows 10, version 1903 and later (and Windows 11) you can proactively use the "reserved storage" feature (for wipe and loads, rebuilds, and new builds) to avoid running out of disk space. If you find a group of devices that don't have enough disk space, you can often resolve the problem by cleaning up log files and asking users to clean up data if necessary. A good place to start is to delete the following files:
@@ -160,7 +160,7 @@ You can also create and run scripts to perform additional cleanup actions on dev
net start msiserver
```
-- **Application and driver updates:** Out-of-date app or driver software can prevent devices from updating successfully. Desktop Analytics will help you identify drivers and applications that need attention. You can also check for known issues in order to take any appropriate action. Deploy any updates from the vendor(s) for any problematic application or driver versions to resolve issues.
+- **Application and driver updates:** Out-of-date app or driver software can prevent devices from updating successfully. Deploy any updates from the vendor(s) for any problematic application or driver versions to resolve issues.
- **Corruption:** In rare circumstances, a device that has repeated installation errors might be corrupted in a way that prevents the system from applying a new update. You might have to repair the Component-Based Store from another source. You can fix the problem with the [System File Checker](https://support.microsoft.com/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system).
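Review bot: this edit drops "You can also check for known issues in order to take any appropriate action" together with the Desktop Analytics sentence, but that advice is not tied to the retired service and is the only hint in the bullet to consult known-issue information before deploying vendor updates. Suggest keeping it: "Out-of-date app or driver software can prevent devices from updating successfully. Check for known issues so you can take any appropriate action, and deploy any updates from the vendor(s) for any problematic application or driver versions to resolve issues."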
diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md
index 14c94f5341..aab7607865 100644
--- a/windows/deployment/update/update-compliance-configuration-mem.md
+++ b/windows/deployment/update/update-compliance-configuration-mem.md
@@ -33,7 +33,7 @@ This article is specifically targeted at configuring devices enrolled to [Micros
Take the following steps to create a configuration profile that will set required policies for Update Compliance:
-1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices/Windows/Configuration profiles**.
+1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices/Windows/Configuration profiles**.
1. On the **Configuration profiles** view, select **Create a profile**.
1. Select **Platform**="Windows 10 and later" and **Profile type**="Templates".
1. For **Template name**, select **Custom**, and then press **Create**.
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index 693f8b440d..459f00de98 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -56,7 +56,6 @@ Update Compliance is offered as an Azure Marketplace application that is linked
1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/). The solution was published by Microsoft and named **WaaSUpdateInsights**.
2. Select **Get it now**.
3. Choose an existing or configure a new Log Analytics Workspace, ensuring it is in a **Compatible Log Analytics region** from the following table. Although an Azure subscription is required, you won't be charged for ingestion of Update Compliance data.
- - [Desktop Analytics](/sccm/desktop-analytics/overview) users should use the same workspace for Update Compliance.
- [Azure Update Management](/azure/automation/automation-intro#update-management) users should use the same workspace for Update Compliance.
4. After your workspace is configured and selected, select **Create**. You'll receive a notification when the solution has been successfully created.
@@ -125,9 +124,5 @@ Once you've added Update Compliance to a workspace in your Azure subscription, y
After you configure devices, diagnostic data they send will begin to be associated with your Azure AD organization ("tenant"). However, enrolling to Update Compliance doesn't influence the rate at which required data is uploaded from devices. Device connectivity to the internet and generally how active the device is highly influences how long it will take before the device appears in Update Compliance. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available.
-### Update Compliance and Desktop Analytics
-
-If you use or plan to use [Desktop Analytics](/mem/configmgr/desktop-analytics/overview), you must use the same Log Analytics workspace for both solutions.
-
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index a3f6cdf2a8..5de1f980ef 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -8,7 +8,7 @@ ms.localizationpriority: medium
ms.author: mstewart
ms.topic: article
ms.technology: itpro-updates
-ms.date: 12/31/2017
+ms.date: 02/28/2023
---
# Configure Windows Update for Business
@@ -27,7 +27,7 @@ ms.date: 12/31/2017
> [!NOTE]
> Windows Server _doesn't_ get feature updates from Windows Update, so only the quality update policies apply. This behavior doesn't apply to [Azure Stack hyperconverged infrastructure (HCI)](/azure-stack/hci/).
-You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and later, including Windows 11. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
+You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this article provide the Group Policy and MDM policies for Windows 10, version 1511 and later, including Windows 11. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
> [!IMPORTANT]
> Beginning with Windows 10, version 1903, organizations can use Windows Update for Business policies, regardless of the diagnostic data level chosen. If the diagnostic data level is set to **0 (Security)**, Windows Update for Business policies will still be honored. For instructions, see [Configure the operating system diagnostic data level](/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels).
@@ -35,7 +35,7 @@ You can use Group Policy or your mobile device management (MDM) service to confi
## Start by grouping devices
-By grouping devices with similar deferral periods, administrators are able to cluster devices into deployment or validation groups which can be as a quality control measure as updates are deployed. With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality, prior to a broader roll-out to their organization.
+By grouping devices with similar deferral periods, administrators are able to cluster devices into deployment or validation groups, which can be as a quality control measure as updates are deployed. With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality, prior to a broader roll-out to their organization.
>[!TIP]
>In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsoft’s design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/).
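Review bot: the added comma does not fix the grammatical gap in the same sentence; "which can be as a quality control measure" is missing a verb. Suggest "which can be used as a quality control measure as updates are deployed".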
@@ -68,7 +68,7 @@ Starting with Windows 10, version 1703, users can configure the branch readiness
After you configure the servicing branch (Windows Insider Preview or General Availability Channel), you can then define if, and for how long, you would like to defer receiving feature updates following their availability from Microsoft on Windows Update. You can defer receiving these feature updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value.
-For example, a device on the General Availability Channel with `DeferFeatureUpdatesPeriodinDays=30` will not install a feature update that is first publicly available on Windows Update in September until 30 days later, in October.
+For example, a device on the General Availability Channel with `DeferFeatureUpdatesPeriodinDays=30` won't install a feature update that is first publicly available on Windows Update in September until 30 days later, in October.
@@ -86,7 +86,7 @@ For example, a device on the General Availability Channel with `DeferFeatureUpda
## Pause feature updates
-You can also pause a device from receiving feature updates by a period of up to 35 days from when the value is set. After 35 days has passed, the pause setting will automatically expire and the device will scan Windows Update for applicable feature updates. Following this scan, you can then pause feature updates for the device again.
+You can also pause a device from receiving feature updates by a period of up to 35 days from when the value is set. After 35 days have passed, the pause setting will automatically expire and the device will scan Windows Update for applicable feature updates. Following this scan, you can then pause feature updates for the device again.
Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date.
@@ -107,7 +107,7 @@ In cases where the pause policy is first applied after the configured start date
You can check the date that feature updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
-The local group policy editor (GPEdit.msc) will not reflect whether the feature update pause period has expired. Although the device will resume feature updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking feature updates, check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values:
+The local group policy editor (GPEdit.msc) won't reflect whether the feature update pause period has expired. Although the device will resume feature updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking feature updates, check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values:
| Value | Status|
| --- | --- |
@@ -119,7 +119,7 @@ The local group policy editor (GPEdit.msc) will not reflect whether the feature
>If not configured by policy, individual users can pause feature updates by using **Settings > Update & security > Windows Update > Advanced options**.
Starting with Windows 10, version 1703, using Settings to control the pause behavior provides a more consistent experience, specifically:
-- Any active restart notification are cleared or closed.
+- Any active restart notifications are cleared or closed.
- Any pending restarts are canceled.
- Any pending update installations are canceled.
- Any update installation running when pause is activated will attempt to roll back.
@@ -164,7 +164,7 @@ In cases where the pause policy is first applied after the configured start date
You can check the date that quality updates were paused by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
-The local group policy editor (GPEdit.msc) will not reflect whether the quality update pause period has expired. Although the device will resume quality updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking quality Updates, check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values:
+The local group policy editor (GPEdit.msc) won't reflect whether the quality update pause period has expired. Although the device will resume quality updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking quality Updates, check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values:
| Value | Status|
| --- | --- |
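Review bot: while this line is being touched, "resumed taking quality Updates" should be lowercase "quality updates", matching the rest of the article and the parallel feature-updates paragraph above.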
@@ -176,10 +176,10 @@ The local group policy editor (GPEdit.msc) will not reflect whether the quality
>If not configured by policy, individual users can pause quality updates by using **Settings > Update & security > Windows Update > Advanced options**.
Starting with Windows 10, version 1703, using Settings to control the pause behavior provides a more consistent experience, specifically:
-- Any active restart notification are cleared or closed
+- Any active restart notifications are cleared or closed
- Any pending restarts are canceled
- Any pending update installations are canceled
-- Any update installation running when pause is activated will attempt to rollback
+- Any update installation running when pause is activated will attempt to roll back
## Configure when devices receive Windows Insider Preview builds
@@ -201,7 +201,7 @@ The policy settings to **Select when feature updates are received** allows you t
## Exclude drivers from quality updates
-Starting with Windows 10, version 1607, you can selectively opt out of receiving driver update packages as part of your normal quality update cycle. This policy will not apply to updates to drivers provided with the operating system (which will be packaged within a security or critical update) or to feature updates, where drivers might be dynamically installed to ensure the feature update process can complete.
+Starting with Windows 10, version 1607, you can selectively opt out of receiving driver update packages as part of your normal quality update cycle. This policy won't apply to updates to drivers provided with the operating system (which will be packaged within a security or critical update) or to feature updates, where drivers might be dynamically installed to ensure the feature update process can complete.
**Policy settings to exclude drivers**
@@ -210,6 +210,21 @@ Starting with Windows 10, version 1607, you can selectively opt out of receiving
| GPO for Windows 10, version 1607 or later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
| MDM for Windows 10, version 1607 and later: ../Vendor/MSFT/Policy/Config/Update/**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
+## Enable features introduced via servicing that are off by default
+
+
+New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features are temporarily turned off by default. Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly.
+
+The features that are turned off by default from servicing updates will be enabled in the next annual feature update. Organizations can choose to deploy feature updates at their own pace, to delay these features until they're ready for them.
+
+**Policy settings to enable features introduced via servicing that are off by default**
+
+| Policy | Sets registry key under HKLM\Software |
+| --- | --- |
+| GPO for Windows 11, version 22H2 and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience > **Enable features introduced via servicing that are off by default**| \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
+| MDM for Windows 11, version 22H2 and later: ../Vendor/MSFT/Policy/Config/Update/**[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)** | \Microsoft\PolicyManager\default\Update\AllowTemporaryEnterpriseFeatureControl |
+
+
## Summary: MDM and Group Policy settings for Windows 10, version 1703 and later
The following are quick-reference tables of the supported policy values for Windows Update for Business in Windows 10, version 1607 and later.
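Review bot: the GPO row of the new "Policy settings to enable features introduced via servicing that are off by default" table points at the wrong registry value. It lists `\Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate`, which is the driver-exclusion key copied from the table immediately above, while the MDM row in the same table and the GPO summary row added later in this patch both name the value `AllowTemporaryEnterpriseFeatureControl`. An administrator auditing the policy through the registry would check the wrong value, so the row should read `\Policies\Microsoft\Windows\WindowsUpdate\AllowTemporaryEnterpriseFeatureControl`. Also trim the doubled blank lines after the new heading and after the table; the rest of the file uses a single blank line.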
@@ -218,26 +233,28 @@ The following are quick-reference tables of the supported policy values for Wind
| GPO Key | Key type | Value |
| --- | --- | --- |
-| BranchReadinessLevel | REG_DWORD | 2: systems take feature updates for the Windows Insider build - Fast (added in Windows 10, version 1709) 4: systems take feature updates for the Windows Insider build - Slow (added in Windows 10, version 1709) 8: systems take feature updates for the Release Windows Insider build (added in Windows 10, version 1709)Other value or absent: receive all applicable updates |
-| DeferQualityUpdates | REG_DWORD | 1: defer quality updatesOther value or absent: don’t defer quality updates |
-| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days |
-| PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updatesOther value or absent: don’t pause quality updates |
-|DeferFeatureUpdates | REG_DWORD | 1: defer feature updatesOther value or absent: don’t defer feature updates |
-| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days |
-| PauseFeatureUpdatesStartTime | REG_DWORD |1: pause feature updatesOther value or absent: don’t pause feature updates |
-| ExcludeWUDriversInQualityUpdate | REG_DWORD | 1: exclude Windows Update driversOther value or absent: offer Windows Update drivers |
+| AllowTemporaryEnterpriseFeatureControl *Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled. Other value or absent: Features that are shipped turned off by default will remain off |
+| BranchReadinessLevel | REG_DWORD | 2: Systems take feature updates for the Windows Insider build - Fast 4: Systems take feature updates for the Windows Insider build - Slow 8: Systems take feature updates for the Release Windows Insider build Other value or absent: Receive all applicable updates |
+| DeferFeatureUpdates | REG_DWORD | 1: Defer feature updatesOther value or absent: Don't defer feature updates |
+| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: Defer feature updates by given days |
+| DeferQualityUpdates | REG_DWORD | 1: Defer quality updatesOther value or absent: Don't defer quality updates |
+| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: Defer quality updates by given days |
+| ExcludeWUDriversInQualityUpdate | REG_DWORD | 1: Exclude Windows Update driversOther value or absent: Offer Windows Update drivers |
+| PauseFeatureUpdatesStartTime | REG_DWORD |1: Pause feature updatesOther value or absent: Don't pause feature updates |
+| PauseQualityUpdatesStartTime | REG_DWORD | 1: Pause quality updatesOther value or absent: Don't pause quality updates |
**MDM: HKEY_LOCAL_MACHINE\Software\Microsoft\PolicyManager\default\Update**
| MDM Key | Key type | Value |
| --- | --- | --- |
-| BranchReadinessLevel | REG_DWORD |2: systems take feature updates for the Windows Insider build - Fast (added in Windows 10, version 1709) 4: systems take feature updates for the Windows Insider build - Slow (added in Windows 10, version 1709) 8: systems take feature updates for the Release Windows Insider build (added in Windows 10, version 1709) 32: systems take feature updates from General Availability Channel Note: Other value or absent: receive all applicable updates |
-| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days |
-| PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updatesOther value or absent: don’t pause quality updates |
-| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days |
-| PauseFeatureUpdatesStartTime | REG_DWORD | 1: pause feature updatesOther value or absent: don’t pause feature updates |
-| ExcludeWUDriversinQualityUpdate | REG_DWORD | 1: exclude Windows Update driversOther value or absent: offer Windows Update drivers |
+| AllowTemporaryEnterpriseFeatureControl *Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled. Other value or absent: Features that are shipped turned off by default will remain off |
+| BranchReadinessLevel | REG_DWORD |2: Systems take feature updates for the Windows Insider build - Fast 4: Systems take feature updates for the Windows Insider build - Slow 8: Systems take feature updates for the Release Windows Insider build 32: Systems take feature updates from General Availability Channel Note: Other value or absent: Receive all applicable updates |
+| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: Defer feature updates by given days |
+| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: Defer quality updates by given days |
+| ExcludeWUDriversinQualityUpdate | REG_DWORD | 1: Exclude Windows Update driversOther value or absent: Offer Windows Update drivers |
+| PauseFeatureUpdatesStartTime | REG_DWORD | 1: Pause feature updatesOther value or absent: Don't pause feature updates |
+| PauseQualityUpdatesStartTime | REG_DWORD | 1: Pause quality updatesOther value or absent: Don't pause quality updates |
## Update devices to newer versions
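Review bot: the reordered rows in both summary tables still carry values run together where a line break was lost, for example `1: Defer feature updatesOther value or absent: Don't defer feature updates` and `2: Systems take feature updates for the Windows Insider build - Fast 4: Systems take feature updates ...`, while the two new `AllowTemporaryEnterpriseFeatureControl` rows separate their values with a space. Since every row is being rewritten anyway, insert a `<br>` (or the separator this doc set uses) between each value/description pair so the rendered cells are readable, and drop the dangling `Note:` in the MDM `BranchReadinessLevel` row. The surrounding context also disagrees with itself: the heading says "Windows 10, version 1703 and later" while the sentence under it says "version 1607 and later"; pick one.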
@@ -245,7 +262,7 @@ Due to the changes in Windows Update for Business, Windows 10, version 1607 uses
### How older version policies are respected on newer versions
-When a device running a newer version sees an update available on Windows Update, the device first evaluates and executes the Windows Updates for Business policy keys for its current (newer) version. If these are not present, it then checks whether any of the older version keys are set and defer accordingly. Update keys for newer versions will always supersede the older equivalent.
+When a device running a newer version sees an update available on Windows Update, the device first evaluates and executes the Windows Updates for Business policy keys for its current (newer) version. If these aren't present, it then checks whether any of the older version keys are set and defer accordingly. Update keys for newer versions will always supersede the older equivalent.
### Comparing keys in Windows 10, version 1607 to Windows 10, version 1703
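Review bot: the rewritten sentence still has a subject-verb mismatch: "checks whether any of the older version keys are set and defer accordingly" should read "and defers accordingly".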
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index dd9bc872b4..b1c57166c3 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -41,11 +41,7 @@ Deploying Windows 10 and Windows 11 is simpler than with previous versions of Wi
### Application compatibility
-Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. Application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously over older versions of Windows.
-
-
-For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. Desktop Analytics is a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows endpoints, including assessment of your existing applications. For more, see [Ready for modern desktop retirement FAQ](/mem/configmgr/desktop-analytics/ready-for-windows).
-
+Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. Application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously over older versions of Windows. For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds.
## Servicing
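Review bot: merging the two paragraphs also drops "For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing", which is not Desktop Analytics content and is the practice the deployment-ring guidance elsewhere in this set relies on. Suggest keeping that sentence after the business-critical sentence and removing only the Desktop Analytics description and the retirement-FAQ link.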
diff --git a/windows/deployment/update/waas-wufb-csp-mdm.md b/windows/deployment/update/waas-wufb-csp-mdm.md
index 1d1bbb1115..fbbb54d9b6 100644
--- a/windows/deployment/update/waas-wufb-csp-mdm.md
+++ b/windows/deployment/update/waas-wufb-csp-mdm.md
@@ -1,6 +1,6 @@
---
title: Configure Windows Update for Business by using CSPs and MDM
-description: Walk-through demonstration of how to configure Windows Update for Business settings using Configuration Service Providers and MDM.
+description: Walk through demonstration of how to configure Windows Update for Business settings using Configuration Service Providers and MDM.
ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
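Review bot: changing "Walk-through demonstration" to "Walk through demonstration" introduces an error rather than fixing one; used as a modifier the term needs the hyphen, or, to match the H1 "Walkthrough:" later in this file, it should be spelled "Walkthrough demonstration".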
@@ -8,7 +8,7 @@ ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
-ms.date: 12/31/2017
+ms.date: 02/28/2023
---
# Walkthrough: Use CSPs and MDMs to configure Windows Update for Business
@@ -16,8 +16,8 @@ ms.date: 12/31/2017
**Applies to**
-- Windows 10
-- Windows 11
+- Windows 10
+- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
@@ -42,9 +42,9 @@ You can control when updates are applied, for example by deferring when an updat
Both feature and quality updates are automatically offered to devices that are connected to Windows Update using Windows Update for Business policies. However, you can choose whether you want the devices to additionally receive other Microsoft Updates or drivers that are applicable to that device.
-To enable Microsoft Updates use [Update/AllwMUUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowmuupdateservice).
+To enable Microsoft Updates, use [Update/AllwMUUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowmuupdateservice).
-Drivers are automatically enabled because they are beneficial to device systems. We recommend that you allow the driver policy to allow drivers to updated on devices (the default), but you can turn this setting off if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use Update/[ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-csp-update#update-excludewudriversinqualityupdate).
+Drivers are automatically enabled because they're beneficial to device systems. We recommend that you allow the driver policy to allow drivers to be updated on devices (the default), but you can turn off this setting if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use Update/[ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-csp-update#update-excludewudriversinqualityupdate).
We also recommend that you allow Microsoft product updates as discussed previously.
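Review bot: the link text `Update/AllwMUUpdateService` on the edited line is still misspelled (the "o" is missing); the anchor itself is `#update-allowmuupdateservice`, so the visible policy name should read `Update/AllowMUUpdateService`. Since this line is already being touched for the comma, fix the name in the same change. On the following edited line the driver policy is written `Update/[ExcludeWUDriversInQualityUpdate](...)` with only the second half linked; for consistency with the other policy references in this file, put the whole `Update/ExcludeWUDriversInQualityUpdate` inside the link text.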
@@ -52,17 +52,17 @@ Drivers are automatically enabled because they are beneficial to device systems.
#### I want to receive pre-release versions of the next feature update
-1. Ensure that you are enrolled in the Windows Insider Program for Business. This is a completely free program available to commercial customers to aid them in their validation of feature updates before they are released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates.
+1. Ensure that you're enrolled in the Windows Insider Program for Business. This is a free program available to commercial customers to aid them in their validation of feature updates before they're released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates.
1. For any of test devices you want to install pre-release builds, use [Update/ManagePreviewBuilds](/windows/client-management/mdm/policy-csp-update#update-managepreviewbuilds). Set this to **Enable preview builds**.
1. Use [Update/BranchReadinessLevel](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) and select one of the preview Builds. Windows Insider Program Slow is the recommended channel for commercial customers who are using pre-release builds for validation.
-1. Additionally, you can defer pre-release feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays). If you are testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. This ensures that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests.
+1. Additionally, you can defer pre-release feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays). If you're testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. This ensures that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests.
#### I want to manage which released feature update my devices receive
-A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you will not receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify.
+A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you won't receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify.
- To defer a feature update: [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays)
- To pause a feature update: [Update/PauseFeatureUpdatesStartTime](/windows/client-management/mdm/policy-csp-update#update-pausefeatureupdatesstarttime)
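Review bot: the last sentence of the rewritten deferral step still ends "before it reaches your tests"; from the surrounding text ("rolling out to your group of testers") this should be "testers". The unchanged step 2 in the same list, "For any of test devices you want to install pre-release builds", would also read better as "For any test devices on which you want to install pre-release builds"; worth fixing while this list is being edited.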
@@ -99,7 +99,7 @@ At this point, the IT administrator can set a policy to pause the update. In thi

-Now all devices are paused from updating for 35 days. When the pause is removed, they will be offered the *next* quality update, which ideally will not have the same issue. If there is still an issue, the IT admin can pause updates again.
+Now all devices are paused from updating for 35 days. When the pause is removed, they'll be offered the *next* quality update, which ideally won't have the same issue. If there's still an issue, the IT admin can pause updates again.
@@ -156,7 +156,7 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window

- - If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user is receives this notification that the restart is about to occur:
+ - If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user receives this notification that the restart is about to occur:

@@ -174,7 +174,7 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window
There are additional settings that affect the notifications.
-We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that are not met by the default notification settings, you can use the [Update/UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) policy with these values:
+We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that aren't met by the default notification settings, you can use the [Update/UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) policy with these values:
**0** (default) – Use the default Windows Update notifications
**1** – Turn off all notifications, excluding restart warnings
@@ -194,4 +194,16 @@ When you disable this setting, users will see **Some settings are managed by you
If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use [Update/SetDisableUXWUAccess](/windows/client-management/mdm/policy-csp-update#update-setdisableuxwuaccess).
+#### I want to enable features introduced via servicing that are off by default
+
+(*Starting in Windows 11, version 22H2 or later*)
+New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features are temporarily turned off by default. Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly.
+
+The features that are turned off by default from servicing updates will be enabled in the next annual feature update. Organizations can choose to deploy feature updates at their own pace, to delay these features until they're ready for them.
+
+ You can enable these features by using [AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol). The following options are available:
+
+- **0** (default): Allowed. All features in the latest monthly cumulative update are enabled.
+ - When the policy is set to **0**, all features that are currently turned off will turn on when the device next reboots
+- **1** - Not allowed. Features that are shipped turned off by default will remain off
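Review bot: the nested bullet under `**0** (default)` is indented by a single space (`+ - When the policy is set to **0**…`), which Markdown does not treat as a child of the `- **0**` item; indent it by at least two spaces (the parent's content offset) or it renders as a sibling bullet. The list also mixes separators and end punctuation: `**0** (default): Allowed. …` versus `**1** - Not allowed. … remain off` with no terminal period; pick one form for both. The paragraph beginning "You can enable these features" carries a stray leading space. Finally, because `0` is the default and, per the sub-bullet, turns every temporarily-disabled feature on at the next reboot, state plainly that organizations that want to hold these features back until the next feature update must explicitly set `1`; the current lead-in ("You can enable these features by using…") reads as if the policy only ever enables them.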
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index 286ed2119c..356e2b1e80 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -1,6 +1,6 @@
---
title: Configure Windows Update for Business via Group Policy
-description: Walk-through demonstration of how to configure Windows Update for Business settings using Group Policy.
+description: Walk through of how to configure Windows Update for Business settings using Group Policy.
ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
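Review bot: the new description "Walk through of how to configure…" uses the verb form where a noun is needed; it should be "Walkthrough of how to configure…", matching the page title "Walkthrough: Use Group Policy…". Suggest `description: Walkthrough of how to configure Windows Update for Business settings using Group Policy.`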
@@ -10,7 +10,7 @@ ms.collection:
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
-ms.date: 12/31/2017
+ms.date: 02/28/2023
---
# Walkthrough: Use Group Policy to configure Windows Update for Business
@@ -25,7 +25,7 @@ ms.date: 12/31/2017
## Overview
-You can use Group Policy through the Group Policy Management Console (GPMC) to control how Windows Update for Business works. You should consider and devise a deployment strategy for updates before you make changes to the Windows Update for Business settings. See [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) for more information.
+You can use Group Policy through the Group Policy Management Console (GPMC) to control how Windows Update for Business works. You should consider and devise a deployment strategy for updates before you make changes to the Windows Update for Business settings. For more information, see [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) for more information.
An IT administrator can set policies for Windows Update for Business by using Group Policy, or they can be set locally (per device). All of the relevant policies are under the path **Computer configuration > Administrative Templates > Windows Components > Windows Update**.
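Review bot: the rewritten overview sentence now reads "For more information, see [Prepare servicing strategy…] for more information." Drop the trailing "for more information" so it reads `For more information, see [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md).`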
@@ -53,7 +53,7 @@ Follow these steps on a device running the Remote Server Administration Tools or
5. Right-click the **"Windows Update for Business - Group 1"** object, and then select **Edit**.
-6. In the Group Policy Management Editor, go to **Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update**. You are now ready to start assigning policies to this ring (group) of devices.
+6. In the Group Policy Management Editor, go to **Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update**. You're now ready to start assigning policies to this ring (group) of devices.
## Manage Windows Update offerings
@@ -64,9 +64,9 @@ You can control when updates are applied, for example by deferring when an updat
Both feature and quality updates are automatically offered to devices that are connected to Windows Update using Windows Update for Business policies. However, you can choose whether you want the devices to additionally receive other Microsoft Updates or drivers that are applicable to that device.
-To enable Microsoft Updates use the Group Policy Management Console go to **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates** and select **Install updates for other Microsoft products**.
+To enable Microsoft Updates, use the Group Policy Management Console go to **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates** and select **Install updates for other Microsoft products**.
-Drivers are automatically enabled because they are beneficial to device systems. We recommend that you allow the driver policy to allow drivers to update on devices (the default), but you can turn this setting off if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use the Group Policy Management Console to go to **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates** and enable the policy.
+Drivers are automatically enabled because they're beneficial to device systems. We recommend that you allow the driver policy to allow drivers to update on devices (the default), but you can turn off this setting if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use the Group Policy Management Console to go to **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates** and enable the policy.
We also recommend that you allow Microsoft product updates as discussed previously.
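Review bot: the edited sentence "To enable Microsoft Updates, use the Group Policy Management Console go to **Computer Configuration > …**" is missing "to" after "Console"; suggest "…use the Group Policy Management Console to go to **…**", which matches the wording already used for the driver policy two lines below.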
@@ -74,7 +74,7 @@ Drivers are automatically enabled because they are beneficial to device systems.
#### I want to receive pre-release versions of the next feature update
-1. Ensure that you are enrolled in the Windows Insider Program for Business. This is a completely free program available to commercial customers to aid them in their validation of feature updates before they are released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates.
+1. Ensure that you're enrolled in the Windows Insider Program for Business. This is a free program available to commercial customers to aid them in their validation of feature updates before they're released. Joining the program enables you to receive updates prior to their release and receive emails and content related to what is coming in the next updates.
2. Use Group Policy Management Console to go to: **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Manage preview builds** and set the policy to **Enable preview builds** for any of test devices you want to install pre-release builds.
@@ -84,18 +84,18 @@ Drivers are automatically enabled because they are beneficial to device systems.
#### I want to manage which released feature update my devices receive
-A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you will not receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify.
+A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you won't receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify.
- To defer or pause a feature update: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and feature updates are Received**
- Defer or pause a quality update: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are Received**
#### Example
-In this example, there are three rings for quality updates. The first ring ("pilot") has a deferral period of 0 days. The second ring ("fast") has a deferral of five days. The third ring ("slow") has a deferral of ten days.
+In this example, there are three rings for quality updates. The first ring ("pilot") has a deferral period of 0 days. The second ring ("fast") has a deferral of five days. The third ring ("slow") has a deferral of 10 days.
:::image type="content" alt-text="illustration of devices divided into three rings." source="images/waas-wufb-3-rings.png" lightbox="images/waas-wufb-3-rings.png":::
-When the quality update is released, it is offered to devices in the pilot ring the next time they scan for updates.
+When the quality update is released, it's offered to devices in the pilot ring the next time they scan for updates.
##### Five days later
The devices in the fast ring are offered the quality update the next time they scan for updates.
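Review bot: the edited example sentence now mixes number styles within one sentence: "0 days", "five days", "10 days". Either spell out the single-digit values consistently ("zero days", "five days", "10 days") or use numerals throughout, and keep the choice in line with the headings below ("Five days later", "Ten days later"), which are spelled out.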
@@ -103,11 +103,11 @@ The devices in the fast ring are offered the quality update the next time they s
:::image type="content" alt-text="illustration of devices with fast ring deployed." source="images/waas-wufb-fast-ring.png" lightbox="images/waas-wufb-fast-ring.png":::
##### Ten days later
-Ten days after the quality update is released, it is offered to the devices in the slow ring the next time they scan for updates.
+Ten days after the quality update is released, it's offered to the devices in the slow ring the next time they scan for updates.
:::image type="content" alt-text="illustration of devices with slow ring deployed." source="images/waas-wufb-slow-ring.png" lightbox="images/waas-wufb-slow-ring.png":::
-If no problems occur, all of the devices that scan for updates will be offered the quality update within ten days of its release, in three waves.
+If no problems occur, all of the devices that scan for updates will be offered the quality update within 10 days of its release, in three waves.
##### What if a problem occurs with the update?
@@ -119,13 +119,13 @@ At this point, the IT administrator can set a policy to pause the update. In thi
:::image type="content" alt-text="illustration of rings with pause quality update check box selected." source="images/waas-wufb-pause.png" lightbox="images/waas-wufb-pause.png":::
-Now all devices are paused from updating for 35 days. When the pause is removed, they will be offered the *next* quality update, which ideally will not have the same issue. If there is still an issue, the IT admin can pause updates again.
+Now all devices are paused from updating for 35 days. When the pause is removed, they'll be offered the *next* quality update, which ideally won't have the same issue. If there's still an issue, the IT admin can pause updates again.
#### I want to stay on a specific version
-If you need a device to stay on a version beyond the point when deferrals on the next version would elapse or if you need to skip a version, use the **Select the target feature update version** setting instead of using the **Specify when Preview Builds and feature updates are received** setting for feature update deferrals. When you use this policy, specify the version that you want your devices to use. If you don't update this before the device reaches end of service, the device will automatically be updated once it is 60 days past end of service for its edition.
+If you need a device to stay on a version beyond the point when deferrals on the next version would elapse or if you need to skip a version, use the **Select the target feature update version** setting instead of using the **Specify when Preview Builds and feature updates are received** setting for feature update deferrals. When you use this policy, specify the version that you want your devices to use. If you don't update this before the device reaches end of service, the device will automatically be updated once it's 60 days past end of service for its edition.
-When you set the target version policy, if you specify a feature update version that is older than your current version or set a value that isn't valid, the device will not receive any feature updates until the policy is updated. When you specify target version policy, feature update deferrals will not be in effect.
+When you set the target version policy, if you specify a feature update version that is older than your current version or set a value that isn't valid, the device won't receive any feature updates until the policy is updated. When you specify target version policy, feature update deferrals won't be in effect.
### Manage how users experience updates
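Review bot: on the second edited line, "When you specify target version policy" is missing an article; suggest "When you specify the target version policy, feature update deferrals won't be in effect." The preceding sentence is the important operational caveat in this hunk (an older or invalid target version means the device receives no feature updates until the policy is corrected), so consider promoting it to an `> [!IMPORTANT]` callout, as used elsewhere in this change, since a typo in this value leaves devices without feature updates with no other visible signal.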
@@ -135,7 +135,7 @@ We recommend that you allow to update automatically--this is the default behavio
For more granular control, you can set the maximum period of active hours the user can set with **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify active hours range for auto restart**.
-It's best to refrain from setting the active hours policy because it's enabled by default when automatic updates are not disabled and provides a better experience when users can set their own active hours. If you do want to set active hours, use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Turn off auto-restart for updates during active hours**.
+It's best to refrain from setting the active hours policy because it's enabled by default when automatic updates aren't disabled and provides a better experience when users can set their own active hours. If you do want to set active hours, use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Turn off auto-restart for updates during active hours**.
To update outside of the active hours, you don't need to set any additional settings: simply don't disable automatic restarts. For even more granular control, consider using automatic updates to schedule the install time, day, or week. To do this, use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates** and select **Auto download and schedule the install**. You can customize this setting to accommodate the time that you want the update to be installed for your devices.
@@ -145,7 +145,7 @@ When you set these policies, installation happens automatically at the specified
We recommend that you use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadline for automatic updates and restarts** for feature and quality updates to ensure that devices stay secure on Windows 10, version 1709 and later. This works by enabling you to specify the number of days that can elapse after an update is offered to a device before it must be installed. Also you can set the number of days that can elapse after a pending restart before the user is forced to restart.
-This policies also offers an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point the device will automatically schedule a restart regardless of active hours.
+This policy also offers an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point the device will automatically schedule a restart regardless of active hours.
These notifications are what the user sees depending on the settings you choose:
@@ -159,7 +159,7 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window

- - If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user is receives this notification that the restart is about to occur:
+ - If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user receives this notification that the restart is about to occur:

@@ -177,7 +177,7 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window
There are additional settings that affect the notifications.
-We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that are not met by the default notification settings, you can use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Display options for update notifications** with these values:
+We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that aren't met by the default notification settings, you can use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Display options for update notifications** with these values:
**0** (default) - Use the default Windows Update notifications
**1** - Turn off all notifications, excluding restart warnings
@@ -192,9 +192,24 @@ Still more options are available in **Computer Configuration > Administrative Te
#### I want to manage the update settings a user can access
-Every Windows device provides users with a variety of controls they can use to manage Windows Updates. They can access these controls by Search to find Windows Updates or by going selecting **Updates and Security** in **Settings**. We provide the ability to disable a variety of these controls that are accessible to users.
+Every Windows device provides users with various controls they can use to manage Windows Updates. They can access these controls by Search to find Windows Updates or by going selecting **Updates and Security** in **Settings**. We provide the ability to disable a variety of these controls that are accessible to users.
Users with access to update pause settings can prevent both feature and quality updates for 7 days. You can prevent users from pausing updates through the Windows Update settings page by using **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to “Pause updates**.
When you disable this setting, users will see **Some settings are managed by your organization** and the update pause settings are greyed out.
If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to use all Windows Update features**.
+
+#### I want to enable features introduced via servicing that are off by default
+
+(*Starting in Windows 11, version 22H2 or later*)
+
+New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features are temporarily turned off by default. Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly.
+
+The features that are turned off by default from servicing updates will be enabled in the next annual feature update. Organizations can choose to deploy feature updates at their own pace, to delay these features until they're ready for them.
+
+ You can enable these features by using **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience > Enable features introduced via servicing that are off by default**. The following options are available:
+
+- **Enabled**: All features in the latest monthly cumulative update are enabled.
+ - When the policy is set to **Enabled**, all features that are currently turned off will turn on when the device next reboots
+- **Disabled** - Features that are shipped turned off by default will remain off
+- **Not configured** - Features that are shipped turned off by default will remain off
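Review bot: in the first edited line of this hunk, "They can access these controls by Search to find Windows Updates or by going selecting **Updates and Security** in **Settings**" still has the dangling "going selecting"; suggest "…or by selecting **Updates and Security** in **Settings**". In the new section at the end of the hunk: the paragraph starting "You can enable these features" has a stray leading space; the nested bullet under `**Enabled**` is indented by only one space and will render as a sibling, not a child, of the `- **Enabled**` item (use two or more spaces); and the three options use different separators (`**Enabled**:` versus `**Disabled** -` / `**Not configured** -`) and lack terminal periods. Also, `**Disabled**` and `**Not configured**` describe the same behaviour here, which means the Group Policy default keeps the features off while the CSP default `0` in the companion article turns them on at the next reboot; that asymmetry is exactly what an administrator mapping one mechanism to the other will trip over, so it is worth a sentence calling it out.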
diff --git a/windows/deployment/update/wufb-reports-configuration-intune.md b/windows/deployment/update/wufb-reports-configuration-intune.md
index 1f773ef7d8..6dbfd4ac46 100644
--- a/windows/deployment/update/wufb-reports-configuration-intune.md
+++ b/windows/deployment/update/wufb-reports-configuration-intune.md
@@ -32,7 +32,7 @@ Create a configuration profile that will set the required policies for Windows U
### Settings catalog
-1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Windows** > **Configuration profiles**.
+1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Windows** > **Configuration profiles**.
1. On the **Configuration profiles** view, select **Create profile**.
1. Select **Platform**="Windows 10 and later" and **Profile type**="Settings Catalog", and then select **Create**.
1. You're now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**.
@@ -57,7 +57,7 @@ Create a configuration profile that will set the required policies for Windows U
### Custom OMA URI-based profile
-1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Windows** > **Configuration profiles**.
+1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Windows** > **Configuration profiles**.
1. On the **Configuration profiles** view, select **Create profile**.
1. Select **Platform**="Windows 10 and later" and **Profile type**="Templates".
1. For **Template name**, select **Custom**, and then select **Create**.
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
index b01e97264d..b87a674b19 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
@@ -17,7 +17,7 @@ msreviewer: hathind
There are several ways that Windows Autopatch service communicates with customers. To streamline communication and ensure we're checking with the right people when you [submit a support request](../operate/windows-autopatch-support-request.md), you must provide a set of admin contacts when you onboard with Windows Autopatch.
> [!IMPORTANT]
-> You might have already added these contacts in the Microsoft Endpoint Manager admin center during the [enrollment process](../prepare/windows-autopatch-enroll-tenant.md#step-4-enroll-your-tenant), or if you've [submitted a tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md). However, take a moment to double-check that the contact list is accurate, since the Windows Autopatch Service Engineering Team must be able to reach them if a severe incident occurs.
+> You might have already added these contacts in the Microsoft Intune admin center during the [enrollment process](../prepare/windows-autopatch-enroll-tenant.md#step-4-enroll-your-tenant), or if you've [submitted a tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md). However, take a moment to double-check that the contact list is accurate, since the Windows Autopatch Service Engineering Team must be able to reach them if a severe incident occurs.
You must have an admin contact for each specified area of focus. The Windows Autopatch Service Engineering Team will contact these individuals for assistance with your support request. Admin contacts should be the best person or group that can answer questions and make decisions for different [areas of focus](#area-of-focus).
@@ -35,7 +35,7 @@ Your admin contacts will receive notifications about support request updates and
**To add admin contacts:**
-1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Under **Tenant administration** in the **Windows Autopatch** section, select **Admin contacts**.
1. Select **+Add**.
1. Enter the contact details including name, email, phone number and preferred language. For a support ticket, the ticket's primary contact's preferred language will determine the language used for email communications.
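Review bot: While touching the first step of this hunk, "Sign into the [Intune admin center]" should read "Sign in to" (the verb is "sign in"; "into" is the preposition), and the same wording recurs in every "Sign into" step this patch rewrites, so it is worth fixing in one pass. The last step's list "name, email, phone number and preferred language" also lacks the serial comma used elsewhere in these docs.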
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index 5a0761c2f4..a61d9e9ad9 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -144,7 +144,7 @@ Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID
**To register devices with Windows Autopatch:**
-1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** from the left navigation menu.
3. Under the **Windows Autopatch** section, select **Devices**.
4. Select either the **Ready** or the **Not registered** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens.
@@ -164,7 +164,7 @@ Windows 365 Enterprise gives IT admins the option to register devices with the W
**To register new Windows 365 Cloud PC devices with Windows Autopatch from the Windows 365 Provisioning Policy:**
-1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. In the left pane, select **Devices**.
1. Navigate to Provisioning > **Windows 365**.
1. Select Provisioning policies > **Create policy**.
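Review bot: This procedure numbers its steps as repeated "1." while the procedure in the previous hunk of the same file uses "2.", "3.", "4."; both render correctly, but the file should use one convention. Steps 3 and 4 of this hunk also bold only the second UI element ("Provisioning > **Windows 365**", "Provisioning policies > **Create policy**") while step 2 bolds "**Devices**"; suggest bolding every UI label consistently.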
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md
index 15b45c91d4..d8c0580d48 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md
@@ -18,7 +18,7 @@ To avoid end-user disruption, device deregistration in Windows Autopatch only de
**To deregister a device:**
-1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Windows Autopatch** in the left navigation menu.
1. Select **Devices**.
1. In either **Ready** or **Not ready** tab, select the device(s) you want to deregister.
@@ -42,7 +42,7 @@ You can hide unregistered devices you don't expect to be remediated anytime soon
**To hide unregistered devices:**
-1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Windows Autopatch** in the left navigation menu.
1. Select **Devices**.
1. In the **Not ready** tab, select an unregistered device or a group of unregistered devices you want to hide then select **Status == All**.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
index 79ff9e1b78..13ce62ec8d 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
@@ -23,7 +23,7 @@ Support requests are triaged and responded to as they're received.
**To submit a new support request:**
-1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant administration** menu.
+1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant administration** menu.
1. In the **Windows Autopatch** section, select **Support requests**.
1. In the **Support requests** section, select **+ New support request**.
1. Enter your question(s) and/or a description of the problem.
@@ -57,7 +57,7 @@ You can see the summary status of all your support requests. At any time, you ca
**To view all your active support requests:**
-1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
+1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
1. In the **Windows Autopatch** section, select **Support request**.
1. From this view, you can export the summary view or select any case to view the details.
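Review bot: The menu label is inconsistent across the hunks in this file: the previous hunk says "select **Support requests**" while step 2 here (and the hunk that follows) says "select **Support request**"; only one can match the admin center UI, so align them while this file is open. Likewise the menu is "**Tenant administration**" in the previous hunk but "**Tenant Administration**" in step 1 here.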
@@ -67,7 +67,7 @@ You can edit support request details, for example, updating the primary case con
**To edit support request details:**
-1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
+1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
1. In the **Windows Autopatch** section, select **Support request**.
1. In the **Support requests** section, use the search bar or filters to find the case you want to edit.
1. Select the case to open the request's details.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
index 92e00968e2..d63adb541d 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
@@ -71,7 +71,7 @@ If you want to move separate devices to different deployment rings, after Window
**To move devices in between deployment rings:**
-1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** in the left pane.
+1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** in the left pane.
2. In the **Windows Autopatch** section, select **Devices**.
3. In the **Ready** tab, select one or more devices you want to assign. All selected devices will be assigned to the deployment ring you specify.
4. Select **Device actions** from the menu.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
index cf2a56aadc..288a283c63 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
@@ -89,7 +89,7 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym
**To pause or resume a Windows feature update:**
-1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** from the left navigation menu.
3. Under the **Windows Autopatch** section, select **Release management**.
4. In the **Release management** blade, select either: **Pause** or **Resume**.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md
index 1aeecfd623..ce2252c5e1 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md
@@ -18,7 +18,7 @@ The historical All devices report provides a visual representation of the update
**To view the historical All devices report:**
-1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
1. Select the **Reports** tab.
1. Select **All devices report—historical**.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md
index beb945d17e..879934d3df 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md
@@ -18,7 +18,7 @@ The All devices report provides a per device view of the current update status f
**To view the All devices report:**
-1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
1. Select the **Reports** tab.
1. Select **All devices report**.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md
index 9fc28bcbbb..b3a67ad7f2 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md
@@ -24,7 +24,7 @@ Communications are posted to, as appropriate for the type of communication, to t
- Message center
- Service health dashboard
-- Windows Autopatch messages section of the Microsoft Endpoint Manager admin center
+- Windows Autopatch messages section of the Microsoft Intune admin center
:::image type="content" source="../media/update-communications.png" alt-text="Update communications timeline" lightbox="../media/update-communications.png":::
@@ -38,7 +38,7 @@ Communications are posted to, as appropriate for the type of communication, to t
## Communications during release
-The most common type of communication during a release is a customer advisory. Customer advisories are posted to both Message center and the Messages blade of the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) shortly after Autopatch becomes aware of the new information.
+The most common type of communication during a release is a customer advisory. Customer advisories are posted to both Message center and the Messages blade of the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) shortly after Autopatch becomes aware of the new information.
There are some circumstances where Autopatch will need to change the release schedule based on new information.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md
index 8b2577d48c..6476c5476e 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md
@@ -18,7 +18,7 @@ The historical Eligible devices report provides a visual representation of the u
**To view the historical Eligible devices report:**
-1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
1. Select the **Reports** tab.
1. Select **Eligible devices report—historical**.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md
index dbcc2d106f..0bee3e92dd 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md
@@ -21,7 +21,7 @@ The historical Ineligible devices report provides a visual representation of why
**To view the historical Ineligible devices report:**
-1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
1. Select the **Reports** tab.
1. Select **Ineligible devices report—historical**.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
index 6245326cc1..5b7df79fdc 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
@@ -94,7 +94,7 @@ By default, the service expedites quality updates as needed. For those organizat
**To turn off service-driven expedited quality updates:**
-1. Go to **[Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**.
+1. Go to **[Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**.
2. Under **Windows Autopatch** > **Release management**, go to the **Release settings** tab and turn off the **Expedited quality updates** setting.
> [!NOTE]
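Review bot: Step 1 of this hunk wraps the admin center link in bold ("**[Microsoft Intune admin center](...)**"), whereas the otherwise identical step 1 in the next hunk of this same file uses the plain link. Pick one treatment; the plain link is what the rest of the patch uses.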
@@ -106,7 +106,7 @@ Windows Autopatch schedules and deploys required Out of Band (OOB) updates relea
**To view deployed Out of Band quality updates:**
-1. Go to [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Windows Autopatch** > **Release management**.
+1. Go to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Windows Autopatch** > **Release management**.
2. Under the **Release Announcements** tab, you can view the knowledge base (KB) articles corresponding to deployed OOB and regular Windows quality updates.
> [!NOTE]
@@ -126,7 +126,7 @@ If Windows Autopatch detects a [significant issue with a release](../operate/win
**To pause or resume a Windows quality update:**
-1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** from the left navigation menu.
3. Under the **Windows Autopatch** section, select **Release management**.
4. In the **Release management** blade, select either: **Pause** or **Resume**.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md
index 88f6e4ec66..b7301dd597 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md
@@ -18,7 +18,7 @@ The Summary dashboard provides a summary view of the current update status for a
**To view the current update status for all your enrolled devices:**
-1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
:::image type="content" source="../media/windows-autopatch-summary-dashboard.png" alt-text="Summary dashboard" lightbox="../media/windows-autopatch-summary-dashboard.png":::
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
index c8a319ab66..438c91a99a 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
@@ -38,7 +38,7 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
| Task | Your responsibility | Windows Autopatch |
| ----- | :-----: | :-----: |
-| [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md) in Microsoft Endpoint Manager | :heavy_check_mark: | :x: |
+| [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md) in Microsoft Intune | :heavy_check_mark: | :x: |
| [Deploy and configure Windows Autopatch service configuration](../references/windows-autopatch-changes-to-tenant.md) | :x: | :heavy_check_mark: |
| Educate users on the Windows Autopatch end user update experience- [Windows quality update end user experience](../operate/windows-autopatch-windows-quality-update-end-user-exp.md)
- [Windows feature update end user experience](../operate/windows-autopatch-windows-feature-update-end-user-exp.md)
- [Microsoft 365 Apps for enterprise end user experience](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#end-user-experience)
- [Microsoft Teams end user experience](../operate/windows-autopatch-teams.md#end-user-experience)
| :heavy_check_mark: | :x: |
| Remove your devices from existing unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: |
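Review bot: The "Educate users on the Windows Autopatch end user update experience" row in this hunk is split across several source lines, with the bullet items and the closing "| :heavy_check_mark: | :x: |" cells on their own lines. A Markdown table row must stay on one line, so unless these breaks are actually `<br>` tags that the diff view is not showing, this row will break the table; since the hunk touches the row right above it, worth verifying the rendered output. The first cell also has a stray hyphen glued to "experience-".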
@@ -58,7 +58,7 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
| Task | Your responsibility | Windows Autopatch |
| ----- | :-----: | :-----: |
-| [Maintain contacts in the Microsoft Endpoint Manager admin center](../deploy/windows-autopatch-admin-contacts.md) | :heavy_check_mark: | :x: |
+| [Maintain contacts in the Microsoft Intune admin center](../deploy/windows-autopatch-admin-contacts.md) | :heavy_check_mark: | :x: |
| [Maintain and manage the Windows Autopatch service configuration](../operate/windows-autopatch-maintain-environment.md) | :x: | :heavy_check_mark: |
| [Maintain customer configuration to align with the Windows Autopatch service configuration](../operate/windows-autopatch-maintain-environment.md) | :heavy_check_mark: | :x: |
| [Run on-going checks to ensure devices are only present in one deployment ring](../operate/windows-autopatch-update-management.md#automated-deployment-ring-remediation-functions) | :x: | :heavy_check_mark: |
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
index b091a73a97..a2e5b1c382 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
@@ -19,7 +19,7 @@ Before you enroll in Windows Autopatch, there are settings, and other parameters
> [!IMPORTANT]
> You must be a Global Administrator to enroll your tenant.
-The Readiness assessment tool, accessed in the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), checks management or configuration-related settings. This tool allows you to check the relevant settings, and details steps to fix any settings that aren't configured properly for Windows Autopatch.
+The Readiness assessment tool, accessed in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), checks management or configuration-related settings. This tool allows you to check the relevant settings, and details steps to fix any settings that aren't configured properly for Windows Autopatch.
## Step 1: Review all prerequisites
@@ -37,7 +37,7 @@ The Readiness assessment tool checks the settings in [Microsoft Intune](#microso
> [!IMPORTANT]
> You must be a Global Administrator to run the Readiness assessment tool.
-1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. In the left pane, select Tenant administration and then navigate to Windows Autopatch > **Tenant enrollment**.
> [!IMPORTANT]
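Review bot: Step 2 of this hunk bolds only the final UI element ("select Tenant administration and then navigate to Windows Autopatch > **Tenant enrollment**"); the other Autopatch procedures in this patch bold every UI label in the path, so "**Tenant administration**" and "**Windows Autopatch**" should be bolded here too.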
@@ -109,7 +109,7 @@ Windows Autopatch retains the data associated with these checks for 12 months af
**To delete the data we collect:**
-1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Navigate to Windows Autopatch > **Tenant enrollment**.
3. Select **Delete all data**.
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
index 44447d5697..48f204bbf8 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
@@ -35,6 +35,6 @@ If you have a question about the case, the best way to get in touch is to reply
**To view all your active tenant enrollment support requests:**
-1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
+1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
1. In the **Windows Autopatch** section, select **Tenant Enrollment**.
1. Select the **Support history** tab. You can view the list of all support cases, or select an individual case to view the details.
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
index 776fb296c0..cc8e865103 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
@@ -35,7 +35,7 @@ For each check, the tool will report one of four possible results:
## Microsoft Intune settings
-You can access Intune settings at the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+You can access Intune settings at the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
### Unlicensed admins
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md
index 09842260a5..e0ea1e18e2 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md
@@ -26,10 +26,10 @@ The following policies contain settings which apply to both Windows quality and
| ----- | ----- | ----- | ----- | ----- |
| Microsoft product updates | Allow | Allow | Allow | Allow |
| Windows drivers | Allow | Allow | Allow | Allow |
-| Quality update deferral period | 0 | 1 | 6 | 9 |
-| Feature update deferral period | 0 | 0 | 0 | 0 |
+| Windows quality update deferral period | 0 | 1 | 6 | 9 |
+| Windows feature update deferral period | 0 | 0 | 0 | 0 |
| Upgrade Windows 10 to latest Windows 11 release | No | No | No | No |
-| Set feature update uninstall period | 30 days | 30 days | 30 days | 30 days |
+| Set Windows feature update uninstall period | 30 days | 30 days | 30 days | 30 days |
| Servicing channel | General availability | General availability | General availability | General availability |
### Windows 10 and later user experience settings
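Review bot: The rows being renamed here ("Windows quality update deferral period", "Windows feature update deferral period", "Set Windows feature update uninstall period") sit under a "Setting name" column, which readers take to be the label shown in the Intune update-ring UI. If the "Windows" prefix is editorial rather than the literal UI label, the table (or the sentence introducing it) should say so, otherwise admins searching the UI for the new name will not find it. Separately, the deferral period values "0 | 1 | 6 | 9" carry no unit while the uninstall period row says "30 days"; add "(days)" to the setting name, and the same applies to the deadline and grace period rows in the next hunk.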
@@ -41,8 +41,8 @@ The following policies contain settings which apply to both Windows quality and
| Option to pause updates | Disable | Disable | Disable | Disable |
| Option to check for Windows updates | Default | Default | Default | Default |
| Change notification update level | Default | Default | Default | Default |
-| Deadline for feature updates | 5 | 5 | 5 | 5 |
-| Deadline for quality updates | 0 | 2 | 2 | 5 |
+| Deadline for Windows feature updates | 5 | 5 | 5 | 5 |
+| Deadline for Windows quality updates | 0 | 2 | 2 | 5 |
| Grace period | 0 | 2 | 2 | 2 |
| Auto-restart before deadline | Yes | Yes | Yes | Yes |
@@ -53,24 +53,24 @@ The following policies contain settings which apply to both Windows quality and
| Included groups | Modern Workplace Devices–Windows Autopatch-Test | Modern Workplace Devices–Windows Autopatch-First | Modern Workplace Devices–Windows Autopatch-Fast | Modern Workplace Devices–Windows Autopatch-Broad |
| Excluded groups | None | None | None | None |
-## Feature update policies
+## Windows feature update policies
-The service deploys policies using Microsoft Intune to control how feature updates are deployed to devices.
+The service deploys policies using Microsoft Intune to control how Windows feature updates are deployed to devices.
-### Feature updates for Windows 10 and later
+### Windows feature updates for Windows 10 and later
These policies control the minimum target version of Windows which a device is meant to accept. Throughout the rest of the article, you will see these policies referred to as DSS policies. After onboarding there will be four of these policies in your tenant with the following naming convention:
**Modern Workplace DSS Policy [ring name]**
-#### Feature update deployment settings
+#### Windows feature update deployment settings
| Setting name | Test | First | Fast | Broad |
| ----- | ----- | ----- | ----- | ----- |
| Name | Current targeted version of Windows | Current targeted version of Windows | Current targeted version of Windows | Current targeted version of Windows |
| Rollout options | Immediate start | Immediate start | Immediate start | Immediate start |
-#### Feature update policy assignments
+#### Windows feature update policy assignments
| Setting name | Test | First | Fast | Broad |
| ----- | ----- | ----- | ----- | ----- |
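Review bot: Renaming the headings in this hunk ("## Feature update policies", "### Feature updates for Windows 10 and later", "#### Feature update deployment settings", "#### Feature update policy assignments") changes their generated anchors (for example `#feature-update-policies` becomes `#windows-feature-update-policies`), so any in-repo or redirection links to the old anchors will silently land at the top of the page; please grep for the old fragments before merging. In the unchanged paragraph of this hunk, "DSS policies" is introduced without expanding the acronym; expand it on first use.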
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index 7e8bbc7ba7..cf8a83e4a3 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -400,7 +400,7 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
### Autopilot registration using Intune
-1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Device enrollment | Enroll devices** > **Windows enrollment** > **Windows Autopilot Deployment Program | Devices** and then on the **Windows Autopilot devices** page, choose **Import**.
+1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Device enrollment | Enroll devices** > **Windows enrollment** > **Windows Autopilot Deployment Program | Devices** and then on the **Windows Autopilot devices** page, choose **Import**.

@@ -456,7 +456,7 @@ Pick one:
The Autopilot deployment profile wizard asks for a device group, so you must create one first. To create a device group:
-1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Groups** > **New group**.
+1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Groups** > **New group**.
2. In the **Group** pane:
1. For **Group type**, choose **Security**.
@@ -605,7 +605,7 @@ To use the device (or VM) for other purposes after completion of this lab, you n
### Delete (deregister) Autopilot device
-You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), then go to **Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu.
+You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), then go to **Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu.
> [!div class="mx-imgBorder"]
> 
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index aa9a8e5a92..34186301e4 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -233,9 +233,9 @@ additionalContent:
url: /mem/endpoint-manager-overview
- text: What is Microsoft Intune?
url: /mem/intune/fundamentals/what-is-intune
- - text: Microsoft Endpoint Manager simplifies upgrades to Windows 11
+ - text: Microsoft Intune services simplify upgrades to Windows 11
url: https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/endpoint-manager-simplifies-upgrades-to-windows-11/ba-p/2771886
- - text: Understanding readiness for Windows 11 with Microsoft Endpoint Manager
+ - text: Understanding readiness for Windows 11 with Microsoft Intune services
url: https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/understanding-readiness-for-windows-11-with-microsoft-endpoint/ba-p/2770866
- text: Microsoft endpoint management blog
url: https://aka.ms/memblog
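Review bot: The two renamed link texts in this hunk ("Microsoft Intune services simplify upgrades to Windows 11", "Understanding readiness for Windows 11 with Microsoft Intune services") point at external blog posts whose URL slugs still read "endpoint-manager-simplifies-upgrades-to-windows-11" and "understanding-readiness-for-windows-11-with-microsoft-endpoint". Unless those posts have actually been retitled, the link text will no longer match the page the reader lands on; consider keeping the original titles for external articles and reserving the rename for product UI references.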
diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml
index 9f840b293a..d2d1fa36bd 100644
--- a/windows/security/TOC.yml
+++ b/windows/security/TOC.yml
@@ -385,19 +385,19 @@
href: identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
- name: Smart Card Events
href: identity-protection/smart-cards/smart-card-events.md
- - name: Virtual Smart Cards
+ - name: Virtual smart cards
href: identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
items:
- - name: Understanding and Evaluating Virtual Smart Cards
+ - name: Understand and evaluate virtual smart cards
href: identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
items:
- - name: "Get Started with Virtual Smart Cards: Walkthrough Guide"
+ - name: Get started with virtual smart cards
href: identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
- - name: Use Virtual Smart Cards
+ - name: Use virtual smart cards
href: identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
- - name: Deploy Virtual Smart Cards
+ - name: Deploy virtual smart cards
href: identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
- - name: Evaluate Virtual Smart Card Security
+ - name: Evaluate virtual smart card security
href: identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
- name: Tpmvscmgr
href: identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index 54f2278102..0310c13313 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -68,15 +68,18 @@
},
"fileMetadata": {
"author":{
- "identity-protection/**/*.md": "paolomatarazzo"
+ "identity-protection/**/*.md": "paolomatarazzo",
+ "threat-protection/windows-firewall/**/*.md": "aczechowski"
},
"ms.author":{
- "identity-protection/**/*.md": "paoloma"
+ "identity-protection/**/*.md": "paoloma",
+ "threat-protection/windows-firewall/*.md": "aaroncz"
},
"ms.reviewer":{
"identity-protection/hello-for-business/*.md": "erikdau",
"identity-protection/credential-guard/*.md": "zwhittington",
- "identity-protection/access-control/*.md": "sulahiri"
+ "identity-protection/access-control/*.md": "sulahiri",
+ "threat-protection/windows-firewall/*.md": "paoloma"
},
"ms.collection":{
"identity-protection/hello-for-business/*.md": "tier1",
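Review bot: the three new windows-firewall globs are inconsistent: `author` uses the recursive pattern `"threat-protection/windows-firewall/**/*.md"`, while `ms.author` and `ms.reviewer` use the non-recursive `"threat-protection/windows-firewall/*.md"`, so any topic in a subfolder of windows-firewall would receive an author but no ms.author or ms.reviewer value. Use the same pattern in all three blocks (the `**/` form if subfolders exist, as the identity-protection entries already do).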
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index ec9ce3c4e8..a4f523f78b 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -67,7 +67,7 @@ To enforce processing of the group policy, you can run `gpupdate /force`.
### Enable Windows Defender Credential Guard by using Microsoft Intune
-1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices**.
+1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices**.
1. Select **Configuration Profiles**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
index 25100512b3..fa405ca079 100644
--- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
@@ -49,7 +49,7 @@ We recommend that you disable or manage Windows Hello for Business provisioning
The following method explains how to disable Windows Hello for Business enrollment using Intune.
-1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens.
3. If you don't want to enable Windows Hello for Business during device enrollment, select **Disabled** for **Configure Windows Hello for Business**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
index 26fb7abfb6..8896bacc2b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
@@ -106,7 +106,7 @@ Once these requirements are met, a policy can be configured in Intune that provi
This section describes how to configure a SCEP policy in Intune. Similar steps can be followed to configure a PKCS policy.
-1. Go to the Microsoft Endpoint Manager admin center
+1. Go to the Microsoft Intune admin center
1. Select **Devices > Configuration profiles > Create profile**
1. Select **Platform > Windows 10 and later** and **Profile type > Templates > SCEP Certificate**
1. Select **Create**
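Review bot: the renamed step still has no link to the admin center, whereas the equivalent steps elsewhere in this change (credential-guard-manage.md, hello-feature-pin-reset.md, hello-hybrid-cert-whfb-provision.md) link to `https://go.microsoft.com/fwlink/?linkid=2109431`. Suggest `1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)` here, and the same for the matching step in hello-hybrid-aadj-sso.md further down.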
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml
index 982ee0f388..fd1630c12b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@@ -2,6 +2,8 @@
metadata:
title: Windows Hello for Business Frequently Asked Questions (FAQ)
description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business.
+ author: paolomatarazzo
+ ms.author: paoloma
ms.collection:
- highpri
- tier1
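Review bot: the explicit `author`/`ms.author` pair is needed here because the docfx.json `fileMetadata` globs touched in this change match `identity-protection/**/*.md` only, so a `.yml` FAQ is not covered. Consider adding a matching `*.yml` entry to those globs in docfx.json so other YAML topics under identity-protection don't need the same hand-edit.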
@@ -78,7 +80,7 @@ sections:
Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. Your workplace or IT administrator may have turned certain authentication functionality, however, it is always your choice if you want to use Windows Hello or an alternative method, like a PIN. Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to **Start > Settings > Accounts > Sign-in** options. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can request users to enroll into Windows Hello during Autopilot or during the initial setup of the device. Admins can disallow users to enroll into biometrics via Windows Hello for Business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users.
- question: When is Windows Hello biometrics database file deleted? How can a user be unenrolled from Windows Hello face or fingerprint authentication?
answer: |
- To remove Windows Hello and any associated biometric identification data from the device, user can go to **Start > Settings > Accounts > Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. This will u-enroll the user from Windows Hello biometrics authentication and will also delete the associated biometrics template database file. For more details, see [Windows sign-in options and account protection (microsoft.com)](https://support.microsoft.com/en-us/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf#bkmk_helloandprivacy).
+ To remove Windows Hello and any associated biometric identification data from the device, user can go to **Start > Settings > Accounts > Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. This will u-enroll the user from Windows Hello biometrics authentication and will also delete the associated biometrics template database file. For more details, see [Windows sign-in options and account protection (microsoft.com)](https://support.microsoft.com/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf#bkmk_helloandprivacy).
- name: Management and operations
questions:
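Review bot: since the answer line is being rewritten anyway (only `/en-us` is dropped from the URL), fix the typo that survives on the `+` line: "This will u-enroll the user" should be "This will unenroll the user", and "user can go to" reads better as "the user can go to".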
@@ -117,7 +119,7 @@ sections:
- Data about whether people sign in with their face, iris, fingerprint, or PIN
- The number of times they use it
- Whether it works or not
- All this is valuable information that helps Microsoft building a better product. The data is pseudonymized, does not include biometric information, and is encrypted before it is transmitted to Microsoft. You can choose to stop sending diagnostic data to Microsoft at any time. [Learn more about diagnostic data in Windows](https://support.microsoft.com/en-us/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319).
+ All this is valuable information that helps Microsoft building a better product. The data is pseudonymized, does not include biometric information, and is encrypted before it is transmitted to Microsoft. You can choose to stop sending diagnostic data to Microsoft at any time. [Learn more about diagnostic data in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319).
- question: Can I disable the PIN while using Windows Hello for Business?
answer: |
No. The movement away from passwords is accomplished by gradually reducing the use of the password. In situations where you can't authenticate by using biometrics, you need a fallback mechanism that isn't a password. The PIN is the fallback mechanism. Disabling or hiding the PIN credential provider will disable the use of biometrics.
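Review bot: same situation as the previous hunk: the `+` line only drops `/en-us` from the URL and keeps the grammar error "helps Microsoft building a better product". Change it to "helps Microsoft build a better product" while the line is being touched.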
@@ -185,7 +187,7 @@ sections:
- question: Which is a better or more secure for of authentication, key or certificate?
answer: |
Both types of authentication provide the same security; one is not more secure than the other.
- The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware-backed, two-factor credential. The differences between the two trust types is the issuance of end-entity certificates:
+ The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware-backed, two-factor credential. The difference between the two trust types is the issuance of end-entity certificates:
- The *key trust* model authenticates to Active Directory by using a raw key. Key trust doesn't require an enterprise-issued certificate, therefore you don't need to issue certificates to users (domain controller certificates are still needed)
- The *certificate trust* model authenticates to Active Directory by using a certificate. Therefore, you need to issue certificates to users. The certificate used in certificate trust uses the TPM-protected private key to request a certificate from your enterprise's issuing CA
- question: What is convenience PIN?
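Review bot: the "differences ... is" fix is correct, but the unchanged question line at the top of this hunk has its own typo, "Which is a better or more secure for of authentication" (should be "form of authentication"); consider folding that fix into this hunk.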
@@ -196,7 +198,7 @@ sections:
No. While it's possible to set a convenience PIN on Azure AD joined and hybrid Azure AD joined devices, convenience PIN isn't supported for Azure AD user accounts (including synchronized identities). Convenience PIN is only supported for on-premises Active Directory users and local account users.
- question: What about virtual smart cards?
answer: |
- Windows Hello for Business is the modern, two-factor credential for Windows. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends that new Windows deployments use Windows Hello for Business.
+ Windows Hello for Business is the modern, two-factor authentication for Windows. Microsoft will deprecate virtual smart cards in the near future. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business. Microsoft will publish the deprecation date to ensure customers have adequate lead time to move to Windows Hello for Business. We recommend that new Windows deployments use Windows Hello for Business.
- question: What URLs do I need to allow for a hybrid deployment?
answer: |
For a list of required URLs, see [Microsoft 365 Common and Office Online](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#microsoft-365-common-and-office-online).
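Review bot: the rewritten answer drops "no date is set at this time" while the next sentence still promises that "Microsoft will publish the deprecation date", so the reader is left unsure whether a date already exists; keep a clause stating that the date hasn't been announced, or link to the deprecation notice if one is available. Also, "the modern, two-factor authentication for Windows" is awkward; the original "two-factor credential" described what Windows Hello for Business is more precisely.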
@@ -248,4 +250,4 @@ sections:
In a hybrid deployment, a user's public key must sync from Azure AD to AD before it can be used to authenticate against a domain controller. This sync is handled by Azure AD Connect and will occur during a normal sync cycle.
- question: Can I use Windows Hello for Business key trust and RDP?
answer: |
- Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) without deploying certificates.
\ No newline at end of file
+ Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) without deploying certificates.
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index 519b34bd34..7b1fdf338f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -129,7 +129,7 @@ Before you can remotely reset PINs, your devices must be configured to enable PI
You can configure Windows devices to use the **Microsoft PIN Reset Service** using Microsoft Intune.
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Devices** > **Configuration profiles** > **Create profile**.
1. Enter the following properties:
- **Platform**: Select **Windows 10 and later**.
@@ -151,7 +151,7 @@ You can configure Windows devices to use the **Microsoft PIN Reset Service** usi
>[!NOTE]
> You can also configure PIN recovery from the **Endpoint security** blade:
-> 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+> 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
> 1. Select **Endpoint security** > **Account protection** > **Create Policy**.
#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
@@ -232,7 +232,7 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au
### Configure Web Sign-in Allowed URLs using Microsoft Intune
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
1. Select **Devices** > **Configuration profiles** > **Create profile**
1. Enter the following properties:
- **Platform**: Select **Windows 10 and later**
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 677bc65d0e..fbed200f77 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -848,7 +848,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
Sign-in a workstation with access equivalent to a _domain user_.
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices**, and then select **Configuration Profiles**.
@@ -901,7 +901,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
Sign-in a workstation with access equivalent to a _domain user_.
-1. Sign-in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign-in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices**, and then select **Configuration Profiles**.
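Review bot: the `+` line keeps "Sign-in to the" from the original; as a verb it should be "Sign in to the", matching the previous hunk in this same file (`1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).`).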
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
index 22d0a585f9..d0aa2590f7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -242,7 +242,7 @@ The domain controllers have a certificate that includes the new CRL distribution
To configure devices with Microsoft Intune, use a custom policy:
-1. Go to the Microsoft Endpoint Manager admin center
+1. Go to the Microsoft Intune admin center
1. Select **Devices > Configuration profiles > Create profile**
1. Select **Platform > Windows 8.1 and later** and **Profile type > Trusted certificate**
1. Select **Create**
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index 205970b978..a1a88d6f2e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -119,12 +119,12 @@ There are different ways to enable and configure Windows Hello for Business in I
To check the Windows Hello for Business policy applied at enrollment time:
-1. Sign in to the Microsoft Endpoint Manager admin center
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Devices** > **Windows** > **Windows Enrollment**
1. Select **Windows Hello for Business**
1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured
-:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Endpoint Manager admin center." border="true" lightbox="images/whfb-intune-disable.png":::
+:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="images/whfb-intune-disable.png":::
If the tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). Otherwise, follow the instructions below to create a policy using an *account protection* policy.
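Review bot: the `:::image` line silently drops `border="true"` in addition to the alt-text rename, and the same image (`images/whfb-intune-disable.png`) in the new hello-hybrid-cloud-kerberos-trust-provision.md added by this change keeps `border="true"`. If removing the border is intentional, mention it in the description and apply it consistently; the account-protection image hunk below in this file drops it too, the new file does not.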
@@ -132,7 +132,7 @@ If the tenant-wide policy is enabled and configured to your needs, you can skip
To configure Windows Hello for Business using an *account protection* policy:
-1. Go to the Microsoft Endpoint Manager admin center
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Endpoint security** > **Account protection**
1. Select **+ Create Policy**
1. For *Platform**, select **Windows 10 and later** and for *Profile* select **Account protection**
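Review bot: the unchanged step just below the edit has mismatched emphasis markers: `1. For *Platform**, select **Windows 10 and later** and for *Profile* select **Account protection**` opens with one asterisk and closes with two, which renders as a stray asterisk. The new cloud Kerberos trust page in this same change has the correct form, `1. For **Platform**, select **Windows 10 and later** and for **Profile** select **Account protection**.`; fold the same fix in here.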
@@ -147,7 +147,7 @@ To configure Windows Hello for Business using an *account protection* policy:
1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
1. Review the policy configuration and select **Create**
-:::image type="content" source="images/whfb-intune-account-protection-cert-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Endpoint Manager admin center using an account protection policy." border="true" lightbox="images/whfb-intune-account-protection-cert-enable.png":::
+:::image type="content" source="images/whfb-intune-account-protection-cert-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-cert-enable.png":::
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
new file mode 100644
index 0000000000..0f6b8ab112
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
@@ -0,0 +1,218 @@
+---
+title: Windows Hello for Business cloud Kerberos trust clients configuration and enrollment
+description: Learn how to configure devices and enroll them in Windows Hello for Business in a cloud Kerberos trust scenario.
+ms.date: 02/24/2023
+appliesto:
+- ✅ Windows 10, version 21H2 and later
+ms.topic: tutorial
+---
+# Configure and provision Windows Hello for Business - cloud Kerberos trust
+
+[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-cloudkerb-trust.md)]
+
+## Deployment steps
+
+Deploying Windows Hello for Business cloud Kerberos trust consists of two steps:
+
+1. Set up Azure AD Kerberos.
+1. Configure a Windows Hello for Business policy and deploy it to the devices.
+
+### Deploy Azure AD Kerberos
+
+If you've already deployed on-premises SSO for passwordless security key sign-in, then you've already deployed Azure AD Kerberos in your hybrid environment. You don't need to redeploy or change your existing Azure AD Kerberos deployment to support Windows Hello for Business and you can skip this section.
+
+If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enable passwordless security key sign-in to on-premises resources by using Azure AD][AZ-2] documentation. This page includes information on how to install and use the Azure AD Kerberos PowerShell module. Use the module to create an Azure AD Kerberos Server object for the domains where you want to use Windows Hello for Business cloud Kerberos trust.
+
+### Configure Windows Hello for Business policy
+
+After setting up the Azure AD Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
+
+#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
+
+For devices managed by Intune, you can use Intune policies to configure Windows Hello for Business.
+
+There are different ways to enable and configure Windows Hello for Business in Intune:
+
+- When the device is enrolled in Intune, a tenant-wide policy is applied to the device. This policy is applied at enrollment time only, and any changes to its configuration won't apply to devices already enrolled in Intune. For this reason, this policy is usually disabled, and Windows Hello for Business can be enabled using a policy targeted to a security group.
+- After the device is enrolled in Intune, you can apply a device configuration policy. Any changes to the policy will be applied to the devices during regular policy refresh intervals. There are different policy types to choose from:
+ - [Settings catalog][MEM-7]
+ - [Security baselines][MEM-2]
+ - [Custom policy][MEM-3], via the [PassportForWork CSP][MEM-4]
+ - [Account protection policy][MEM-5]
+ - [Identity protection policy template][MEM-6]
+
+### Verify the tenant-wide policy
+
+To check the Windows Hello for Business policy applied at enrollment time:
+
+1. Sign in to the Microsoft Intune admin center.
+1. Select **Devices** > **Windows** > **Windows Enrollment**.
+1. Select **Windows Hello for Business**.
+1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured.
+
+:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." border="true" lightbox="images/whfb-intune-disable.png":::
+
+If the tenant-wide policy is enabled and configured to your needs, you can skip to [Configure cloud Kerberos trust policy](#configure-the-cloud-kerberos-trust-policy). Otherwise, follow the instructions below to create a policy using an *account protection* policy.
+
+### Enable Windows Hello for Business
+
+To configure Windows Hello for Business using an account protection policy:
+
+1. Sign in to the Microsoft Intune admin center.
+1. Select **Endpoint security** > **Account protection**.
+1. Select **+ Create Policy**.
+1. For **Platform**, select **Windows 10 and later** and for **Profile** select **Account protection**.
+1. Select **Create**.
+1. Specify a **Name** and, optionally, a **Description** > **Next**.
+1. Under **Block Windows Hello for Business**, select **Disabled** and multiple policies become available.
+ - These policies are optional to configure, but it's recommended to configure **Enable to use a Trusted Platform Module (TPM)** to **Yes**.
+ - For more information about these policies, see [MDM policy settings for Windows Hello for Business](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business).
+1. Under **Enable to certificate for on-premises resources**, select **Disabled** and multiple policies become available.
+1. Select **Next**.
+1. Optionally, add **scope tags** and select **Next**.
+1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**.
+1. Review the policy configuration and select **Create**.
+
+> [!TIP]
+> If you want to enforce the use of digits for your Windows Hello for Business PIN, use the settings catalog and choose **Digits** or **Digits (User)** instead of using the Account protection template.
+
+:::image type="content" source="images/whfb-intune-account-protection-enable.png" alt-text="This image shows the enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-enable.png":::
+
+Assign the policy to a security group that contains as members the devices or users that you want to configure.
+
+### Configure the cloud Kerberos trust policy
+
+The cloud Kerberos trust policy can be configured using a custom template, and it's configured separately from enabling Windows Hello for Business.
+
+To configure the cloud Kerberos trust policy:
+
+1. Sign in to the Microsoft Intune admin center.
+1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**.
+1. For Profile Type, select **Templates** and select the **Custom** Template.
+1. Name the profile with a familiar name, for example, "Windows Hello for Business cloud Kerberos trust".
+1. In Configuration Settings, add a new configuration with the following settings:
+
+ - Name: **Windows Hello for Business cloud Kerberos trust** or another familiar name
+ - Description (optional): *Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO*
+ - OMA-URI: **`./Device/Vendor/MSFT/PassportForWork/`*\*`/Policies/UseCloudTrustForOnPremAuth`**
+ - Data type: **Boolean**
+ - Value: **True**
+
+ > [!IMPORTANT]
+ > *Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID][AZ-3] for instructions on looking up your tenant ID.
+
+ :::image type="content" alt-text ="Intune custom-device configuration policy creation" source="./images/hello-cloud-trust-intune.png" lightbox="./images/hello-cloud-trust-intune-large.png":::
+
+1. Assign the policy to a security group that contains as members the devices or users that you want to configure.
+
+#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
+
+Hybrid Azure AD joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business.
+
+The Enable Windows Hello for Business Group Policy setting is used by Windows to determine if a user should attempt to enroll a credential. A user will only attempt enrollment if this policy is configured to enabled.
+
+You can configure the Enable Windows Hello for Business Group Policy setting for computers or users. Deploying this policy setting to computers results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence.
+
+Cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration.
+
+> [!NOTE]
+> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune][MEM-1] and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources).
+
+#### Update administrative templates
+
+You may need to update your Group Policy definitions to be able to configure the cloud Kerberos trust policy. You can copy the ADMX and ADML files from a Windows client that supports cloud Kerberos trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the *Passport.admx* and *Passport.adml* files.
+
+You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows][TS-1].
+
+#### Create the Windows Hello for Business group policy object
+
+You can configure Windows Hello for Business cloud Kerberos trust using a Group Policy Object (GPO).
+
+1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer objects in Active Directory.
+1. Edit the Group Policy object from Step 1.
+1. Expand **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**.
+1. Select **Use Windows Hello for Business** > **Enable** > **OK**.
+1. Select **Use cloud Kerberos trust for on-premises authentication** > **Enable** > **OK**.
+1. Optional, but recommended: select **Use a hardware security device** > **Enable** > **OK**.
+
+---
+
+> [!IMPORTANT]
+> If the **Use certificate for on-premises authentication** policy is enabled, certificate trust will take precedence over cloud Kerberos trust. Ensure that the machines that you want to enable cloud Kerberos trust have this policy **not configured** or **disabled**.
+
+## Provision Windows Hello for Business
+
+The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business *cloud Kerberos trust* adds a prerequisite check for Hybrid Azure AD-joined devices when cloud Kerberos trust is enabled by policy.
+
+You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs** > **Microsoft** > **Windows**.\
+This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4].
+
+:::image type="content" alt-text="Cloud Kerberos trust prerequisite check in the user device registration log" source="./images/cloud-trust-prereq-check.png" lightbox="./images/cloud-trust-prereq-check.png":::
+
+The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust isn't being enforced by policy or if the device is Azure AD joined.
+
+> [!NOTE]
+> The cloud Kerberos trust prerequisite check isn't done on Azure AD-joined devices. If Azure AD Kerberos isn't provisioned, a user on an Azure AD joined device will still be able to sign in, but won't have SSO to on-premises resources secured by Active Directory.
+
+### PIN Setup
+
+After a user signs in, this is the process that occurs to enroll in Windows Hello for Business:
+
+1. The user is prompted with a full screen page to use Windows Hello with the organization account. The user selects **OK**.
+1. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry.
+1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device.
+
+:::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business.":::
+
+### Sign-in
+
+Once a user has set up a PIN with cloud Kerberos trust, it can be used **immediately** for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity.
+
+## Migrate from key trust deployment model to cloud Kerberos trust
+
+If you deployed Windows Hello for Business using the key trust model, and want to migrate to the cloud Kerberos trust model, follow these steps:
+
+1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos).
+1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy).
+1. For hybrid Azure AD joined devices, sign out and sign in to the device using Windows Hello for Business.
+
+> [!NOTE]
+> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
+>
+> Without line of sight to a DC, even when the client is configured to use cloud Kerberos trust, the system will fall back to key trust if cloud Kerberos trust login fails.
+
+## Migrate from certificate trust deployment model to cloud Kerberos trust
+
+> [!IMPORTANT]
+> There is no *direct* migration path from a certificate trust deployment to a cloud Kerberos trust deployment. The Windows Hello container must be deleted before you can migrate to cloud Kerberos trust.
+
+If you deployed Windows Hello for Business using the certificate trust model, and want to use the cloud Kerberos trust model, you must redeploy Windows Hello for Business by following these steps:
+
+1. Disable the certificate trust policy.
+1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy).
+1. Remove the certificate trust credential using the command `certutil -deletehellocontainer` from the user context.
+1. Sign out and sign back in.
+1. Provision Windows Hello for Business using a method of your choice.
+
+> [!NOTE]
+> For hybrid Azure AD joined devices, users must perform the first sign-in with new credentials while having line of sight to a DC.
+
+## Frequently Asked Questions
+
+For a list of frequently asked questions about Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business Frequently Asked Questions](hello-faq.yml#cloud-kerberos-trust).
+
+
+
+[AZ-2]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azure-ad-kerberos-powershell-module
+[AZ-3]: /azure/active-directory/fundamentals/active-directory-how-to-find-tenant
+[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
+
+[MEM-1]: /mem/intune/protect/identity-protection-windows-settings
+[MEM-2]: /mem/intune/protect/security-baselines
+[MEM-3]: /mem/intune/configuration/custom-settings-configure
+[MEM-4]: /windows/client-management/mdm/passportforwork-csp
+[MEM-5]: /mem/intune/protect/endpoint-security-account-protection-policy
+[MEM-6]: /mem/intune/protect/identity-protection-configure
+[MEM-7]: /mem/intune/configuration/settings-catalog
+
+[TS-1]: /troubleshoot/windows-client/group-policy/create-and-manage-central-store
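Review bot: The migration steps in the "Migrate from key trust" and "Migrate from certificate trust" sections link to `#deploy-azure-ad-kerberos` and `#configure-windows-hello-for-business-policy`, but those headings belonged to the overview file this content was moved out of; confirm the new provision page defines both anchors, or point the links at the overview page. Two wording nits in the same region: "copy them their respective language folder" in "Update administrative templates" is missing "to" ("copy them to their respective language folder"), and the two migration notes hyphenate "first sign in" / "first sign-in" differently, as do "Hybrid Azure AD-joined" and "hybrid Azure AD joined" across the Provision section.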
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
index ce118ce681..d3f07a3668 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
@@ -1,16 +1,16 @@
---
title: Windows Hello for Business cloud Kerberos trust deployment
description: Learn how to deploy Windows Hello for Business in a cloud Kerberos trust scenario.
-ms.date: 11/1/2022
+ms.date: 02/24/2023
appliesto:
- ✅ Windows 10, version 21H2 and later
-ms.topic: article
+ms.topic: tutorial
---
# Cloud Kerberos trust deployment
[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-cloudkerb-trust.md)]
-Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This deployment guide provides the information to successfully deploy Windows Hello for Business in a *cloud Kerberos trust* scenario.
+Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in a *cloud Kerberos trust* scenario.
## Introduction to cloud Kerberos trust
@@ -19,7 +19,7 @@ The goal of Windows Hello for Business cloud Kerberos trust is to bring the simp
Windows Hello for Business cloud Kerberos trust uses *Azure AD Kerberos*, which enables a simpler deployment when compared to the *key trust model*:
- No need to deploy a public key infrastructure (PKI) or to change an existing PKI
-- No need to synchronize public keys between Azure AD and Active Directory for users to access on-premises resources. This means that there isn't delay between the user's WHFB provisioning and being able to authenticate to Active Directory
+- No need to synchronize public keys between Azure AD and Active Directory for users to access on-premises resources. There isn't any delay between the user's Windows Hello for Business provisioning, and being able to authenticate to Active Directory
- [Passwordless security key sign-in][AZ-1] can be deployed with minimal extra setup
> [!NOTE]
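Review bot: In the rewritten "No need to synchronize public keys" bullet, the comma in "provisioning, and being able to authenticate" splits one predicate; drop it so the sentence reads "between the user's Windows Hello for Business provisioning and being able to authenticate to Active Directory".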
@@ -30,7 +30,7 @@ Windows Hello for Business cloud Kerberos trust uses *Azure AD Kerberos*, which
*Key trust* and *certificate trust* use certificate authentication-based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust.
Cloud Kerberos trust uses Azure AD Kerberos, which doesn't require a PKI to request TGTs.\
-With Azure AD Kerberos, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by the on-premises Domain Controllers.
+With Azure AD Kerberos, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for sign-in or to access AD-based resources. The on-premises domain controllers are still responsible for Kerberos service tickets and authorization.
When Azure AD Kerberos is enabled in an Active Directory domain, an *Azure AD Kerberos server object* is created in the domain. This object:
@@ -69,187 +69,23 @@ The following scenarios aren't supported using Windows Hello for Business cloud
>
> To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object `CN=AzureADKerberos,OU=Domain Controllers,`.
-## Deployment steps
+## Next steps
-Deploying Windows Hello for Business cloud Kerberos trust consists of two steps:
+Once the prerequisites are met, deploying Windows Hello for Business with a cloud Kerberos trust model consists of the following steps:
-1. Set up Azure AD Kerberos
-1. Configure a Windows Hello for Business policy and deploy it to the devices
+> [!div class="checklist"]
+> * Deploy Azure AD Kerberos
+> * Configure Windows Hello for Business settings
+> * Provision Windows Hello for Business on Windows clients
-### Deploy Azure AD Kerberos
-
-If you've already deployed on-premises SSO for passwordless security key sign-in, then you've already deployed Azure AD Kerberos in your hybrid environment. You don't need to redeploy or change your existing Azure AD Kerberos deployment to support Windows Hello for Business and you can skip this section.
-
-If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enable passwordless security key sign-in to on-premises resources by using Azure AD][AZ-2] documentation. This page includes information on how to install and use the Azure AD Kerberos PowerShell module. Use the module to create an Azure AD Kerberos Server object for the domains where you want to use Windows Hello for Business cloud Kerberos trust.
-
-### Configure Windows Hello for Business policy
-
-After setting up the Azure AD Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
-
-#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
-
-Windows Hello for Business can be enabled using device enrollment or device configuration policy. Device enrollment policy is only applied at device enrollment time. Any modifications to the configuration in Intune won't apply to already enrolled devices. Device configuration policy is applied after device enrollment. Changes to this policy type in Intune are applied to already enrolled devices.
-
-The cloud Kerberos trust policy needs to be configured using a custom template and is configured separately from enabling Windows Hello from Business.
-
-### Enable Windows Hello for Business
-
-If you already enabled Windows Hello for Business, you can skip to **configure the cloud Kerberos trust policy**. Otherwise, follow the instructions at [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello) to create a Windows Hello for Business device enrollment policy.
-
-You can also follow these steps to create a device configuration policy instead of using the device enrollment policy:
-
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**.
-1. For Platform, select **Windows 10 and later**.
-1. For Profile Type, select **Templates** and select the **Identity Protection** Template.
-1. Name the profile with a familiar name. For example, "Windows Hello for Business".
-1. In **Configurations settings**, set the **Configure Windows Hello for Business** option to **Enable**.
-1. After setting Configure Windows Hello for Business to Enable, multiple policy options become available. These policies are optional to configure. More information on these policies is available in our documentation on managing [Windows Hello for Business in your organization](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business). We recommend setting **Use a Trusted Platform Module (TPM)** to **Enable**.
-
- [](./images/hello-intune-enable-large.png#lightbox)
-
-Assign the policy to a security group that contains as members the devices or users that you want to configure.
-
-Windows Hello for Business settings are also available in the settings catalog. For more information, see [Use the settings catalog to configure settings on Windows and macOS devices - preview](/mem/intune/configuration/settings-catalog).
-
-### Configure cloud Kerberos trust policy
-
-To configure the cloud Kerberos trust policy, follow the steps below:
-
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**.
-1. For Profile Type, select **Templates** and select the **Custom** Template.
-1. Name the profile with a familiar name. For example, "Windows Hello for Business cloud Kerberos trust".
-1. In Configuration Settings, add a new configuration with the following settings:
-
- | Setting |
- |--------|
- | - Name: **Windows Hello for Business cloud Kerberos trust** or another familiar name
- Description (optional): *Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO*
- OMA-URI: **`./Device/Vendor/MSFT/PassportForWork/`*\*`/Policies/UseCloudTrustForOnPremAuth`**
- Data type: **Boolean**
- Value: **True**
|
-
- >[!IMPORTANT]
- >*Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID][AZ-3] for instructions on looking up your tenant ID.
-
- [](./images/hello-cloud-trust-intune-large.png#lightbox)
-
-Assign the policy to a security group that contains as members the devices or users that you want to configure.
-
-#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
-
-Hybrid Azure AD joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business.
-
-The Enable Windows Hello for Business Group Policy setting is used by Windows to determine if a user should attempt to enroll a credential. A user will only attempt enrollment if this policy is configured to enabled.
-
-You can configure the Enable Windows Hello for Business Group Policy setting for computers or users. Deploying this policy setting to computers results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence.
-
-cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration.
-
-> [!NOTE]
-> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune][MEM-1] and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources).
-
-#### Update administrative templates
-
-You may need to update your Group Policy definitions to be able to configure the cloud Kerberos trust policy. You can copy the ADMX and ADML files from a Windows client that supports cloud Kerberos trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the *Passport.admx* and *Passport.adml* files.
-
-You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows][TS-1].
-
-#### Create the Windows Hello for Business group policy object
-
-You can configure Windows Hello for Business cloud Kerberos trust using a Group Policy Object (GPO).
-
-1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer objects in Active Directory
-1. Edit the Group Policy object from Step 1
-1. Expand **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**
-1. Select **Use Windows Hello for Business** > **Enable** > **OK**
-1. Select **Use cloud Kerberos trust for on-premises authentication** > **Enable** > **OK**
-1. *Optional, but recommended*: select **Use a hardware security device** > **Enable** > **OK**
-
----
-
-> [!IMPORTANT]
-> If the *Use certificate for on-premises authentication* policy is enabled, certificate trust will take precedence over cloud Kerberos trust. Ensure that the machines that you want to enable cloud Kerberos trust have this policy *not configured* or *disabled*.
-
-## Provision Windows Hello for Business
-
-The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business *cloud Kerberos trust* adds a prerequisite check for Hybrid Azure AD-joined devices when cloud Kerberos trust is enabled by policy.
-
-You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs** > **Microsoft** > **Windows**.\
-This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4].
-
- 
-
-The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust isn't being enforced by policy or if the device is Azure AD joined.
-
-> [!NOTE]
-> The cloud Kerberos trust prerequisite check isn't done on Azure AD-joined devices. If Azure AD Kerberos isn't provisioned, a user on an Azure AD joined device will still be able to sign in, but won't have SSO to on-premises resources secured by Active Directory.
-
-### PIN Setup
-
-This is the process that occurs after a user signs in, to enroll in Windows Hello for Business:
-
-1. The user is prompted with a full screen page to use Windows Hello with the organization account. The user selects **OK**
-1. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry
-1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
-
-:::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business.":::
-
-### Sign-in
-
-Once a user has set up a PIN with cloud Kerberos trust, it can be used **immediately** for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity.
-
-## Migrate from key trust deployment model to cloud Kerberos trust
-
-If you deployed Windows Hello for Business using the key trust model, and want to migrate to the cloud Kerberos trust model, follow these steps:
-
-1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos)
-1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy)
-1. For hybrid Azure AD joined devices, sign out and sign in to the device using Windows Hello for Business
-
-> [!NOTE]
-> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
->
-> Without line of sight to a DC, even when the client is configured to use cloud Kerberos trust, the system will fall back to key trust if cloud Kerberos trust login fails.
-
-## Migrate from certificate trust deployment model to cloud Kerberos trust
-
-> [!IMPORTANT]
-> There is no *direct* migration path from a certificate trust deployment to a cloud Kerberos trust deployment. The Windows Hello container must be deleted before you can migrate to cloud Kerberos trust.
-
-If you deployed Windows Hello for Business using the certificate trust model, and want to use the cloud Kerberos trust model, you must redeploy Windows Hello for Business by following these steps:
-
-1. Disable the certificate trust policy
-1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy)
-1. Remove the certificate trust credential using the command `certutil -deletehellocontainer` from the user context
-1. Sign out and sign back in
-1. Provision Windows Hello for Business using a method of your choice
-
-> [!NOTE]
-> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
-
-## Troubleshooting
-
-If you encounter issues or want to share feedback about Windows Hello for Business cloud Kerberos trust, share via the *Windows Feedback Hub* app by following these steps:
-
-1. Open **Feedback Hub**, and make sure that you're signed in
-1. Submit feedback by selecting the following categories:
- - Category: Security and Privacy
- - Subcategory: Windows Hello PIN
-
-## Frequently Asked Questions
-
-For a list of frequently asked questions about Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business Frequently Asked Questions](hello-faq.yml#cloud-kerberos-trust).
+> [!div class="nextstepaction"]
+> [Next: configure and provision Windows Hello for Business >](hello-hybrid-cloud-kerberos-trust-provision.md)
[AZ-1]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises
-[AZ-2]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azure-ad-kerberos-powershell-module
-[AZ-3]: /azure/active-directory/fundamentals/active-directory-how-to-find-tenant
-[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
-
-[MEM-1]: /mem/intune/protect/identity-protection-windows-settings
[SERV-1]: /windows-server/administration/performance-tuning/role/active-directory-server/capacity-planning-for-active-directory-domain-services
[SUP-1]: https://support.microsoft.com/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e
-[SUP-2]: https://support.microsoft.com/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f
-
-[TS-1]: /troubleshoot/windows-client/group-policy/create-and-manage-central-store
+[SUP-2]: https://support.microsoft.com/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f
\ No newline at end of file
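Review bot: The Troubleshooting section (Feedback Hub, category Security and Privacy, subcategory Windows Hello PIN) is deleted here but does not reappear in the new provision page in this patch, which ends at the FAQ section; either carry it over to the provision page or note in the commit that it is dropped on purpose. Separately, the `[SUP-2]` reference line is rewritten only to lose its trailing newline ("\ No newline at end of file"); restore the newline so the file ends cleanly and the line shows no spurious change.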
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md
index a165084a61..73c27e5835 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md
@@ -35,12 +35,12 @@ There are different ways to enable and configure Windows Hello for Business in I
To check the Windows Hello for Business policy applied at enrollment time:
-1. Sign in to the Microsoft Endpoint Manager admin center
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Devices** > **Windows** > **Windows Enrollment**
1. Select **Windows Hello for Business**
1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured
-:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Endpoint Manager admin center." border="true" lightbox="images/whfb-intune-disable.png":::
+:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="images/whfb-intune-disable.png":::
If the tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). Otherwise, follow the instructions below to create a policy using an *account protection* policy.
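Review bot: The rewritten first step "Sign in to the [Microsoft Intune admin center](...)." ends with a period while the sibling steps in the same numbered list have none; match the list's punctuation. The image line also drops `border="true"` alongside the alt-text rename; confirm the border removal is intended rather than incidental.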
@@ -48,7 +48,7 @@ If the tenant-wide policy is enabled and configured to your needs, you can skip
To configure Windows Hello for Business using an *account protection* policy:
-1. Go to the Microsoft Endpoint Manager admin center
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Endpoint security** > **Account protection**
1. Select **+ Create Policy**
1. For *Platform**, select **Windows 10 and later** and for *Profile* select **Account protection**
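Review bot: Same trailing-period inconsistency as the earlier list: "Go to the [Microsoft Intune admin center](...)." ends with a period, the following steps do not. While this list is being touched, the unchanged context line "For *Platform**, select" has unbalanced asterisks and should read "For *Platform*, select".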
@@ -62,7 +62,7 @@ To configure Windows Hello for Business using an *account protection* policy:
1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
1. Review the policy configuration and select **Create**
-:::image type="content" source="images/whfb-intune-account-protection-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Endpoint Manager admin center using an account protection policy." border="true" lightbox="images/whfb-intune-account-protection-enable.png":::
+:::image type="content" source="images/whfb-intune-account-protection-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-enable.png":::
#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
index 0efcd603a1..1d36c9e14c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
+++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
@@ -16,6 +16,8 @@ Although the organization may require users to change their Active Directory or
People who are currently using virtual or physical smart cards for authentication can use their virtual smart card to verify their identity when they set up Hello.
+[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
+
## On devices owned by the organization
When someone sets up a new device, they are prompted to choose who owns the device. For corporate devices, they select **This device belongs to my organization**.
@@ -40,9 +42,7 @@ People can go to **Settings** > **Accounts** > **Work or school**, select
If your policy allows it, people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business, if the hardware supports it.
-
-
-
+:::image type="content" alt-text="This screenshot shows account sign-in options to windows, apps, and services using fingerprint or face." source="images/hellosettings.png":::
## Related topics
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-intune-enable-large.png b/windows/security/identity-protection/hello-for-business/images/hello-intune-enable-large.png
deleted file mode 100644
index ef99144042..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-intune-enable-large.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-intune-enable.png b/windows/security/identity-protection/hello-for-business/images/hello-intune-enable.png
deleted file mode 100644
index edcbe0ec34..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-intune-enable.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
index ee40135695..77c3a38b65 100644
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -26,31 +26,47 @@
- name: Hybrid deployments
items:
- name: Cloud Kerberos trust deployment
- href: hello-hybrid-cloud-kerberos-trust.md
+ items:
+ - name: Overview
+ href: hello-hybrid-cloud-kerberos-trust.md
+ displayName: cloud Kerberos trust
+ - name: Configure and provision Windows Hello for Business
+ href: hello-hybrid-cloud-kerberos-trust-provision.md
+ displayName: cloud Kerberos trust
- name: Key trust deployment
items:
- name: Overview
href: hello-hybrid-key-trust.md
+ displayName: key trust
- name: Configure and validate the PKI
href: hello-hybrid-key-trust-validate-pki.md
+ displayName: key trust
- name: Configure and provision Windows Hello for Business
href: hello-hybrid-key-trust-provision.md
+ displayName: key trust
- name: Configure SSO for Azure AD joined devices
href: hello-hybrid-aadj-sso.md
+ displayName: key trust
- name: Certificate trust deployment
items:
- name: Overview
href: hello-hybrid-cert-trust.md
+ displayName: certificate trust
- name: Configure and validate the PKI
href: hello-hybrid-cert-trust-validate-pki.md
+ displayName: certificate trust
- name: Configure AD FS
href: hello-hybrid-cert-whfb-settings-adfs.md
+ displayName: certificate trust
- name: Configure and provision Windows Hello for Business
href: hello-hybrid-cert-whfb-provision.md
+ displayName: certificate trust
- name: Configure SSO for Azure AD joined devices
href: hello-hybrid-aadj-sso.md
+ displayName: certificate trust
- name: Deploy certificates to Azure AD joined devices
href: hello-hybrid-aadj-sso-cert.md
+ displayName: certificate trust
- name: On-premises deployments
items:
- name: Key trust deployment
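Review bot: `hello-hybrid-aadj-sso.md` is listed twice in this hunk (under "Key trust deployment" and under "Certificate trust deployment") and now carries two conflicting `displayName` values, `key trust` and `certificate trust`. Because `displayName` feeds the TOC filter, the same page will surface with a different hint depending on which entry matches; give both entries one combined value (for example `displayName: key trust, certificate trust`) or collapse them into a single entry. The new "Cloud Kerberos trust deployment" node also changes from a bare `href` to an `items` list with an "Overview" child, so check that any existing deep links into `hello-hybrid-cloud-kerberos-trust.md` still resolve with the new `hello-hybrid-cloud-kerberos-trust-provision.md` sibling.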
diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md
index c42735cfe2..dc71f52903 100644
--- a/windows/security/identity-protection/index.md
+++ b/windows/security/identity-protection/index.md
@@ -16,7 +16,9 @@ ms.technology: itpro-security
# Identity and access management
-Learn more about identity and access management technologies in Windows 10 and Windows 11.
+Learn more about identity and access management technologies in Windows.
+
+[!INCLUDE [virtual-smart-card-deprecation-notice](../includes/virtual-smart-card-deprecation-notice.md)]
| Section | Description |
|-|-|
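Review bot: the new line pulls in `../includes/virtual-smart-card-deprecation-notice.md`, but this diff does not add that file; confirm it exists under `windows/security/includes/`, because the smart-card pages below include the same notice via `../../includes/` and both relative paths must resolve to the one file or the build will fail on one of them.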
diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
index 9ba3ee5da6..d5912c3e8d 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
@@ -1,20 +1,12 @@
---
title: Smart Card Technical Reference (Windows)
description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
ms.reviewer: ardenw
-manager: aaroncz
ms.topic: article
-ms.localizationpriority: medium
ms.date: 09/24/2021
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
ms.technology: itpro-security
---
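Review bot: `ms.date: 09/24/2021` is left untouched even though the body of this page changes in the next hunk; bump it as the deploy page does (`02/22/2023`). The front matter is also trimmed inconsistently across the two files in this diff: here `ms.prod`, `author`, `ms.author`, `manager` and `ms.localizationpriority` are removed but `ms.technology: itpro-security` stays, while the deploy page drops `ms.technology` as well. If those fields are now inherited from the global docfx config, remove `ms.technology` here too; if not, restore it on the deploy page.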
@@ -44,7 +36,9 @@ Smart cards provide:
Smart cards can be used to sign in to domain accounts only, not local accounts. When you use a password to sign in interactively to a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates.
-**Virtual smart cards** were introduced in Windows Server 2012 and Windows 8 to alleviate the need for a physical smart card, the smart card reader, and the associated administration of that hardware. For information about virtual smart card technology, see [Virtual Smart Card Overview](../virtual-smart-cards/virtual-smart-card-overview.md).
+**Virtual smart cards** were introduced in Windows Server 2012 and Windows 8 to alleviate the need for a physical smart card, the smart card reader, and the associated administration of that hardware.
+
+[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
## In this technical reference
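Review bot: the rewritten paragraph drops the sentence that linked to [Virtual Smart Card Overview](../virtual-smart-cards/virtual-smart-card-overview.md), so this section introduces virtual smart cards without pointing readers at their documentation. Unless the deprecation include carries that link itself, keep the cross-reference after the include; a deprecation notice and a link to the overview are not mutually exclusive.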
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
index a29f378683..63ac28b3e9 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
@@ -1,30 +1,24 @@
---
-title: Deploy Virtual Smart Cards (Windows 10)
-description: This topic for the IT professional discusses the factors to consider when you deploy a virtual smart card authentication solution.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 04/19/2017
-appliesto:
- - ✅ Windows 10
- - ✅ Windows Server 2016
-ms.technology: itpro-security
+title: Deploy Virtual Smart Cards
+description: Learn about what to consider when deploying a virtual smart card authentication solution
+ms.topic: conceptual
+ms.date: 02/22/2023
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
---
# Deploy Virtual Smart Cards
-Applies To: Windows 10, Windows Server 2016
+[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
-This topic for the IT professional discusses the factors to consider when you deploy a virtual smart card authentication solution.
+This article discusses the factors to consider when you deploy a virtual smart card authentication solution.
Traditional identity devices, such as physical smart cards, follow a predictable lifecycle in any deployment, as shown in the following diagram.

-Physical devices are created by a dedicated manufacturer and then purchased by the corporation that will ultimately deploy it. The device passes through the personalization stage, where its unique properties are set. In smart cards, these properties are the administrator key, Personal Identification Number (PIN), PIN Unlock Key (PUK), and its physical appearance. To provision the device, it is loaded with the required certificates, such as a sign-in certificate. After you provision the device, it is ready for use. The device must simply be maintained. For example, you must replace cards when they are lost or stolen and reset PINs when users forget them. Finally, you’ll retire devices when they exceed their intended lifetime or when employees leave the company.
+A device manufacturer creates physical devices, and then an organization purchase and deploy them. The device passes through the personalization stage, where its unique properties are set. In smart cards, these properties are the *administrator key*, *Personal Identification Number (PIN)*, *PIN Unlock Key (PUK)*, and its physical appearance. During the device provisioning phase, the required certificates are installed, such as a sign-in certificate. After you provision the device, it's ready for use. You'll maintain the device, for example you may replace cards when they're lost or stolen, or reset PINs when users forget them. Finally, you'll retire devices when they exceed their intended lifetime or when employees leave the company.
This topic contains information about the following phases in a virtual smart card lifecycle:
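Review bot: subject-verb agreement in the rewritten lifecycle paragraph: "an organization purchase and deploy them" should read "an organization purchases and deploys them". The unchanged context line right after the hunk still says "This topic contains information about the following phases", while the line above it was changed from "This topic" to "This article"; update it to match. Front-matter changes (`ms.topic: conceptual`, "Windows 10 and later" / "Windows Server 2016 and later", replacing the inline "Applies To" line with the deprecation include) look right.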
@@ -44,94 +38,90 @@ The TPM Provisioning Wizard, which is launched from the **TPM Management Console
When you create virtual smart cards, consider the following actions in the TPM:
-- **Enable and Activate**: TPMs are built in to many industry ready computers, but they often are not enabled and activated by default. In some cases, the TPM must be enabled and activated through the BIOS. For more information, see Initialize and Configure Ownership of the TPM.
+- **Enable and Activate**: TPMs are built into many devices. In some cases, the TPM must be enabled and activated through the BIOS
+- **Take ownership**: When you provision the TPM, you set an owner password for managing the TPM in the future, and you establish the *storage root key*. To provide anti-hammering protection for virtual smart cards, the user or a domain administrator must be able to reset the TPM owner password. For corporate use of TPM virtual smart cards, the domain administrator should restrict access to the TPM owner password by storing it in Active Directory, and not in the local registry. When TPM ownership is set, you must clear and reinitialize the TPM
+- **Manage**: You can manage ownership of a virtual smart card by changing the owner password, and you can manage anti-hammering logic by resetting the lockout time
-- **Take ownership**: When you provision the TPM, you set an owner password for managing the TPM in the future, and you establish the storage root key. To provide anti-hammering protection for virtual smart cards, the user or a domain administrator must be able to reset the TPM owner password.
- For corporate use of TPM virtual smart cards, we recommend that the corporate domain administrator restrict access to the TPM owner password by storing it in Active Directory, not in the local registry. When TPM ownership is set in Windows Vista, the TPM needs to be cleared and reinitialized. For more information, see Trusted Platform Module Technology Overview.
-
-- **Manage**: You can manage ownership of a virtual smart card by changing the owner password, and you can manage anti-hammering logic by resetting the lockout time. For more information, see Manage TPM Lockout.
-
-A TPM might operate in reduced functionality mode. This could occur, for example, if the operating system cannot determine if the owner password is available to the user. In those cases, the TPM can be used to create a virtual smart card, but it is strongly recommended to bring the TPM to a fully ready state so that any unexpected circumstances will not leave the user blocked from using the computer.
+A TPM might operate in reduced functionality mode, which may occur if the operating system can't determine if the owner password is available to the user. During reduce functionality mode, you can use the TPM to create a virtual smart card, but it's preferable to bring the TPM to a fully ready state so that any unexpected circumstances won't leave the user blocked from using the device.
Those smart card deployment management tools that require a status check of a TPM before attempting to create a TPM virtual smart card can do so using the TPM WMI interface.
-Depending on the setup of the computer that is designated for installing TPM virtual smart cards, it might be necessary to provision the TPM before continuing with the virtual smart card deployment. For more information about provisioning, see [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md).
+Depending on the setup of the device designated for installing TPM virtual smart cards, it may be necessary to provision the TPM before continuing with the virtual smart card deployment. For more information about provisioning, see [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md).
For more information about managing TPMs by using built-in tools, see Trusted Platform Module Services Group Policy Settings.
### Creation
-A TPM virtual smart card simulates a physical smart card, and it uses the TPM to provide the same functionality as physical smart card hardware. A virtual smart card appears within the operating system as a physical smart card that is always inserted. Supported versions of the Windows operating system present a virtual smart card reader and virtual smart card to applications with the same interface as physical smart cards, but messages to and from the virtual smart card are translated to TPM commands. This process ensures the integrity of the virtual smart card through the three properties of smart card security:
+A TPM virtual smart card simulates a physical smart card, using the TPM to provide the same functionality as physical smart card hardware.\
+A virtual smart card appears within the operating system as a physical smart card that is always inserted. Windows presents a *virtual smart card reader* and a *virtual smart card* to applications using the same interface as physical smart cards. The messages to and from the virtual smart card are translated to TPM commands, ensuring the integrity of the virtual smart card through the three properties of smart card security:
-- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it cannot be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user cannot reverse engineer an identical TPM or install the same TPM on a different computer.
+- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it can't be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user can't reverse engineer an identical TPM or install the same TPM on a different computer.
For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
-- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that is offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM.
+- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that is offered by physical smart cards, which is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM.
-- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for a period of time instead of blocking the card. This is also known as lockout.
- For more information, see [Blocked virtual smart card](#blocked-virtual-smart-card) and [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
+- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for some time instead of blocking the card. This is also known as lockout.
+ For more information, see [Blocked virtual smart card](#blocked-virtual-smart-card) and [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
-There are several options for creating virtual smart cards, depending on the size of the deployment and budget of the organization. The lowest cost option is using Tpmvscmgr.exe to create cards individually on users’ computers. Alternatively, a virtual smart card management solution can be purchased to more easily accomplish virtual smart card creation on a larger scale and aid in further phases of deployment. Virtual smart cards can be created on computers that are to be provisioned for an employee or on those that are already in an employee’s possession. In either approach, there should be some central control over personalization and provisioning. If a computer is intended for use by multiple employees, multiple virtual smart cards can be created on a computer.
+There are several options for creating virtual smart cards, depending on the size of the deployment and budget of the organization. The lowest cost option is using `tpmvscmgr.exe` to create cards individually on users' computers. Alternatively, a virtual smart card management solution can be purchased to more easily accomplish virtual smart card creation on a larger scale and aid in further phases of deployment. Virtual smart cards can be created on computers that are to be provisioned for an employee or on those that are already in an employee's possession. In either approach, there should be some central control over personalization and provisioning. If a computer is intended for use by multiple employees, multiple virtual smart cards can be created on a computer.
For information about the TPM Virtual Smart Card command-line tool, see [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md).
### Personalization
-During virtual smart card personalization, the values for the administrator key, PIN, and PUK are assigned. As with a physical card, knowing the administrator key is important for resetting the PIN or for deleting the card in the future. (If a PUK is set, the administrator key can no longer be used to reset the PIN.)
+During virtual smart card personalization, the values for the administrator key, PIN, and PUK are assigned. As with a physical card, knowing the administrator key is important for resetting the PIN or for deleting the card in the future. (If you set a PUK, you can't use the administrator key to reset the PIN.)
-Because the administrator key is critical to the security of the card, it is important to consider the deployment environment and decide on the proper administrator key setting strategy. Options for these strategies include:
+Because the administrator key is critical to the security of the card, it's important to consider the deployment environment and decide on the proper administrator key setting strategy. Options for these strategies include:
-- **Uniform**: Administrator keys for all the virtual smart cards that are deployed in the organization are the same. Although this makes the maintenance infrastructure easy (only one key needs to be stored), it is highly insecure. This strategy might be sufficient for very small organizations, but if the administrator key is compromised, all virtual smart cards that use this key must be reissued.
+- **Uniform**: Administrator keys for all the virtual smart cards deployed in the organization are the same. Although using the same key makes the maintenance infrastructure easy (only one key needs to be stored), it's highly insecure. This strategy might be sufficient for small organizations, but if the administrator key is compromised, all virtual smart cards that use the key must be reissued.
-- **Random, not stored**: Administrator keys are assigned randomly for all virtual smart cards, and they are not recorded. This is a valid option if the deployment administrators do not require the ability to reset PINs, and instead prefer to delete and reissue virtual smart cards. This could also be a viable strategy if the administrator prefers to set PUK values for the virtual smart cards and then use this value to reset PINs, if necessary.
+- **Random, not stored**: Administrator keys are assigned randomly for all virtual smart cards, and they aren't recorded. This is a valid option if the deployment administrators don't require the ability to reset PINs, and instead prefer to delete and reissue virtual smart cards. This is a viable strategy if the administrator prefers to set PUK values for the virtual smart cards and then use this value to reset PINs, if necessary.
-- **Random, stored**: Administrator keys are assigned randomly and stored in a central location. Each card’s security is independent of the others. This is secure on a large scale unless the administrator key database is compromised.
+- **Random, stored**: you assign the administrator keys randomly, storing them in a central location. Each card's security is independent of the others. This is a secure strategy on a large scale, unless the administrator key database is compromised.
-- **Deterministic**: Administrator keys are the result of some function or known information. For example, the user ID could be used to randomly generate data that can be further processed through a symmetric encryption algorithm by using a secret. This administrator key can be similarly regenerated when needed, and it does not need to be stored. The security of this method relies on the security of the secret used.
+- **Deterministic**: Administrator keys are the result of some function or known information. For example, the user ID could be used to randomly generate data that can be further processed through a symmetric encryption algorithm by using a secret. This administrator key can be similarly regenerated when needed, and it doesn't need to be stored. The security of this method relies on the security of the secret used.
-Although the PUK and the administrator key methodologies provide unlocking and resetting functionality, they do so in different ways. The PUK is a PIN that is simply entered on the computer to enable a user PIN reset.
+Although the PUK and the administrator key methodologies provide unlocking and resetting functionality, they do so in different ways. The PUK is a PIN that is entered on the computer to enable a user PIN reset.
-The administrator key methodology takes a challenge-response approach. The card provides a set of random data after users verify their identity to the deployment administrator. The administrator then encrypts the data with the administrator key and gives the encrypted data back to the user. If the encrypted data matches that produced by the card during verification, the card will allow PIN reset. Because the administrator key is never accessible by anyone other than the deployment administrator, it cannot be intercepted or recorded by any other party (including employees). This provides significant security benefits beyond using a PUK, an important consideration during the personalization process.
+The administrator key methodology takes a challenge-response approach. The card provides a set of random data after users verify their identity to the deployment administrator. The administrator then encrypts the data with the administrator key and gives the encrypted data back to the user. If the encrypted data matches that produced by the card during verification, the card will allow PIN reset. Because the administrator key is never accessible by anyone other than the deployment administrator, it can't be intercepted or recorded by any other party (including employees). This provides significant security benefits beyond using a PUK, an important consideration during the personalization process.
-TPM virtual smart cards can be personalized on an individual basis when they are created with the Tpmvscmgr command-line tool. Or organizations can purchase a management solution that can incorporate personalization into an automated routine. An additional advantage of such a solution is the automated creation of administrator keys. Tpmvscmgr.exe allows users to create their own administrator keys, which can be detrimental to the security of the virtual smart cards.
+TPM virtual smart cards can be personalized on an individual basis when they're created with the Tpmvscmgr command-line tool. Or organizations can purchase a management solution that can incorporate personalization into an automated routine. Another advantage of such a solution is the automated creation of administrator keys. Tpmvscmgr.exe allows users to create their own administrator keys, which can be detrimental to the security of the virtual smart cards.
## Provision virtual smart cards
-Provisioning is the process of loading specific credentials onto a TPM virtual smart card. These credentials consist of certificates that are created to give users access to a specific service, such as domain sign in. A maximum of 30 certificates is allowed on each virtual smart card. As with physical smart cards, several decisions must be made regarding the provisioning strategy, based on the environment of the deployment and the desired level of security.
+Provisioning is the process of loading specific credentials onto a TPM virtual smart card. These credentials consist of certificates that are created to give users access to a specific service, such as domain sign-in. A maximum of 30 certificates is allowed on each virtual smart card. As with physical smart cards, several decisions must be made regarding the provisioning strategy, based on the environment of the deployment and the desired level of security.
-A high-assurance level of secure provisioning requires absolute certainty about the identity of the individual who is receiving the certificate. Therefore, one method of high-assurance provisioning is utilizing previously provisioned strong credentials, such as a physical smart card, to validate identity during provisioning. In-person proofing at enrollment stations is another option, because an individual can easily and securely prove his or her identity with a passport or driver’s license, although this can become infeasible on a larger scale. To achieve a similar level of assurance, a large organization can implement an “enroll-on-behalf-of” strategy, in which employees are enrolled with their credentials by a superior who can personally verify their identities. This creates a chain of trust that ensures individuals are checked in person against their proposed identities, but without the administrative strain of provisioning all virtual smart cards from a single central enrollment station.
+A high-assurance level of secure provisioning requires absolute certainty about the identity of the individual who is receiving the certificate. Therefore, one method of high-assurance provisioning is utilizing previously provisioned strong credentials, such as a physical smart card, to validate identity during provisioning. In-person proofing at enrollment stations is another option, because an individual can easily and securely prove his or her identity with a passport or driver's license, although this can become infeasible on a larger scale. To achieve a similar level of assurance, a large organization can implement an "enroll-on-behalf-of" strategy, in which employees are enrolled with their credentials by a superior who can personally verify their identities. This creates a chain of trust that ensures individuals are checked in person against their proposed identities, but without the administrative strain of provisioning all virtual smart cards from a single central enrollment station.
-For deployments in which a high-assurance level is not a primary concern, you can use self-service solutions. These can include using an online portal to obtain credentials or simply enrolling for certificates by using Certificate Manager, depending on the deployment. Consider that virtual smart card authentication is only as strong as the method of provisioning. For example, if weak domain credentials (such as a password alone) are used to request the authentication certificate, virtual smart card authentication will be equivalent to using only the password, and the benefits of two-factor authentication are lost.
+For deployments in which a high-assurance level isn't a primary concern, you can use self-service solutions. These can include using an online portal to obtain credentials or simply enrolling for certificates by using Certificate Manager, depending on the deployment. Consider that virtual smart card authentication is only as strong as the method of provisioning. For example, if weak domain credentials (such as a password alone) are used to request the authentication certificate, virtual smart card authentication will be equivalent to using only the password, and the benefits of two-factor authentication are lost.
For information about using Certificate Manager to configure virtual smart cards, see [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md).
-High-assurance and self-service solutions approach virtual smart card provisioning by assuming that the user’s computer has been issued prior to the virtual smart card deployment, but this is not always the case. If virtual smart cards are being deployed with new computers, they can be created, personalized, and provisioned on the computer before the user has contact with that computer.
+High-assurance and self-service solutions approach virtual smart card provisioning by assuming that the user's computer has been issued prior to the virtual smart card deployment, but this isn't always the case. If virtual smart cards are being deployed with new computers, they can be created, personalized, and provisioned on the computer before the user has contact with that computer.
In this situation, provisioning becomes relatively simple, but identity checks must be put in place to ensure that the recipient of the computer is the individual who was expected during provisioning. This can be accomplished by requiring the employee to set the initial PIN under the supervision of the deployment administrator or manager.
-When you are provisioning your computers, you should also consider the longevity of credentials that are supplied for virtual smart cards. This choice must be based on the risk threshold of the organization. Although longer lived credentials are more convenient, they are also more likely to become compromised during their lifetime. To decide on the appropriate lifetime for credentials, the deployment strategy must take into account the vulnerability of their cryptography (how long it could take to crack the credentials), and the likelihood of attack.
+When you're provisioning your computers, you should also consider the longevity of credentials that are supplied for virtual smart cards. This choice must be based on the risk threshold of the organization. Although longer lived credentials are more convenient, they're also more likely to become compromised during their lifetime. To decide on the appropriate lifetime for credentials, the deployment strategy must take into account the vulnerability of their cryptography (how long it could take to crack the credentials), and the likelihood of attack.
-If a virtual smart card is compromised, administrators should be able to revoke the associated credentials, like they would with a lost or stolen laptop. This requires a record of which credentials match which user and computer, which is functionality that does not exist natively in Windows. Deployment administrators might want to consider add-on solutions to maintain such a record.
+For compromised virtual smart cards, administrators should be able to revoke the associated credentials, like they would with a lost or stolen laptop. Revoking credentials requires a record of which credentials match which user and device, but the functionality doesn't natively exist in Windows. Deployment administrators might want to consider add-on solutions to maintain a record.
### Virtual smart cards on consumer devices used for corporate access
-There are techniques that allow employees to provision virtual smart cards and enroll for certificates that can be used to authenticate the users. This is useful when employees attempt to access corporate resources from devices that are not joined to the corporate domain. Those devices can be further defined to not allow users to download and run applications from sources other than the Windows Store (for example, devices running Windows RT).
+There are techniques that allow employees to provision virtual smart cards and enroll for certificates that can be used to authenticate the users. This is useful when employees attempt to access corporate resources from devices that aren't joined to the corporate domain. Those devices can be further defined to not allow users to download and run applications from sources other than the Microsoft Store.
-You can use APIs that were introduced in Windows Server 2012 R2 and Windows 8.1 to build Windows Store apps that you can use to manage the full lifecycle of virtual smart cards. For more information, see [Create and delete virtual smart cards programmatically](virtual-smart-card-use-virtual-smart-cards.md#create-and-delete-virtual-smart-cards-programmatically).
+You can use APIs to build Microsoft Store apps that you can use to manage the full lifecycle of virtual smart cards. For more information, see [Create and delete virtual smart cards programmatically](virtual-smart-card-use-virtual-smart-cards.md#create-and-delete-virtual-smart-cards-programmatically).
#### TPM ownerAuth in the registry
-When a device or computer is not joined to a domain, the TPM ownerAuth is stored in the registry under HKEY\_LOCAL\_MACHINE. This exposes some threats. Most of the threat vectors are protected by BitLocker, but threats that are not protected include:
+When a device or computer isn't joined to a domain, the TPM ownerAuth is stored in the registry under HKEY\_LOCAL\_MACHINE. This exposes some threats. Most of the threat vectors are protected by BitLocker, but threats that aren't protected include:
- A malicious user possesses a device that has an active local sign-in session before the device locks. The malicious user could attempt a brute-force attack on the virtual smart card PIN, and then access the corporate secrets.
- A malicious user possesses a device that has an active virtual private network (VPN) session. The device is then compromised.
-The proposed mitigation for the previous scenarios is to use Exchange ActiveSync (EAS) policies to reduce the automatic lockout time from five minutes to 30 seconds of inactivity. Policies for automatic lockout can be set while provisioning virtual smart cards. If an organization wants more security, they can also configure a setting to remove the ownerAuth from the local device.
+The proposed mitigation for the previous scenarios is to use Exchange ActiveSync (EAS) policies to reduce the automatic lockout time from five minutes to 30 seconds of inactivity. You can set policies for automatic lockout while provisioning virtual smart cards. If an organization wants more security, they can also configure a setting to remove the ownerAuth from the local device.
-For configuration information about the TPM ownerAuth registry key, see the Group Policy setting Configure the level of TPM owner authorization information available to the operating system.
-
-
+For configuration information about the TPM ownerAuth registry key, see the Group Policy setting **Configure the level of TPM owner authorization information** available to the operating system.
For information about EAS policies, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
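Review bot: the bold on the Group Policy setting name stops too early. The setting is named "Configure the level of TPM owner authorization information available to the operating system", so the closing `**` belongs after "operating system", not after "information": `see the Group Policy setting **Configure the level of TPM owner authorization information available to the operating system**.` As written, the rendered text makes "available to the operating system" look like part of the sentence rather than the setting. While touching this paragraph, "This exposes some threats" reads oddly; "This exposes the device to some threats" and "threats that aren't mitigated include" (BitLocker mitigates threats rather than protecting them) would be clearer.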
@@ -139,12 +129,10 @@ For information about EAS policies, see [Exchange ActiveSync Policy Engine Overv
The following table describes the important differences between managed and unmanaged virtual smart cards that exist on consumer devices:
-
-
-| Operation | [Managed and unmanaged cards](virtual-smart-card-deploy-virtual-smart-cards.md#managed-and-unmanaged-cards) | [Unmanaged cards](virtual-smart-card-deploy-virtual-smart-cards.md#unmanaged-cards) |
-|-----------------------------------------|--------------|----|
-| Reset PIN when the user forgets the PIN | Yes | No, the card has to be deleted and created again. |
-| Allow user to change the PIN | Yes | No, the card has to be deleted and created again. |
+| Operation | [Managed and unmanaged cards](virtual-smart-card-deploy-virtual-smart-cards.md#managed-and-unmanaged-cards) | [Unmanaged cards](virtual-smart-card-deploy-virtual-smart-cards.md#unmanaged-cards) |
+|---|---|---|
+| Reset PIN when the user forgets the PIN | Yes | No. Delete and recreate the card. |
+| Allow user to change the PIN | Yes | No. Delete and recreate the card. |
## Managed cards
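Review bot: the first data column is headed "Managed and unmanaged cards" but only reports managed-card behavior ("Yes" for both operations); the unmanaged behavior has its own column. Consider retitling the header "Managed cards" while keeping the existing link target, so the table's columns match the "differences between managed and unmanaged" framing in the introductory sentence.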
@@ -152,7 +140,7 @@ A managed virtual smart card can be serviced by the IT administrator or another
### Managed card creation
-A user can create blank virtual smart card by using the Tpmvscmgr command-line tool, which is a built-in tool that is run with administrative credentials through an elevated command prompt. This virtual smart card needs to be created with well-known parameters (such as default values), and it should be left unformatted (specifically, the **/generate** option should not be specified).
+A user can create blank virtual smart card by using the *Tpmvscmgr* command-line tool, which is a built-in tool executed with administrative credentials through an elevated command prompt. The virtual smart card must be created with well-known parameters (such as default values), and it should be left unformatted (specifically, the **/generate** option shouldn't be specified).
The following command creates a virtual smart card that can later be managed by a smart card management tool launched from another computer (as explained in the next section):
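Review bot: missing article in the rewritten line: "A user can create blank virtual smart card" should be "A user can create a blank virtual smart card". Also, the tool name is italicized here (*Tpmvscmgr*) but appears as inline code (`tpmvscmgr.exe`) in the commands that follow; pick one convention for the tool name throughout the section.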
@@ -162,7 +150,7 @@ Alternatively, instead of using a default administrator key, a user can enter an
`tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /AdminKey PROMPT /PIN PROMPT`
-In either case, the card management system needs to be aware of the initial administrator key that is used so that it can take ownership of the virtual smart card and change the administrator key to a value that is only accessible through the card management tool operated by the IT administrator. For example, when the default value is used, the administrator key is set to:
+In either case, the card management system needs to be aware of the initial administrator key. The requirement is so that the card management system can take ownership of the virtual smart card and change the administrator key to a value that is only accessible through the card management tool operated by the IT administrator. For example, when you use the default, the administrator key is set to:
`10203040506070801020304050607080102030405060708`
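Review bot: "The requirement is so that the card management system can take ownership..." is awkward; the original "so that it can take ownership" was clearer. Suggest: "In either case, the card management system needs to know the initial administrator key so that it can take ownership of the virtual smart card and change the key to a value accessible only through the card management tool operated by the IT administrator." Separately, the unchanged context line shows the default key as 47 hex digits, which is an odd count and therefore not a whole-byte value; the default administrator key is the byte sequence 01 through 08 repeated three times, so the leading 0 appears to have been dropped. Worth correcting while this paragraph is being edited.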
@@ -180,7 +168,7 @@ Similar to physical smart cards, virtual smart cards require certificate enrollm
#### Certificate issuance
-Users can enroll for certificates from within a remote desktop session that is established to provision the card. This process can also be managed by the smart card management tool that the user runs through the remote desktop connection. This model works for deployments that require the user to sign a request for enrollment by using a physical smart card. The driver for the physical smart card does not need to be installed on the client computer if it is installed on the remote computer. This is made possible by smart card redirection functionality that was introduced in Windows Server 2003, which ensures that smart cards that are connected to the client computer are available for use during a remote session.
+Users can enroll for certificates from within a remote desktop session that is established to provision the card. This process can also be managed by the smart card management tool that the user runs through the remote desktop connection. This model works for deployments that require the user to sign a request for enrollment by using a physical smart card. The driver for the physical smart card doesn't need to be installed on the client computer if it's installed on the remote computer. This is made possible by smart card redirection functionality that was introduced in Windows Server 2003, which ensures that smart cards that are connected to the client computer are available for use during a remote session.
Alternatively, without establishing a remote desktop connection, users can enroll for certificates from the Certificate Management console (certmgr.msc) on a client computer. Users can also create a request and submit it to a server from within a custom certificate enrollment application (for example, a registration authority) that has controlled access to the certification authority (CA). This requires specific enterprise configuration and deployments for Certificate Enrollment Policies (CEP) and Certificate Enrollment Services (CES).
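Review bot: this hunk keeps "smart card redirection functionality that was introduced in Windows Server 2003" while earlier hunks in the same file drop version references of this kind (for example, the Windows Server 2012 R2 and Windows 8.1 mention in the APIs paragraph). For consistency, consider trimming to "This is made possible by smart card redirection, which ensures that smart cards connected to the client computer are available during a remote session."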
@@ -188,11 +176,11 @@ Alternatively, without establishing a remote desktop connection, users can enrol
You can renew certificates through remote desktop connections, certificate enrollment policies, or certificate enrollment services. Renewal requirements could be different from the initial issuance requirements, based on the renewal policy.
-Certificate revocation requires careful planning. When information about the certificate to be revoked is reliably available, the specific certificate can be easily revoked. When information about the certificate to be revoked is not easy to determine, all certificates that are issued to the user under the policy that was used to issue the certificate might need to be revoked. For example, this could occur if an employee reports a lost or compromised device, and information that associates the device with a certificate is not available.
+Certificate revocation requires careful planning. When information about the certificate to be revoked is reliably available, the specific certificate can be easily revoked. When information about the certificate to be revoked isn't easy to determine, all certificates that are issued to the user under the policy that was used to issue the certificate might need to be revoked. For example, this could occur if an employee reports a lost or compromised device, and information that associates the device with a certificate isn't available.
## Unmanaged cards
-Unmanaged virtual smart cards are not serviceable by an IT administrator. Unmanaged cards might be suitable if an organzation does not have an elaborate smart card deployment management tool and using remote desktop connections to manage the card is not desirable. Because unmanaged cards are not serviceable by the IT administrator, when a user needs help with a virtual smart card (for example, resetting or unlocking a PIN), the only option available to the user is to delete the card and create it again. This results in loss of the user’s credentials and he or she must re-enroll.
+Unmanaged virtual smart cards aren't serviceable by an IT administrator. Unmanaged cards might be suitable if an organization doesn't have an elaborate smart card deployment management tool and using remote desktop connections to manage the card isn't desirable. Because unmanaged cards aren't serviceable by the IT administrator, when a user needs help with a virtual smart card (for example, resetting or unlocking a PIN), the only option available to the user is to delete the card and create it again. This results in loss of the user's credentials and he or she must re-enroll.
### Unmanaged card creation
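Review bot: "he or she must re-enroll" survives the rewrite; the rest of this PR uses contractions and modern style, so "they must re-enroll" (or "and the user must re-enroll") would be consistent. The paragraph also states "aren't serviceable by an IT administrator" twice within three sentences; the second occurrence ("Because unmanaged cards aren't serviceable by the IT administrator, when a user needs help...") could be shortened to "When a user needs help with an unmanaged card (for example, resetting or unlocking a PIN), the only option is to delete the card and create it again."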
@@ -220,9 +208,9 @@ Another option is to have the user access an enrollment portal that is available
#### Signing the request with another certificate
-You can provide users with a short-term certificate through a Personal Information Exchange (.pfx) file. You can generate the .pfx file by initiating a request from a domain-joined computer. Additional policy constraints can be enforced on the .pfx file to assert the identity of the user.
+You can provide users with a short-term certificate through a Personal Information Exchange (.pfx) file. You can generate the .pfx file by initiating a request from a domain-joined computer. You can enforce other policy constraints on the .pfx file to assert the identity of the user.
-The user can import the certificate into the **MY** store (which is the user’s certificate store). And your organization can present the user with a script that can be used to sign the request for the short-term certificate and to request a virtual smart card.
+The user can import the certificate into the **MY** store (which is the user's certificate store). And your organization can present the user with a script that can be used to sign the request for the short-term certificate and to request a virtual smart card.
For deployments that require users to use a physical smart card to sign the certificate request, you can use the procedure:
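Review bot: replacing "Additional policy constraints" with "other policy constraints" changes the meaning slightly: "additional" says further constraints can be layered on top of the ones already applied, while "other" suggests different ones. "You can enforce more policy constraints on the .pfx file..." or keeping "additional" preserves the intent. In the next paragraph, the sentence beginning "And your organization can present the user with a script..." could be joined to the previous one ("...the user's certificate store), and your organization can present...") rather than starting with a conjunction.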
@@ -234,50 +222,38 @@ For deployments that require users to use a physical smart card to sign the cert
#### Using one-time password for enrollment
-Another option to ensure that users are strongly authenticated before virtual smart card certificates are issued is to send a user a one-time password through SMS, email, or phone. The user then types the one-time password during the certificate enrollment from an application or a script on a desktop that invokes built-in command-line tools.
+Another option to ensure that users are strongly authenticated before virtual smart card certificates are issued, is to send a user a one-time password through SMS, email, or phone. The user then types the one-time password during the certificate enrollment from an application or a script on a desktop that invokes built-in command-line tools.
#### Certificate lifecycle management
Certificate renewal can be done from the same tools that are used for the initial certificate enrollment. Certificate enrollment policies and certificate enrollment services can also be used to perform automatic renewal.
-Certificate revocation requires careful planning. When information about the certificate to be revoked is reliably available, the specific certificate can be easily revoked. When information about the certificate to be revoked is not easy to determine, all certificates that are issued to the user under the policy that was used to issue the certificate might need to be revoked. For example, this could occur if an employee reports a lost or compromised device, and information that associates the device with a certificate is not available.
+Certificate revocation requires careful planning. When information about the certificate to be revoked is reliably available, the specific certificate can be easily revoked. When information about the certificate to be revoked isn't easy to determine, all certificates issued to the user under the policy that was used to issue the certificate might need to be revoked. For example, if an employee reports a lost or compromised device, and information that associates the device with a certificate isn't available.
## Maintain virtual smart cards
Maintenance is a significant portion of the virtual smart card lifecycle and one of the most important considerations from a management perspective. After virtual smart cards are created, personalized, and provisioned, they can be used for convenient two-factor authentication. Deployment administrators must be aware of several common administrative scenarios, which can be approached by using a purchased virtual smart card solution or on a case-by-case basis with in-house methods.
-**Renewal**: Renewing virtual smart card credentials is a regular task that is necessary to preserve the security of a virtual smart card deployment. Renewal is the result of a signed request from a user who specifies the key pair desired for the new credentials. Depending on user’s choice or deployment specification, the user can request credentials with the same key pair as previously used, or choose a newly generated key pair.
+**Renewal**: Renewing virtual smart card credentials is a regular task that is necessary to preserve the security of a virtual smart card deployment. Renewal is the result of a signed request from a user who specifies the key pair desired for the new credentials. Depending on user's choice or deployment specification, the user can request credentials with the same key pair as previously used, or choose a newly generated key pair.
When renewing with a previously used key, no extra steps are required because a strong certificate with this key was issued during the initial provisioning. However, when the user requests a new key pair, you must take the same steps that were used during provisioning to assure the strength of the credentials. Renewal with new keys should occur periodically to counter sophisticated long-term attempts by malicious users to infiltrate the system. When new keys are assigned, you must ensure that the new keys are being used by the expected individuals on the same virtual smart cards.
-**Resetting PINs**: Resetting virtual smart card PINs is also a frequent necessity, because employees forget their PINs. There are two ways to accomplish this, depending on choices made earlier in the deployment: Use a PUK (if the PUK is set), or use a challenge-response approach with the administration key. Before resetting the PIN, the user’s identity must be verified by using some means other than the card—most likely the verification method that you used during initial provisioning (for example, in-person proofing). This is necessary in user-error scenarios when users forget their PINs. However, you should never reset a PIN if it has been compromised because the level of vulnerability after the PIN is exposed is difficult to identify. The entire card should be reissued.
+**Resetting PINs**: Resetting virtual smart card PINs is also a frequent necessity, because employees forget their PINs. There are two ways to accomplish this, depending on choices made earlier in the deployment: Use a PUK (if the PUK is set), or use a challenge-response approach with the administration key. Before resetting the PIN, the user's identity must be verified by using some means other than the card—most likely the verification method that you used during initial provisioning (for example, in-person proofing). This is necessary in user-error scenarios when users forget their PINs. However, you should never reset a PIN if it has been compromised because the level of vulnerability after the PIN is exposed is difficult to identify. The entire card should be reissued.
**Lockout reset**: A frequent precursor to resetting a PIN is the necessity of resetting the TPM lockout time because the TPM anti-hammering logic will be engaged with multiple PIN entry failures for a virtual smart card. This is currently device specific.
-**Retiring cards**: The final aspect of virtual smart card management is retiring cards when they are no longer needed. When an employee leaves the company, it is desirable to revoke domain access. Revoking sign-in credentials from the certification authority (CA) accomplishes this goal.
+**Retiring cards**: The final aspect of virtual smart card management is retiring cards when they're no longer needed. When an employee leaves the company, it's desirable to revoke domain access. Revoking sign-in credentials from the certification authority (CA) accomplishes this goal.
-The card should be reissued if the same computer is used by other employees without reinstalling the operating system. Reusing the former card can allow the former employee to change the PIN after leaving the organization, and then hijack certificates that belong to the new user to obtain unauthorized domain access. However, if the employee takes the virtual smart card-enabled computer, it is only necessary to revoke the certificates that are stored on the virtual smart card.
+The card should be reissued if the same computer is used by other employees without reinstalling the operating system. Reusing the former card can allow the former employee to change the PIN after leaving the organization, and then hijack certificates that belong to the new user to obtain unauthorized domain access. However, if the employee takes the virtual smart card-enabled computer, it's only necessary to revoke the certificates that are stored on the virtual smart card.
### Emergency preparedness
#### Card reissuance
-The most common scenario in an organization is reissuing virtual smart cards, which can be necessary if the operating system is reinstalled or if the virtual smart card is compromised in some manner. Reissuance is essentially the recreation of the card, which involves establishing a new PIN and administrator key and provisioning a new set of associated certificates. This is an immediate necessity when a card is compromised, for example, if the virtual smart card-protected computer is exposed to an adversary who might have access to the correct PIN. Reissuance is the most secure response to an unknown exposure of a card’s privacy. Additionally, reissuance is necessary after an operating system is reinstalled because the virtual smart card device profile is removed with all other user data when the operating system is reinstalled.
+The most common scenario in an organization is reissuing virtual smart cards, which can be necessary if the operating system is reinstalled or if the virtual smart card is compromised in some manner. Reissuance is essentially the recreation of the card, which involves establishing a new PIN and administrator key and provisioning a new set of associated certificates. This is an immediate necessity when a card is compromised, for example, if the virtual smart card-protected computer is exposed to an adversary who might have access to the correct PIN. Reissuance is the most secure response to an unknown exposure of a card's privacy. Additionally, reissuance is necessary after an operating system is reinstalled because the virtual smart card device profile is removed with all other user data when the operating system is reinstalled.
#### Blocked virtual smart card
-The anti-hammering behavior of a TPM virtual smart card is different from that of a physical smart card. A physical smart card blocks itself after the user enters the wrong PIN a few times. A TPM virtual smart card enters a timed delay after the user enters the wrong PIN a few times. If the TPM is in the timed-delay mode, when the user attempts to use the TPM virtual smart card, the user is notified that the card is blocked. Furthermore, if you enable the integrated unlock functionality, the user can see the user interface to unlock the virtual smart card and change the PIN. Unlocking the virtual smart card does not reset the TPM lockout. The user needs to perform an extra step to reset the TPM lockout or wait for the timed delay to expire.
+The anti-hammering behavior of a TPM virtual smart card is different from that of a physical smart card. A physical smart card blocks itself after the user enters the wrong PIN a few times. A TPM virtual smart card enters a timed delay after the user enters the wrong PIN a few times. If the TPM is in the timed-delay mode, when the user attempts to use the TPM virtual smart card, the user is notified that the card is blocked. Furthermore, if you enable the integrated unlock functionality, the user can see the user interface to unlock the virtual smart card and change the PIN. Unlocking the virtual smart card doesn't reset the TPM lockout. The user needs to perform an extra step to reset the TPM lockout or wait for the timed delay to expire.
For more information about setting the Allow Integrated Unblock policy, see [Allow Integrated Unblock screen to be displayed at the time of logon](../smart-cards/smart-card-group-policy-and-registry-settings.md#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon).
-
-## See also
-
-[Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md)
-
-[Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md)
-
-[Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md)
-
-[Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md)
-
-[Tpmvscmgr](virtual-smart-card-tpmvscmgr.md)
\ No newline at end of file
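Review bot: the rewrite of the one-time password paragraph introduces a comma between the subject and its verb: "Another option to ensure that users are strongly authenticated before virtual smart card certificates are issued, is to send..." should drop the comma. In the certificate lifecycle paragraph, removing "this could occur" leaves a sentence fragment: "For example, if an employee reports a lost or compromised device, and information that associates the device with a certificate isn't available." Restore a main clause, for example "This can happen if an employee reports a lost or compromised device and no information associates the device with a certificate." Deleting the "See also" section also removes this article's only cross-links to the other virtual smart card topics; confirm the TOC covers them. Finally, the file now ends without a trailing newline.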
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
index c2913cb244..b2afb7673e 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
@@ -1,65 +1,55 @@
---
-title: Evaluate Virtual Smart Card Security (Windows 10)
-description: This topic for the IT professional describes security characteristics and considerations when deploying TPM virtual smart cards.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 04/19/2017
-appliesto:
- - ✅ Windows 10
- - ✅ Windows Server 2016
-ms.technology: itpro-security
+title: Evaluate Virtual Smart Card Security
+description: Learn about the security characteristics and considerations when deploying TPM virtual smart cards.
+ms.topic: conceptual
+ms.date: 02/22/2023
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
---
# Evaluate Virtual Smart Card Security
-This topic for the IT professional describes security characteristics and considerations when deploying TPM virtual smart cards.
+[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
+
+In this article, you'll learn about security characteristics and considerations when deploying TPM virtual smart cards.
## Virtual smart card non-exportability details
-A crucial aspect of TPM virtual smart cards is their ability to securely store and use secret data, specifically that the secured data is non-exportable. Data can be accessed and used within the virtual smart card system, but it is meaningless outside of its intended environment. In TPM virtual smart cards, security is ensured with a secure key hierarchy, which includes several chains of encryption. This originates with the TPM storage root key, which is generated and stored within the TPM and never exposed outside the chip. The TPM key hierarchy is designed to allow encryption of user data with the storage root key, but it authorizes decryption with the user PIN in such a way that changing the PIN doesn’t require re-encryption of the data.
+A crucial aspect of TPM virtual smart cards is their ability to securely store and use secret data. Specifically, that the secured data is non-exportable.\
+Data can be accessed and used within the virtual smart card system, but it's meaningless outside of its intended environment. In TPM virtual smart cards, security is ensured with a secure key hierarchy, which includes several chains of encryption. The chain originates with the TPM storage root key, which is generated and stored within the TPM and never exposed outside the chip. The TPM key hierarchy is designed to allow encryption of user data with the storage root key, but it authorizes decryption with the user PIN so that changing the PIN doesn't require re-encryption of the data.
The following diagram illustrates the secure key hierarchy and the process of accessing the user key.
-
+:::image type="content" alt-text="Diagram of the process of accessing the user key." source="images/vsc-process-of-accessing-user-key.png" lightbox="images/vsc-process-of-accessing-user-key.png":::
The following keys are stored on the hard disk:
-- User key
+- User key
+- Smart card key, which is encrypted by the storage root key
+- Authorization key for the user key decryption, which is encrypted by the public portion of the smart card key
-- Smart card key, which is encrypted by the storage root key
+When the user enters a PIN, the use of the decrypted smart card key is authorized with this PIN. If this authorization succeeds, the decrypted smart card key is used to decrypt the auth key. The auth key is then provided to the TPM to authorize the decryption and use of the user's key that is stored on the virtual smart card.
-- Authorization key for the user key decryption, which is encrypted by the public portion of the smart card key
-
-When the user enters a PIN, the use of the decrypted smart card key is authorized with this PIN. If this authorization succeeds, the decrypted smart card key is used to decrypt the auth key. The auth key is then provided to the TPM to authorize the decryption and use of the user’s key that is stored on the virtual smart card.
-
-The auth key is the only sensitive data that is used as plaintext outside the TPM, but its presence in memory is protected by Microsoft Data Protection API (DPAPI), such that before being stored in any way, it is encrypted. All data other than the auth key is processed only as plaintext within the TPM, which is completely isolated from external access.
+The auth key is the only sensitive data used as plaintext outside the TPM, but its presence in memory is protected by Microsoft Data Protection API (DPAPI), such that before being stored in any way, it's encrypted. All data other than the auth key is processed only as plaintext within the TPM, which is isolated from external access.
## Virtual smart card anti-hammering details
-The anti-hammering functionality of virtual smart cards relies on the anti-hammering functionality of the TPM that is enabling the virtual smart card. However, the TPM version 1.2 and subsequent specifications (as designed by the Trusted Computing Group) provide very flexible guidelines for responding to hammering. The spec requires only that the TPM implement protection against trial-and-error attacks on the user PIN, PUK, and challenge/response mechanism.
+The anti-hammering functionality of virtual smart cards relies on the anti-hammering functionality of the TPM that is enabling the virtual smart card. However, the TPM version 1.2 and subsequent specifications (as designed by the Trusted Computing Group) provide flexible guidelines for responding to hammering. The spec requires only that the TPM implement protection against trial-and-error attacks on the user PIN, PUK, and challenge/response mechanism.
-The Trusted Computing Group also specifies that if the response to attacks involves suspending proper function of the TPM for some period of time or until administrative action is taken, the TPM must prevent running the authorized TPM commands. The TPM can prevent running any TPM commands until the termination of the attack response. Beyond using a time delay or requiring administrative action, a TPM could also force a reboot when an attack is detected. The Trusted Computing Group allows manufacturers a level of creativity in their choice of implementation. Whatever methodology is chosen by TPM manufacturers determines the anti-hammering response of TPM virtual smart cards. Some typical aspects of protection from attacks include:
+The Trusted Computing Group specifies that if the response to attacks involves suspending proper function of the TPM for some period of time, or until administrative action is taken, the TPM must prevent running the authorized TPM commands. The TPM can prevent running any TPM commands until the termination of the attack response. Beyond using a time delay or requiring administrative action, a TPM could also force a reboot when an attack is detected. The Trusted Computing Group allows manufacturers a level of creativity in their choice of implementation. The methodology used by TPM manufacturers determines the anti-hammering response of TPM virtual smart cards. Some typical aspects of protection from attacks include:
-1. Allow only a limited number of wrong PIN attempts before enabling a lockout that enforces a time delay before any further commands are accepted by the TPM.
+1. Allow only a limited number of wrong PIN attempts before enabling a lockout that enforces a time delay before any further commands are accepted by the TPM.
- > **Note** Introduced in Windows Server 2012 R2 and Windows 8.1, if the user enters the wrong PIN five consecutive times for a virtual smart card (which works in conjunction with the TPM), the card is blocked. When the card is blocked, it has to be unblocked by using the administrative key or the PUK.
+ > [!NOTE]
+ >
+ > If the user enters the wrong PIN five consecutive times for a virtual smart card (which works in conjunction with the TPM), the card is blocked. When the card is blocked, it must be unblocked by using the administrative key or the PUK.
-1. Increase the time delay exponentially as the user enters the wrong PIN so that an excessive number of wrong PIN attempts quickly trigger long delays in accepting commands.
+1. Increase the time delay exponentially as the user enters the wrong PIN so that an excessive number of wrong PIN attempts quickly trigger long delays in accepting commands.
+1. Have a failure leakage mechanism to allow the TPM to reset the timed delays over a period of time. This is useful in cases where a valid user has entered the wrong PIN occasionally, for example, due to complexity of the PIN.
-2. Have a failure leakage mechanism to allow the TPM to reset the timed delays over a period of time. This is useful in cases where a valid user has entered the wrong PIN occasionally, for example, due to complexity of the PIN.
+For example, it will take 14 years to guess an eight character PIN for a TPM that implements the following protection:
-As an example, it will take 14 years to guess an 8-character PIN for a TPM that implements the following protection:
-
-1. Number of wrong PINs allowed before entering lockout (threshold): 9
-
-2. Time the TPM is in lockout after the threshold is reached: 10 seconds
-
-3. Timed delay doubles for each wrong PIN after the threshold is reached
-
-## See also
-
-[Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md)
+1. Number of wrong PINs allowed before entering lockout (threshold): 9
+1. Time the TPM is in lockout after the threshold is reached: 10 seconds
+1. Timed delay doubles for each wrong PIN after the threshold is reached
\ No newline at end of file
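Review bot: the added line `+For example, it will take 14 years to guess an eight character PIN ...` needs a hyphen in the compound adjective (`eight-character PIN`; the removed line had `8-character`). The rewritten file also ends without a trailing newline (`\ No newline at end of file`); add one. One documentation point: the new `[!NOTE]` says the virtual smart card is blocked after five consecutive wrong PINs and must be unblocked with the admin key or PUK, while the worked example directly below uses a TPM lockout threshold of 9 and a doubling delay; a short sentence making clear that card blocking (PUK/admin key) and the TPM's own anti-hammering delays are two separate mechanisms would stop readers reading the two numbers as a contradiction.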
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
index d29782a291..ab3569f8ab 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
@@ -1,24 +1,20 @@
---
title: Get Started with Virtual Smart Cards - Walkthrough Guide (Windows 10)
description: This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 04/19/2017
-appliesto:
- - ✅ Windows 10
- - ✅ Windows Server 2016
-ms.technology: itpro-security
+ms.topic: conceptual
+ms.date: 02/22/2023
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
---
# Get Started with Virtual Smart Cards: Walkthrough Guide
+[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
+
This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
-Virtual smart cards are a technology from Microsoft, which offer comparable security benefits in two-factor authentication to physical smart cards. They also offer more convenience for users and lower cost for organizations to deploy. By utilizing Trusted Platform Module (TPM) devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired by smart cards: non-exportability, isolated cryptography, and anti-hammering.
+Virtual smart cards are a technology from Microsoft that offer comparable security benefits in two-factor authentication to physical smart cards. They also offer more convenience for users and lower cost for organizations to deploy. By utilizing Trusted Platform Module (TPM) devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired by smart cards: non-exportability, isolated cryptography, and anti-hammering.
This step-by-step walkthrough shows you how to set up a basic test environment for using TPM virtual smart cards. After you complete this walkthrough, you will have a functional virtual smart card installed on the Windows computer.
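Review bot: the frontmatter here still carries the `(Windows 10)` suffix in `title:` and the "This topic for the IT professional" wording in `description:` and in the unchanged body line `This topic for the IT professional describes how to set up a basic test environment...`, while the other files in this patch drop the suffix and switch to "This article"; apply the same rewrite here so the set is consistent. Also note that `ms.prod: windows-client` is deleted in this hunk but kept in the understanding-and-evaluating frontmatter later in the patch; pick one treatment for all four files.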
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
index 22c293e635..05598bf6ee 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
@@ -1,130 +1,66 @@
---
-title: Virtual Smart Card Overview (Windows 10)
-description: Learn more about the virtual smart card technology that was developed by Microsoft. Find links to additional topics about virtual smart cards.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
+title: Virtual Smart Card Overview
+description: Learn about virtual smart card technology for Windows.
ms.topic: conceptual
-ms.localizationpriority: medium
-ms.date: 10/13/2017
-appliesto:
- - ✅ Windows 10
- - ✅ Windows Server 2016
-ms.technology: itpro-security
+ms.date: 02/22/2023
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
---
# Virtual Smart Card Overview
-This topic for IT professional provides an overview of the virtual smart card technology that was developed by Microsoft and includes [links to additional topics](#see-also) to help you evaluate, plan, provision, and administer virtual smart cards.
+[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
-**Did you mean…**
-
-- [Smart Cards](../smart-cards/smart-card-windows-smart-card-technical-reference.md)
-
-> [!NOTE]
-> [Windows Hello for Business](../hello-for-business/hello-identity-verification.md) is the modern, two-factor authentication for Windows 10. Microsoft will be deprecating virtual smart cards in the future, but no date has been set at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. We recommend that new Windows 10 deployments use Windows Hello for Business. Virtual smart cards remain supported for Windows 7 and Windows 8.
+This article provides an overview of the virtual smart card technology.
## Feature description
-Virtual smart card technology from Microsoft offers comparable security benefits to physical smart cards by using two-factor authentication. Virtual smart cards emulate the functionality of physical smart cards, but they use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. Virtual smart cards are created in the TPM, where the keys that are used for authentication are stored in cryptographically secured hardware.
+Virtual smart card technology offers comparable security benefits to physical smart cards by using two-factor authentication. Virtual smart cards emulate the functionality of physical smart cards, but they use the Trusted Platform Module (TPM) chip that is available on devices. Virtual smart cards don't require the use of a separate physical smart card and reader. You create virtual smart cards in the TPM, where the keys used for authentication are stored in cryptographically-secured hardware.
By utilizing TPM devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired for smart cards: non-exportability, isolated cryptography, and anti-hammering.
## Practical applications
-Virtual smart cards are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards can be used for authentication to external resources, protection of data by secure encryption, and integrity through reliable signing. They are easily deployed by using in-house methods or a purchased solution, and they can become a full replacement for other methods of strong authentication in a corporate setting of any scale.
+Virtual smart cards are functionally similar to physical smart cards, appearing in Windows as smart cards that are always-inserted. Virtual smart cards can be used for authentication to external resources, protection of data by encryption, and integrity through signing. You can deploy virtual smart cards by using in-house methods or a purchased solution, and they can be a replacement for other methods of strong authentication in a corporate setting of any scale.
### Authentication use cases
**Two-factor authentication‒based remote access**
-After a user has a fully functional TPM virtual smart card, provisioned with a sign-in certificate, the certificate is used to gain strongly authenticated access to corporate resources. When the proper certificate is provisioned to the virtual card, the user need only provide the PIN for the virtual smart card, as if it was a physical smart card, to sign in to the domain.
+After a user has a fully functional TPM virtual smart card, provisioned with a sign-in certificate, the certificate is used to gain authenticated access to corporate resources. When the proper certificate is provisioned to the virtual card, the user need only provide the PIN for the virtual smart card, as if it was a physical smart card, to sign in to the domain.
-In practice, this is as easy as entering a password to access the system. Technically, it is far more secure. Using the virtual smart card to access the system proves to the domain that the user who is requesting authentication has possession of the personal computer upon which the card has been provisioned and knows the virtual smart card PIN. Because this request could not have possibly originated from a system other than the system certified by the domain for this user’s access, and the user could not have initiated the request without knowing the PIN, a strong two-factor authentication is established.
+In practice, this is as easy as entering a password to access the system. Technically, it's far more secure. Using the virtual smart card to access the system proves to the domain that the user who is requesting authentication has possession of the personal computer upon which the card has been provisioned and knows the virtual smart card PIN. Because this request couldn't have possibly originated from a system other than the system certified by the domain for this user's access, and the user couldn't have initiated the request without knowing the PIN, a strong two-factor authentication is established.
**Client authentication**
-Virtual smart cards can also be used for client authentication by using Secure Socket Layer (SSL) or a similar technology. Similar to domain access with a virtual smart card, an authentication certificate can be provisioned for the virtual smart card, provided to a remote service, as requested in the client authentication process. This adheres to the principles of two-factor authentication because the certificate is only accessible from the computer that hosts the virtual smart card, and the user is required to enter the PIN for initial access to the card.
+Virtual smart cards can also be used for client authentication by using TLS/SSL or a similar technology. Similar to domain access with a virtual smart card, an authentication certificate can be provisioned for the virtual smart card, provided to a remote service, as requested in the client authentication process. This adheres to the principles of two-factor authentication because the certificate is only accessible from the computer that hosts the virtual smart card, and the user is required to enter the PIN for initial access to the card.
**Virtual smart card redirection for remote desktop connections**
-The concept of two-factor authentication associated with virtual smart cards relies on the proximity of users to the computers that they access domain resources through. Therefore, when a user remotely connects to a computer that is hosting virtual smart cards, the virtual smart cards that are located on the remote computer cannot be used during the remote session. However, the virtual smart cards that are stored on the connecting computer (which is under physical control of the user) are loaded onto the remote computer, and they can be used as if they were installed by using the remote computer’s TPM. This extends a user’s privileges to the remote computer, while maintaining the principles of two-factor authentication.
-
-**Windows To Go and virtual smart cards**
-
-Virtual smart cards work well with Windows To Go, where a user can boot into a supported version of Windows from a compatible removable storage device. A virtual smart card can be created for the user, and it is tied to the TPM on the physical host computer to which the removable storage device is connected. When the user boots the operating system from a different physical computer, the virtual smart card will not be available. This can be used for scenarios when a single physical computer is shared by many users. Each user can be given a removable storage device for Windows To Go, which has a virtual smart card provisioned for the user. This way, users are only able to access their personal virtual smart card.
+The concept of two-factor authentication associated with virtual smart cards relies on the proximity of users to the devices that they use to access domain. When you connect to a device that is hosting virtual smart cards, you can't use the virtual smart cards located on the remote device during the remote session. However, you can access the virtual smart cards on the connecting device (which is under your physical control), which are loaded onto the remote device. You can use the virtual smart cards as if they were installed by using the remote devices' TPM, extending your privileges to the remote device, while maintaining the principles of two-factor authentication.
### Confidentiality use cases
**S/MIME email encryption**
-Physical smart cards are designed to hold private keys that can be used for email encryption and decryption. This functionality also exists in virtual smart cards. By using S/MIME with a user’s public key to encrypt email, the sender of an email can be assured that only the person with the corresponding private key will be able to decrypt the email. This assurance is a result of the non-exportability of the private key. It never exists within reach of malicious software, and it remains protected by the TPM—even during decryption.
+Physical smart cards are designed to hold private keys. You can use the private keys for email encryption and decryption. The same functionality exists in virtual smart cards. By using S/MIME with a user's public key to encrypt email, the sender of an email is assured that only the person with the corresponding private key can decrypt the email. This assurance is a result of the non-exportability of the private key. It never exists within reach of malicious software, and it remains protected by the TPM—even during decryption.
**BitLocker for data volumes**
-sBitLocker Drive Encryption technology makes use of symmetric-key encryption to protect the content of a user’s hard drive. This ensures that if the physical ownership of a hard drive is compromised, an adversary will not be able to read data off the drive. The key used to encrypt the drive can be stored in a virtual smart card, which necessitates knowledge of the virtual smart card PIN to access the drive and possession of the computer that is hosting the TPM virtual smart card. If the drive is obtained without access to the TPM that hosts the virtual smart card, any brute force attack will be very difficult.
+BitLocker Drive Encryption technology makes use of symmetric-key encryption to protect the content of a user's hard drive. BitLocker ensures that if the physical ownership of a hard drive is compromised, an adversary won't be able to read data off the drive. The key used to encrypt the drive can be stored in a virtual smart card, which necessitates knowledge of the virtual smart card PIN to access the drive, and possession of the device that is hosting the TPM virtual smart card. If the drive is obtained without access to the TPM that hosts the virtual smart card, any brute force attack will be difficult.
-BitLocker can also be used to encrypt portable drives, which involves storing keys in virtual smart cards. In this scenario (unlike using BitLocker with a physical smart card), the encrypted drive can be used only when it is connected to the host for the virtual smart card that is used to encrypt the drive, because the BitLocker key is only accessible from this computer. However, this method can be useful to ensure the security of backup drives and personal storage uses outside the main hard drive.
+You can use BitLocker to encrypt portable drives, storing keys in virtual smart cards. In this scenario, unlike using BitLocker with a physical smart card, the encrypted drive can be used only when it's connected to device for the virtual smart card that is used to encrypt the drive, because the BitLocker key is only accessible from the device. This method can be useful to ensure the security of backup drives and personal storage uses outside the main hard drive, too.
### Data integrity use case
**Signing data**
-To verify authorship of data, a user can sign it by using a private key that is stored in the virtual smart card. Digital signatures confirm the integrity and origin of the data. If the key is stored in an operating system that is accessible, a malicious user could access it and use it to modify already signed data or to spoof the key owner’s identity. However, if this key is stored in a virtual smart card, it can be used only to sign data on the host computer. It cannot be exported to other systems (intentionally or unintentionally, such as with malware theft). This makes digital signatures far more secure than other methods for private key storage.
+To verify authorship of data, a user can sign it by using a private key stored in the virtual smart card. Digital signatures confirm the integrity and origin of the data.
-## New and changed functionality as of Windows 8.1
-
-Enhancements in Windows 8.1 enabled developers to build Microsoft Store apps to create and manage virtual smart cards.
-
-The DCOM Interfaces for Trusted Platform Module (TPM) Virtual Smart Card device management protocol provides a Distributed Component Object Model (DCOM) Remote Protocol interface used for creating and destroying virtual smart cards. A virtual smart card is a device that presents a device interface complying with the PC/SC specification for PC-connected interface devices to its host operating system (OS) platform. This protocol does not assume anything about the underlying implementation of virtual smart card devices. In particular, while it is primarily intended for the management of virtual smart cards based on TPMs, it can also be used to manage other types of virtual smart cards.
-
-**What value does this change add?**
-
-Starting with Windows 8.1, application developers can build into their apps the following virtual smart card maintenance capabilities to relieve some of your administrative burdens.
-
-- Create a new virtual smart card or select a virtual smart card from the list of available virtual smart cards on the system. Identify the one that the application is supposed to work with.
-
-- Personalize the virtual smart card.
-
-- Change the admin key.
-
-- Diversify the admin key which allows the user to unblock the PIN in a PIN-blocked scenario.
-
-- Change the PIN.
-
-- Reset or Unblock the PIN.
-
-- Destroy the virtual smart card.
-
-**What works differently?**
-
-Starting with Windows 8.1, Microsoft Store app developers are able to build apps that have the capability to prompt the user to reset or unblock and change a virtual smart card PIN. This places more responsibility on the user to maintain their virtual smart card but it can also provide a more consistent user experience and administration experience in your organization.
-
-For more information about developing Microsoft Store apps with these capabilities, see [Trusted Platform Module Virtual Smart Card Management Protocol](/openspecs/windows_protocols/ms-tpmvsc/10bd67d7-4580-4e38-a6e9-ec3be00033b6).
-
-For more information about managing these capabilities in virtual smart cards, see [Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md).
+- Storing the key in an operating system that is accessible, malicious users could access it and use it to modify already signed data or to spoof the key owner's identity
+- Storing the key in a virtual smart card, means that you can only use it to sign data on the host device. You can't export the key to other systems (intentionally or unintentionally, such as with malware theft), making digital signatures more secure than other methods for private key storage
## Hardware requirements
-To use the virtual smart card technology, TPM 1.2 is the minimum required for computers running Windows 10 or Windows Server 2016.
-
-## Software requirements
-
-To use the virtual smart card technology, computers must be running one of the following operating systems:
-
-- Windows Server 2016
-- Windows Server 2012 R2
-- Windows Server 2012
-- Windows 10
-- Windows 8.1
-- Windows 8
-
-## See also
-
-- [Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md)
-- [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md)
-- [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md)
-- [Deploy Virtual Smart Cards](virtual-smart-card-deploy-virtual-smart-cards.md)
-- [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md)
-- [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md)
\ No newline at end of file
+To use the virtual smart card technology, TPM 1.2 is the minimum required for devices running a supported operating system.
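Review bot: several added lines have grammar defects. `+...the proximity of users to the devices that they use to access domain.` is missing its object (`access the domain` or `access domain resources`); `+...as if they were installed by using the remote devices' TPM` should be `remote device's TPM`; `+...when it's connected to device for the virtual smart card` is missing `the`; and both new bullets under "Signing data" open with dangling participles (`Storing the key in an operating system that is accessible, malicious users could access it...` and `Storing the key in a virtual smart card, means that...`). Suggested wording: `If the key is stored in an accessible operating system, a malicious user could access it and use it to modify already signed data or to spoof the key owner's identity` and `If the key is stored in a virtual smart card, it can only be used to sign data on the host device; it can't be exported to other systems...`. Separately, the deleted "New and changed functionality as of Windows 8.1" section was the only place that linked the [MS-TPMVSC] management protocol reference (`/openspecs/windows_protocols/ms-tpmvsc/...`); the Tpmvscmgr page in this same patch still states that `/machine` "relies on DCOM", so consider preserving that link there or under "Hardware requirements" rather than dropping it outright. Minor: `cryptographically-secured hardware` does not need a hyphen after an -ly adverb.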
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
index 521d0afec7..5f39e38b48 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
@@ -1,21 +1,17 @@
---
-title: Tpmvscmgr (Windows 10)
-description: This topic for the IT professional describes the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 04/19/2017
-appliesto:
- - ✅ Windows 10
- - ✅ Windows Server 2016
-ms.technology: itpro-security
+title: Tpmvscmgr
+description: Learn about the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer.
+ms.topic: conceptual
+ms.date: 02/22/2023
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
---
# Tpmvscmgr
+[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
+
The Tpmvscmgr command-line tool allows users with Administrative credentials to create and delete TPM virtual smart cards on a computer. For examples of how this command can be used, see [Examples](#examples).
## Syntax
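Review bot: `ms.topic: conceptual` is an odd choice for this page, which is a command-line reference for `tpmvscmgr.exe` (Syntax, parameter tables, Examples); `ms.topic: reference` describes it better and affects how the page is surfaced. The rest of the metadata changes and the added deprecation include match the other files in the patch.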
@@ -26,7 +22,7 @@ The Tpmvscmgr command-line tool allows users with Administrative credentials to
### Parameters for Create command
-The Create command sets up new virtual smart cards on the user’s system. It returns the instance ID of the newly created card for later reference if deletion is required. The instance ID is in the format ROOT\\SMARTCARDREADER\\000n where n starts from 0 and is increased by 1 each time you create a new virtual smart card.
+The Create command sets up new virtual smart cards on the user's system. It returns the instance ID of the newly created card for later reference if deletion is required. The instance ID is in the format `ROOT\SMARTCARDREADER\000n` where n starts from 0 and is increased by 1 each time you create a new virtual smart card.
| Parameter | Description |
|-----------|-------------|
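Review bot: wrapping the instance ID in a code span (`ROOT\SMARTCARDREADER\000n`) is the right fix and correctly drops the doubled backslashes, but the placeholder in `where n starts from 0` should then also be set as `` `n` `` so it is visibly the same variable as the trailing character inside the code span; `is increased by 1` reads more naturally as `increments by 1`.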
@@ -34,10 +30,10 @@ The Create command sets up new virtual smart cards on the user’s system. It re
| /AdminKey | Indicates the desired administrator key that can be used to reset the PIN of the card if the user forgets the PIN.
**DEFAULT** Specifies the default value of 010203040506070801020304050607080102030405060708.
**PROMPT** Prompts the user to enter a value for the administrator key.
**RANDOM** Results in a random setting for the administrator key for a card that is not returned to the user. This creates a card that might not be manageable by using smart card management tools. When generated with RANDOM, the administrator key is set as 48 hexadecimal characters. |
| /PIN | Indicates desired user PIN value.
**DEFAULT** Specifies the default PIN of 12345678.
**PROMPT** Prompts the user to enter a PIN at the command line. The PIN must be a minimum of eight characters, and it can contain numerals, characters, and special characters. |
| /PUK | Indicates the desired PIN Unlock Key (PUK) value. The PUK value must be a minimum of eight characters, and it can contain numerals, characters, and special characters. If the parameter is omitted, the card is created without a PUK.
**DEFAULT** Specifies the default PUK of 12345678.
**PROMPT** Prompts the user to enter a PUK at the command line. |
-| /generate | Generates the files in storage that are necessary for the virtual smart card to function. If the /generate parameter is omitted, it is equivalent to creating a card without this file system. A card without a file system can be managed only by a smart card management system such as Microsoft Configuration Manager. |
+| /generate | Generates the files in storage that are necessary for the virtual smart card to function. If the /generate parameter is omitted, it's equivalent to creating a card without this file system. A card without a file system can be managed only by a smart card management system such as Microsoft Configuration Manager. |
| /machine | Allows you to specify the name of a remote computer on which the virtual smart card can be created. This can be used in a domain environment only, and it relies on DCOM. For the command to succeed in creating a virtual smart card on a different computer, the user running this command must be a member in the local administrators group on the remote computer. |
| /pinpolicy | If **/pin prompt** is used, **/pinpolicy** allows you to specify the following PIN policy options:
**minlen** <minimum PIN length>
If not specified, defaults to 8. The lower bound is 4.
**maxlen** <maximum PIN length>
If not specified, defaults to 127. The upper bound is 127.
**uppercase** Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**
**lowercase** Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**
**digits** Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**
**specialchars** Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**
When using **/pinpolicy**, PIN characters must be printable ASCII characters. |
-| /attestation | Configures attestation (subject only). This attestation uses an [Attestation Identity Key (AIK) certificate](/openspecs/windows_protocols/ms-dha/a4a71926-3639-4d62-b915-760c2483f489#gt_89a2ba3c-80af-4d1f-88b3-06ec3489fd5a) as a trust anchor to vouch that the virtual smart card keys and certificates are truly hardware bound. The attestation methods are:
**AIK_AND_CERT** Creates an AIK and obtains an AIK certificate from the Microsoft cloud certification authority (CA). This requires the device to have a TPM with an [EK certificate](/openspecs/windows_protocols/ms-wcce/719b890d-62e6-4322-b9b1-1f34d11535b4#gt_6aaaff7f-d380-44fb-91d3-b985e458eb6d). If this option is specified and there is no network connectivity, it is possible that creation of the virtual smart card will fail.
**AIK_ONLY** Creates an AIK but does not obtain an AIK certificate. |
+| /attestation | Configures attestation (subject only). This attestation uses an [Attestation Identity Key (AIK) certificate](/openspecs/windows_protocols/ms-dha/a4a71926-3639-4d62-b915-760c2483f489#gt_89a2ba3c-80af-4d1f-88b3-06ec3489fd5a) as a trust anchor to vouch that the virtual smart card keys and certificates are truly hardware bound. The attestation methods are:
**AIK_AND_CERT** Creates an AIK and obtains an AIK certificate from the Microsoft cloud certification authority (CA). This requires the device to have a TPM with an [EK certificate](/openspecs/windows_protocols/ms-wcce/719b890d-62e6-4322-b9b1-1f34d11535b4#gt_6aaaff7f-d380-44fb-91d3-b985e458eb6d). If this option is specified and there's no network connectivity, it's possible that creation of the virtual smart card will fail.
**AIK_ONLY** Creates an AIK but doesn't obtain an AIK certificate. |
| /? | Displays Help for this command. |
### Parameters for Destroy command
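Review bot: the changes in these rows are contraction fixes only, but while the table is being touched, the `/pinpolicy` cell still contains raw angle-bracket placeholders (`**minlen** <minimum PIN length>`, `**maxlen** <maximum PIN length>`) that Markdown renderers can treat as HTML tags and silently drop; put them in code spans or escape the brackets. Also, the `/AdminKey` and `/PIN` rows document fixed `DEFAULT` values (the 48-hex-digit admin key and PIN `12345678`); since the `RANDOM` description already warns that the result may not be manageable, a sentence saying that `DEFAULT` values are intended for test environments and that production cards should use `PROMPT` or a management system would round out the guidance (outside the lines changed here, but the same table).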
@@ -91,8 +87,4 @@ The following command will create a TPM virtual smart card with the default valu
```console
tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /PIN PROMPT /pinpolicy minlen 4 maxlen 8 /AdminKey DEFAULT /attestation AIK_AND_CERT /generate
-```
-
-## Additional references
-
-- [Virtual Smart Card Overview](virtual-smart-card-overview.md)
+```
\ No newline at end of file
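Review bot: deleting the "Additional references" section leaves the file ending on the closing ```` ``` ```` fence with no trailing newline (`\ No newline at end of file`); add a final newline so the file matches the rest of the repository and future diffs stay clean.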
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
index 0475663ff5..dfde051a1a 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
@@ -1,22 +1,19 @@
---
-title: Understanding and Evaluating Virtual Smart Cards (Windows 10)
-description: Learn how smart card technology can fit into your authentication design. Find links to additional topics about virtual smart cards.
+title: Understanding and Evaluating Virtual Smart Cards
+description: Learn how smart card technology can fit into your authentication design.
ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 04/19/2017
-appliesto:
- - ✅ Windows 10
- - ✅ Windows Server 2016
-ms.technology: itpro-security
+ms.topic: conceptual
+ms.date: 02/22/2023
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
---
-# Understanding and Evaluating Virtual Smart Cards
+# Understand and Evaluate Virtual Smart Cards
-This topic for the IT professional describes the virtual smart card technology that was developed by Microsoft; suggests how it can fit into your authentication design; and provides links to additional resources that you can use to design, deploy, and troubleshoot virtual smart cards.
+[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
+
+This article describes the virtual smart card technology and how it can fit into your authentication design.
Virtual smart card technology uses cryptographic keys that are stored on computers that have the Trusted Platform Module (TPM) installed. Virtual smart cards offer comparable security benefits to conventional smart cards by using two-factor authentication. The technology also offers more convenience for users and has a lower cost to deploy. By utilizing TPM devices that provide the same cryptographic capabilities as conventional smart cards, virtual smart cards accomplish the three key properties that are desired for smart cards: non-exportability, isolated cryptography, and anti-hammering.
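Review bot: this frontmatter keeps `ms.prod: windows-client` as an unchanged context line while the same patch removes it from the get-started, overview and tpmvscmgr files; either delete it here too or restore it in the others. The H1 is also renamed to `# Understand and Evaluate Virtual Smart Cards` while `title:` still reads `Understanding and Evaluating Virtual Smart Cards`; align the two (the removed "See also" links elsewhere in this patch referred to the page by the old name).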
@@ -30,20 +27,17 @@ This topic contains the following sections:
- [Authentication design options](#authentication-design-options):
Describes how passwords, smart cards, and virtual smart cards can be used to reach authentication goals in your organization.
-- [See also](#see-also):
- Links to other topics that can help you design, deploy, and troubleshoot virtual smart cards.
-
## Comparing virtual smart cards with physical smart cards
Virtual smart cards function much like physical smart cards, but they differ in that they protect private keys by using the TPM of the computer instead of smart card media.
A virtual smart card appears to applications as a conventional smart card. Private keys in the virtual smart card are protected, not by isolation of physical memory, but by the cryptographic capabilities of the TPM. All sensitive information is encrypted by using the TPM and then stored on the hard drive in its encrypted form.
-All cryptographic operations occur in the secure, isolated environment of the TPM, and the unencrypted private keys are never used outside this environment. So like physical smart cards, virtual smart cards remain secure from any malware on the host. Additionally, if the hard drive is compromised in some way, a malicious user will not be able to access keys that are stored in the virtual smart card because they are securely encrypted by using the TPM. Keys can also be protected by BitLocker Drive Encryption.
+All cryptographic operations occur in the secure, isolated environment of the TPM, and the unencrypted private keys are never used outside this environment. So like physical smart cards, virtual smart cards remain secure from any malware on the host. Additionally, if the hard drive is compromised in some way, a malicious user won't be able to access keys that are stored in the virtual smart card because they're securely encrypted by using the TPM. Keys can also be protected by BitLocker Drive Encryption.
Virtual smart cards maintain the three key properties of physical smart cards:
-- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it cannot be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user cannot reverse engineer an identical TPM or install the same TPM on a different computer.
+- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it can't be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user can't reverse engineer an identical TPM or install the same TPM on a different computer.
For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that are offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM.
@@ -55,7 +49,7 @@ The following subsections compare the functionality, security, and cost of virtu
**Functionality**
-The virtual smart card system that was designed by Microsoft closely mimics the functionality of conventional smart cards. The most striking difference to the end user is that the virtual smart card is essentially a smart card that is always inserted into the computer. There is no method to export the user’s virtual smart card for use on other computers, which adds to the security of virtual smart cards. If a user requires access to network resources on multiple computers, multiple virtual smart cards can be issued for that user. Additionally, a computer that is shared among multiple users can host multiple virtual smart cards for different users.
+The virtual smart card system that was designed by Microsoft closely mimics the functionality of conventional smart cards. The most striking difference to the end user is that the virtual smart card is essentially a smart card that is always inserted into the computer. There's no method to export the user's virtual smart card for use on other computers, which adds to the security of virtual smart cards. If a user requires access to network resources on multiple computers, multiple virtual smart cards can be issued for that user. Additionally, a computer that is shared among multiple users can host multiple virtual smart cards for different users.
The basic user experience for a virtual smart card is as simple as using a password to access a network. Because the smart card is loaded by default, the user must simply enter the PIN that is tied to the card to gain access. Users are no longer required to carry cards and readers or to take physical action to use the card.
@@ -65,7 +59,7 @@ Additionally, although the anti-hammering functionality of the virtual smart car
Physical smart cards and virtual smart cards offer comparable levels of security. They both implement two-factor authentication for using network resources. However, they differ in certain aspects, including physical security and the practicality of an attack. Due to their compact and portable design, conventional smart cards are most frequently kept close to their intended user. They offer little opportunity for acquisition by a potential adversary, so any sort of interaction with the card is difficult without committing some variety of theft.
-TPM virtual smart cards, however, reside on a user’s computer that may frequently be left unattended, which provides an opportunity for a malicious user to hammer the TPM. Although virtual smart cards are fully protected from hammering (as are physical smart cards), this accessibility makes the logistics of an attack somewhat simpler. Additionally, the anti-hammering behavior of a TPM smart card differs in that it only presents a time delay in response to repeated PIN failures, as opposed to fully blocking the user.
+TPM virtual smart cards, however, reside on a user's computer that may frequently be left unattended, which provides an opportunity for a malicious user to hammer the TPM. Although virtual smart cards are fully protected from hammering (as are physical smart cards), this accessibility makes the logistics of an attack somewhat simpler. Additionally, the anti-hammering behavior of a TPM smart card differs in that it only presents a time delay in response to repeated PIN failures, as opposed to fully blocking the user.
However, there are several advantages provided by virtual smart cards to mitigate these slight security deficits. Most importantly, a virtual smart card is much less likely to be lost. Virtual smart cards are integrated into computers and devices that the user already owns for other purposes and has incentive to keep safe. If the computer or device that hosts the virtual smart card is lost or stolen, a user will more immediately notice its loss than the loss of a physical smart card. When a computer or device is identified as lost, the user can notify the administrator of the system, who can revoke the certificate that is associated with the virtual smart card on that device. This precludes any future unauthorized access on that computer or device if the PIN for the virtual smart card is compromised.
@@ -73,7 +67,7 @@ However, there are several advantages provided by virtual smart cards to mitigat
If a company wants to deploy physical smart cards, they need to purchase smart cards and smart card readers for all employees. Although relatively inexpensive options can be found, options that ensure the three key properties of smart card security (most notably, non-exportability) are more expensive. If employees have computers with a built-in TPM, virtual smart cards can be deployed with no additional material costs. These computers and devices are relatively common in the market.
-Additionally, the maintenance cost of virtual smart cards is less than that for physical smart cards, which are easily lost, stolen, or broken from normal wear. TPM virtual smart cards are only lost or broken if the host computer or device is lost or broken, which in most cases is much less frequently.
+The maintenance cost of virtual smart cards is less than that for physical smart cards, which are easily lost, stolen, or broken from normal wear. TPM virtual smart cards are only lost or broken if the host computer or device is lost or broken, which in most cases is much less frequently.
**Comparison summary**
@@ -82,16 +76,16 @@ Additionally, the maintenance cost of virtual smart cards is less than that for
| Protects private keys by using the built-in cryptographic functionality of the card. | Protects private keys by using the cryptographic functionality of the TPM. |
| Stores private keys in isolated non-volatile memory on the card, which means that access to private keys is only from the card, and access is never allowed to the operating system. | Stores encrypted private keys on the hard drive. The encryption ensures that these keys can only be decrypted and used in the TPM, not in the accessible memory of the operating system. |
| Guarantees non-exportability through the card manufacturer, which includes isolating private information from operating system access. | Guarantees non-exportability through the TPM manufacturer, which includes the inability of an adversary to replicate or remove the TPM. |
-| Performs and isolates cryptographic operations within the built-in capabilities of the card. | Performs and isolates cryptographic operations in the TPM of the user’s computer or device. |
+| Performs and isolates cryptographic operations within the built-in capabilities of the card. | Performs and isolates cryptographic operations in the TPM of the user's computer or device. |
| Provides anti-hammering through the card. After a certain number of failed PIN entry attempts, the card blocks further access until administrative action is taken. | Provides anti-hammering through the TPM. Successive failed attempts increase the device lockout time (the time the user has to wait before trying again). This can be reset by an administrator. |
-| Requires that users carry their smart card and smart card reader with them to access network resources. | Allows users to access their TPM-enabled computers or devices, and potentially access the network, without additional equipment. |
+| Requires that users carry their smart card and smart card reader with them to access network resources. | Allows users to access their TPM-enabled computers or devices, and potentially access the network, without other equipment. |
| Enables credential portability by inserting the smart card into smart card readers that are attached to other computers. | Prevents exporting credentials from a given computer or device. However, virtual smart cards can be issued for the same user on multiple computers or devices by using additional certificates. |
| Enables multiple users to access network resources through the same computer by inserting their personal smart cards. | Enables multiple users to access network resources through the same computer or device by issuing a virtual smart card for each user on that computer or device. |
-| Requires the user to carry the card, making it more difficult for an attacker to access the device and launch a hammering attempt. | Stores virtual smart card on the user’s computer, which may be left unattended and allow a greater risk window for hammering attempts. |
+| Requires the user to carry the card, making it more difficult for an attacker to access the device and launch a hammering attempt. | Stores virtual smart card on the user's computer, which may be left unattended and allow a greater risk window for hammering attempts. |
| Provides a generally single-purpose device that is carried explicitly for the purpose of authentication. The smart card can be easily misplaced or forgotten. | Installs the virtual smart card on a device that has other purposes for the user, so the user has greater incentive to be responsible for the computer or device. |
-| Alerts users that their card is lost or stolen only when they need to sign in and notice it is missing. | Installs the virtual smart card on a device that the user likely needs for other purposes, so users will notice its loss much more quickly. This reduces the associated risk window. |
+| Alerts users that their card is lost or stolen only when they need to sign in and notice it's missing. | Installs the virtual smart card on a device that the user likely needs for other purposes, so users will notice its loss much more quickly. This reduces the associated risk window. |
| Requires companies to invest in smart cards and smart card readers for all employees. | Requires that companies ensure all employees have TPM-enabled computers, which are relatively common. |
-| Enables using a smart card removal policy to affect system behavior when the smart card is removed. For example, the policy can dictate if the user’s sign-in session is locked or terminated when the user removes the card. | Eliminates the necessity for a smart card removal policy because a TPM virtual smart card is always present and cannot be removed from the computer. |
+| Enables using a smart card removal policy to affect system behavior when the smart card is removed. For example, the policy can dictate if the user's sign-in session is locked or terminated when the user removes the card. | Eliminates the necessity for a smart card removal policy because a TPM virtual smart card is always present and can't be removed from the computer. |
## Authentication design options
@@ -99,42 +93,30 @@ The following section presents several commonly used options and their respectiv
**Passwords**
-A password is a secret string of characters that is tied to the identification credentials for a user’s account. This establishes the user’s identity. Although passwords are the most commonly used form of authentication, they are also the weakest. In a system where passwords are used as the sole method of user authentication, only individuals who know their passwords are considered valid users.
+A password is a secret string of characters that is tied to the identification credentials for a user's account. This establishes the user's identity. Although passwords are the most commonly used form of authentication, they're also the weakest. In a system where passwords are used as the sole method of user authentication, only individuals who know their passwords are considered valid users.
-Password authentication places a great deal of responsibility on the user. Passwords must be sufficiently complex so they cannot be easily guessed, but they must be simple enough to be committed to memory and not stored in a physical location. Even if this balance is successfully achieved, a wide variety of attacks exist (such as brute force attacks, eavesdropping, and social engineering tactics) where a malicious user can acquire a user’s password and impersonate that person’s identity. A user often will not realize that the password is compromised, which makes it is easy for a malicious user to maintain access to a system if a valid password has been obtained.
+Password authentication places a great deal of responsibility on the user. Passwords must be sufficiently complex so they can't be easily guessed, but they must be simple enough to be committed to memory and not stored in a physical location. Even if this balance is successfully achieved, a wide variety of attacks exist (such as brute force attacks, eavesdropping, and social engineering tactics) where a malicious user can acquire a user's password and impersonate that person's identity. A user often won't realize that the password is compromised, which makes it's easy for a malicious user to maintain access to a system if a valid password has been obtained.
**One-time passwords**
-A one-time password (OTP) is similar to a traditional password, but it is more secure in that it can be used only once to authenticate a user. The method for determining each new password varies by implementation. However, assuming a secure deployment of each new password, OTPs have several advantages over the classic password model of authentication. Most importantly, if a given OTP token is intercepted in transmission between the user and the system, the interceptor cannot use it for any future transactions. Similarly, if a malicious user obtains a valid user’s OTP, the interceptor will have limited access to the system (only one session).
+A one-time password (OTP) is similar to a traditional password, but it's more secure in that it can be used only once to authenticate a user. The method for determining each new password varies by implementation. Assuming a secure deployment of each new password, OTPs have several advantages over the classic password model of authentication. Most importantly, if a given OTP token is intercepted in transmission between the user and the system, the interceptor can't use it for any future transactions. Similarly, if a malicious user obtains a valid user's OTP, the interceptor will have limited access to the system (only one session).
**Smart cards**
Smart cards are physical authentication devices, which improve on the concept of a password by requiring that users actually have their smart card device with them to access the system, in addition to knowing the PIN that provides access to the smart card. Smart cards have three key properties that help maintain their security:
-- **Non-exportability**: Information stored on the card, such as the user’s private keys, cannot be extracted from one device and used in another medium.
+- **Non-exportability**: Information stored on the card, such as the user's private keys, can't be extracted from one device and used in another medium
+- **Isolated cryptography**: Any cryptographic operations that are related to the card (such as secure encryption and decryption of data) occur in a cryptographic processor on the card, so malicious software on the host computer can't observe the transactions
+- **Anti-hammering**: To prevent access to the card by a brute-force attack, a set number of consecutive unsuccessful PIN entry attempts blocks the card until administrative action is taken
-- **Isolated cryptography**: Any cryptographic operations that are related to the card (such as secure encryption and decryption of data) occur in a cryptographic processor on the card, so malicious software on the host computer cannot observe the transactions.
-
-- **Anti-hammering**: To prevent access to the card by a brute-force attack, a set number of consecutive unsuccessful PIN entry attempts blocks the card until administrative action is taken.
-
-Smart cards provide greatly enhanced security over passwords alone, because it is much more difficult for a malicious user to gain and maintain access to a system. Most importantly, access to a smart card system requires that users have a valid card and that they know the PIN that provides access to that card. It is extremely difficult for a thief to acquire the card and the PIN.
+Smart cards provide greatly enhanced security over passwords alone, because it's much more difficult for a malicious user to gain and maintain access to a system. Most importantly, access to a smart card system requires that users have a valid card and that they know the PIN that provides access to that card. It's difficult for a thief to acquire the card and the PIN.
Additional security is achieved by the singular nature of the card because only one copy of the card exists, only one individual can use the sign-in credentials, and users will quickly notice if the card has been lost or stolen. This greatly reduces the risk window of credential theft when compared to using a password alone.
-Unfortunately, this additional security comes with added material and support costs. Traditional smart cards are expensive to purchase (cards and card readers must be supplied to employees), and they also can be easily misplaced or stolen.
+The additional security comes with added material and support costs. Traditional smart cards are expensive to purchase (cards and card readers must be supplied to employees), and users can misplace or lose them.
**Virtual smart cards**
-To address these issues, virtual smart cards emulate the functionality of traditional smart cards, but instead of requiring the purchase of additional hardware, they utilize technology that users already own and are more likely to have with them at all times. Theoretically, any device that can provide the three key properties of smart cards (non-exportability, isolated cryptography, and anti-hammering) can be commissioned as a virtual smart card. However, the virtual smart card platform developed by Microsoft is currently limited to the use of the Trusted Platform Module (TPM) chip, which is installed on most modern computers.
+Virtual smart cards emulate the functionality of traditional smart cards. Instead of requiring the purchase of additional hardware, virtual smart cards utilize technology that users already own and are more likely to always have with them. Theoretically, any device that can provide the three key properties of smart cards (non-exportability, isolated cryptography, and anti-hammering) can be commissioned as a virtual smart card. The virtual smart card platform is limited to the use of the Trusted Platform Module (TPM) chip, which is on most modern devices.
-Virtual smart cards that utilize a TPM provide the three main security principles of traditional smart cards (non-exportability, isolated cryptography, and anti-hammering). They are also less expensive to implement and more convenient for users. Because many corporate computers already have a built-in TPM, there is no cost associated with purchasing new hardware. The user’s possession of a computer or device is equivalent to the possession of a smart card, and a user’s identity cannot be assumed from any other computer or device without administrative provisioning of further credentials. Thus, two-factor authentication is achieved because the user must have a computer that is set up with a virtual smart card and know the PIN to use the virtual smart card.
-
-## See also
-
-- [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md)
-
-- [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md)
-
-- [Deploy Virtual Smart Cards](virtual-smart-card-deploy-virtual-smart-cards.md)
-
-- [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md)
+Virtual smart cards that utilize a TPM provide the three main security principles of traditional smart cards: non-exportability, isolated cryptography, and anti-hammering. Virtual smart cards are less expensive to implement and more convenient for users. Since many corporate computers already have a built-in TPM, there's no cost associated with purchasing new hardware. The user's possession of a computer or device is equivalent to the possession of a smart card, and a user's identity can't be assumed from any other computer or device without administrative provisioning of further credentials. Thus, two-factor authentication is achieved because the user must have a computer that is set up with a virtual smart card and know the PIN to use the virtual smart card.
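Review bot: the contraction change on the "Passwords" paragraph introduces a grammatical error: "which makes it's easy for a malicious user to maintain access" should read "which makes it easy for a malicious user to maintain access" (the original "makes it is easy" was itself a typo, and replacing "it is" with "it's" preserves it). Two smaller points in the same hunk: the three "Smart cards" bullets lose their trailing periods, while the matching "Non-exportability" / "Isolated cryptography" bullets earlier in the file keep theirs, so the two lists are now punctuated differently; and removing the "See also" section drops the only links from this page to the Get Started, Use and Deploy articles (only the Evaluate link survives inline), so consider keeping a pointer to them.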
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
index beb70ccddd..eb4d234c61 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
@@ -1,22 +1,18 @@
---
-title: Use Virtual Smart Cards (Windows 10)
-description: This topic for the IT professional describes requirements for virtual smart cards and provides information about how to use and manage them.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 10/13/2017
-appliesto:
- - ✅ Windows 10
- - ✅ Windows Server 2016
-ms.technology: itpro-security
+title: Use Virtual Smart Cards
+description: Learn about the requirements for virtual smart cards, how to use and manage them.
+ms.topic: conceptual
+ms.date: 02/22/2023
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
---
# Use Virtual Smart Cards
-This topic for the IT professional describes requirements for virtual smart cards, how to use virtual smart cards, and tools that are available to help you create and manage them.
+[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
+
+Learn about the requirements for virtual smart cards, how to use and manage them.
## Requirements, restrictions, and limitations
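Review bot: `ms.prod: windows-client` is removed from this file's front matter, but the sibling article `virtual-smart-card-understanding-and-evaluating.md` in the same change keeps it; unless `ms.prod` is now inherited from `docfx.json` for both, the two files should be treated the same. Also, the new description and the new intro sentence ("Learn about the requirements for virtual smart cards, how to use and manage them.") read as a run-on; "Learn about the requirements for virtual smart cards, and how to use and manage them." is clearer.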
@@ -24,9 +20,9 @@ This topic for the IT professional describes requirements for virtual smart card
|-------------|---------------------------|
| Supported operating systems | Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Windows 10
Windows 8.1
Windows 8 |
| Supported Trusted Platform Module (TPM) | Any TPM that adheres to the TPM main specifications for version 1.2 or version 2.0 (as set by the Trusted Computing Group) is supported for use as a virtual smart card. For more information, see the [TPM Main Specification](http://www.trustedcomputinggroup.org/resources/tpm_main_specification). |
-| Supported virtual smart cards per computer | Ten smart cards can be connected to a computer or device at one time. This includes physical and virtual smart cards combined.
**Note**
You can create more than one virtual smart card; however, after creating more than four virtual smart cards, you may start to notice performance degradation. Because all smart cards appear as if they are always inserted, if more than one person shares a computer or device, each person can see all the virtual smart cards that are created on that computer or device. If the user knows the PIN values for all the virtual smart cards, the user will also be able to use them.
|
-| Supported number of certificates on a virtual smart card | A single TPM virtual smart card can contain 30 distinct certificates with the corresponding private keys. Users can continue to renew certificates on the card until the total number of certificates on a card exceeds 90. The reason that the total number of certificates is different from the total number of private keys is that sometimes the renewal can be done with the same private key—in which case a new private key is not generated. |
-| PIN, PIN Unlock Key (PUK), and Administrative key requirements | The PIN and the PUK must be a minimum of eight characters that can include numerals, alphabetic characters, and special characters.
The Administrative key must be entered as 48 hexadecimal characters. It is a 3-key triple DES with ISO/IEC 9797 padding method 2 in CBC chaining mode. |
+| Supported virtual smart cards per computer | Ten smart cards can be connected to a computer or device at one time. This includes physical and virtual smart cards combined.
**Note**
You can create more than one virtual smart card; however, after creating more than four virtual smart cards, you may start to notice performance degradation. Because all smart cards appear as if they're always inserted, if more than one person shares a computer or device, each person can see all the virtual smart cards that are created on that computer or device. If the user knows the PIN values for all the virtual smart cards, the user will also be able to use them.
|
+| Supported number of certificates on a virtual smart card | A single TPM virtual smart card can contain 30 distinct certificates with the corresponding private keys. Users can continue to renew certificates on the card until the total number of certificates on a card exceeds 90. The reason that the total number of certificates is different from the total number of private keys is that sometimes the renewal can be done with the same private key—in which case a new private key isn't generated. |
+| PIN, PIN Unlock Key (PUK), and Administrative key requirements | The PIN and the PUK must be a minimum of eight characters that can include numerals, alphabetic characters, and special characters.
The Administrative key must be entered as 48 hexadecimal characters. It's a 3-key triple DES with ISO/IEC 9797 padding method 2 in CBC chaining mode. |
## Using Tpmvscmgr.exe
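Review bot: the `appliesto` block in this file now says "Windows 10 and later" and "Windows Server 2016 and later", but the "Supported operating systems" cell in this table still lists only Windows 8 through Windows 10 and Server 2012 through Server 2016, so the two statements of supported platforms now disagree; update the cell (for example "Windows 10 and later" / "Windows Server 2016 and later") or keep the explicit list in both places. While touching this table, the "Supported Trusted Platform Module (TPM)" row links to the TPM Main Specification over plain `http://`; an `https://` link is preferable for a security article.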
@@ -68,7 +64,7 @@ For more information about these Windows APIs, see:
## Distinguishing TPM-based virtual smart cards from physical smart cards
-To help users visually distinguish a Trusted Platform Module (TPM)-based virtual smart card from physical smart cards, the virtual smart card has a different icon. The following icon is displayed during sign in, and on other screens that require the user to enter the PIN for a virtual smart card.
+To help users visually distinguish a Trusted Platform Module (TPM)-based virtual smart card from physical smart cards, the virtual smart card has a different icon. The following icon is displayed during sign-in, and on other screens that require the user to enter the PIN for a virtual smart card.

@@ -86,17 +82,17 @@ The PIN for a virtual smart card can be changed by following these steps:
### TPM not provisioned
-For a TPM-based virtual smart card to function properly, a provisioned TPM must be available on the computer. If the TPM is disabled in the BIOS, or it is not provisioned with full ownership and the storage root key, the TPM virtual smart card creation will fail.
+For a TPM-based virtual smart card to function properly, a provisioned TPM must be available on the computer. If the TPM is disabled in the BIOS, or it isn't provisioned with full ownership and the storage root key, the TPM virtual smart card creation will fail.
If the TPM is initialized after creating a virtual smart card, the card will no longer function, and it will need to be re-created.
-If the TPM ownership was established on a Windows Vista installation, the TPM will not be ready to use virtual smart cards. The system administrator needs to clear and initialize the TPM for it to be suitable for creating TPM virtual smart cards.
+If the TPM ownership was established on a Windows Vista installation, the TPM won't be ready to use virtual smart cards. The system administrator needs to clear and initialize the TPM for it to be suitable for creating TPM virtual smart cards.
If the operating system is reinstalled, prior TPM virtual smart cards are no longer available and need to be re-created. If the operating system is upgraded, prior TPM virtual smart cards will be available to use in the upgraded operating system.
### TPM in lockout state
-Sometimes, due to frequent incorrect PIN attempts from a user, the TPM may enter the lockout state. To resume using the TPM virtual smart card, it is necessary to reset the lockout on the TPM by using the owner’s password or to wait for the lockout to expire. Unblocking the user PIN does not reset the lockout in the TPM. When the TPM is in lockout, the TPM virtual smart card appears as if it is blocked. When the TPM enters the lockout state because the user entered an incorrect PIN too many times, it may be necessary to reset the user PIN by using the virtual smart card management tools, such as Tpmvscmgr command-line tool.
+Sometimes, due to frequent incorrect PIN attempts from a user, the TPM may enter the lockout state. To resume using the TPM virtual smart card, it's necessary to reset the lockout on the TPM by using the owner's password or to wait for the lockout to expire. Unblocking the user PIN doesn't reset the lockout in the TPM. When the TPM is in lockout, the TPM virtual smart card appears as if it's blocked. When the TPM enters the lockout state because the user entered an incorrect PIN too many times, it may be necessary to reset the user PIN by using the virtual smart card management tools, such as Tpmvscmgr command-line tool.
## See also
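Review bot: missing article in the last sentence of the `+` paragraph under "TPM in lockout state": "such as Tpmvscmgr command-line tool" should read "such as the Tpmvscmgr command-line tool". The rest of the hunk only swaps in contractions and keeps the lockout guidance (reset via owner password or wait for expiry; unblocking the user PIN does not clear the TPM lockout) intact, which is correct.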
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md
index d5725508e4..a6330f4ad8 100644
--- a/windows/security/identity-protection/vpn/vpn-profile-options.md
+++ b/windows/security/identity-protection/vpn/vpn-profile-options.md
@@ -295,9 +295,9 @@ The following sample is a sample plug-in VPN profile. This blob would fall under
## Apply ProfileXML using Intune
-After you configure the settings that you want using ProfileXML, you can create a custom profile in the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). After it's created, you deploy this profile to your devices.
+After you configure the settings that you want using ProfileXML, you can create a custom profile in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). After it's created, you deploy this profile to your devices.
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** > **Configuration profiles** > **Create profile**.
3. Enter the following properties:
diff --git a/windows/security/includes/virtual-smart-card-deprecation-notice.md b/windows/security/includes/virtual-smart-card-deprecation-notice.md
new file mode 100644
index 0000000000..dea207534a
--- /dev/null
+++ b/windows/security/includes/virtual-smart-card-deprecation-notice.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 02/22/2023
+ms.topic: include
+---
+
+> [!WARNING]
+> [Windows Hello for Business](../identity-protection/hello-for-business/hello-identity-verification.md) is the modern, two-factor authentication for Windows. Microsoft will deprecate virtual smart cards in the near future. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business. Microsoft will publish the deprecation date to ensure customers have adequate lead time to move to Windows Hello for Business. We recommend that new Windows deployments use Windows Hello for Business.
\ No newline at end of file
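Review bot: the new include file ends without a trailing newline (the "\ No newline at end of file" marker); add one so the include body terminates cleanly wherever it is pulled in. Also confirm that the relative link `../identity-protection/hello-for-business/hello-identity-verification.md` is resolved from the include file's own location (windows/security/includes/) rather than from each including page, since the pages that consume this include sit at different directory depths. Finally, the warning says "Microsoft will publish the deprecation date" with nowhere to look; if a lifecycle or announcement page exists, link it here so every page using the include points readers to the same source.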
diff --git a/windows/security/index.yml b/windows/security/index.yml
index 2aa8f670fe..ce7aece4b4 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -11,6 +11,7 @@ metadata:
ms.technology: itpro-security
ms.collection:
- highpri
+ - tier1
author: paolomatarazzo
ms.author: paoloma
ms.date: 12/19/2022
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
index bb9df0cf68..e922e90f32 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
@@ -34,7 +34,7 @@ This article depicts the BitLocker deployment comparison chart.
|*Cloud or on premises* | Cloud | On premises | On premises |
|Server components required? | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|*Additional agent required?* | No (device enrollment only) | Configuration Manager client | MBAM client |
-|*Administrative plane* | Microsoft Endpoint Manager admin center | Configuration Manager console | Group Policy Management Console and MBAM sites |
+|*Administrative plane* | Microsoft Intune admin center | Configuration Manager console | Group Policy Management Console and MBAM sites |
|*Administrative portal installation required* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|*Compliance reporting capabilities* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|*Force encryption* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
diff --git a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md
index 0aed4ad1d1..e42dd1f9c9 100644
--- a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md
+++ b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md
@@ -21,7 +21,7 @@ ms.date: 12/13/2022
### Enable Personal Data Encryption (PDE)
-1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Navigate to **Devices** > **Configuration Profiles**
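Review bot: the `+` line reads "Sign into [Intune admin center]"; the verb phrase is "Sign in to", and the other files in this patch use the full name "Microsoft Intune admin center" with the article. Suggest `1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).` here and in the five identical hunks that follow in this file, so all pages name the portal the same way.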
@@ -65,7 +65,7 @@ ms.date: 12/13/2022
### Disable Winlogon automatic restart sign-on (ARSO)
-1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Navigate to **Devices** > **Configuration Profiles**
@@ -107,7 +107,7 @@ ms.date: 12/13/2022
### Disable kernel-mode crash dumps and live dumps
-1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Navigate to **Devices** > **Configuration Profiles**
@@ -145,7 +145,7 @@ ms.date: 12/13/2022
### Disable Windows Error Reporting (WER)/Disable user-mode crash dumps
-1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Navigate to **Devices** > **Configuration Profiles**
@@ -183,7 +183,7 @@ ms.date: 12/13/2022
### Disable hibernation
-1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Navigate to **Devices** > **Configuration Profiles**
@@ -221,7 +221,7 @@ ms.date: 12/13/2022
### Disable allowing users to select when a password is required when resuming from connected standby
-1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Navigate to **Devices** > **Configuration Profiles**
diff --git a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
index 1f711c3493..2779296ea9 100644
--- a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
+++ b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
@@ -1,30 +1,20 @@
---
-title: Back up the TPM recovery information to AD DS (Windows)
-description: This topic for the IT professional describes backup of Trusted Platform Module (TPM) information.
-ms.reviewer:
+title: Back up TPM recovery information to Active Directory
+description: Learn how to back up the Trusted Platform Module (TPM) recovery information to Active Directory.
ms.prod: windows-client
-author: dansimp
-ms.author: dansimp
+author: paolomatarazzo
+ms.author: paoloma
manager: aaroncz
ms.topic: conceptual
-ms.date: 09/03/2021
+ms.date: 02/02/2023
ms.technology: itpro-security
+appliesto:
+- ✅ Windows 11
+- ✅ Windows Server 2016 and later
---
# Back up the TPM recovery information to AD DS
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+In Windows 11, you can back up a device's Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS), enabling remote management of the TPM.
-**Does not apply to**
-
-- Windows 10, version 1607 or later
-
-With Windows 10, versions 1511 and 1507, or Windows 11, you can back up a computer's Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS). By doing this, you can use AD DS to administer the TPM from a remote computer. The procedure is the same as it was for Windows 8.1. For more information, see [Backup the TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-8.1-and-8/dn466534(v=ws.11)).
-
-## Related topics
-
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
-- [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md)
\ No newline at end of file
+For more information, see [Back up the TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-8.1-and-8/dn466534(v=ws.11)).
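Review bot: the rewritten body and the new `appliesto` block disagree, and a version caveat is lost. The removed text said AD DS backup of TPM information applies to Windows 10 versions 1511 and 1507 and explicitly "Does not apply to Windows 10, version 1607 or later", while the new `appliesto` lists "Windows Server 2016 and later" and the new body says only "In Windows 11". Either keep the "does not apply" note (or state which versions support this) and have the body mention Server 2016, or drop Server 2016 from `appliesto`. Also the removed "Related topics" links (Trusted Platform Module, TPM Group Policy settings) are dropped without replacement; consider keeping them at the end of the page.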
diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
index d1f3ca2437..be0cadec4a 100644
--- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
+++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
@@ -1,30 +1,21 @@
---
title: How Windows uses the TPM
-description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it to enhance security.
-ms.reviewer:
+description: Learn how Windows uses the Trusted Platform Module (TPM) to enhance security.
ms.prod: windows-client
-ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: paolomatarazzo
+ms.author: paoloma
manager: aaroncz
ms.topic: conceptual
-ms.date: 09/03/2021
+ms.date: 02/02/2023
ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
---
# How Windows uses the Trusted Platform Module
-The Windows operating system improves most existing security features in the operating system and adds groundbreaking new security features such as Device Guard and Windows Hello for Business. It places hardware-based security deeper inside the operating system than previous Windows versions had done, maximizing platform security while increasing usability. To achieve many of these security enhancements, Windows makes extensive use of the Trusted Platform Module (TPM). This article offers a brief overview of the TPM, describes how it works, and discusses the benefits that TPM brings to Windows and the cumulative security impact of running Windows on a PC that contains a TPM.
-
-
-**See also:**
-- [Windows 11 Specifications](https://www.microsoft.com/windows/windows-11-specifications)
-
-- [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications)
-
-- [TPM Fundamentals](tpm-fundamentals.md)
-
-- [TPM Recommendations](tpm-recommendations.md)
+The Windows operating system places hardware-based security deeper inside many features, maximizing platform security while increasing usability. To achieve many of these security enhancements, Windows makes extensive use of the Trusted Platform Module (TPM). This article offers an overview of the TPM, describes how it works, and discusses the benefits that TPM brings to Windows and the cumulative security impact of running Windows on a device with a TPM.
## TPM Overview
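Review bot: the "See also" links to TPM Fundamentals and TPM Recommendations (and the Windows 10 and Windows 11 specification pages) are removed from the intro without being moved anywhere else in this file; if the intent is to rely on the TOC, fine, otherwise re-add them at the end of the article. The shortened intro itself reads well and keeps the original scope.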
@@ -32,17 +23,17 @@ The TPM is a cryptographic module that enhances computer security and privacy. P
Historically, TPMs have been discrete chips soldered to a computer's motherboard. Such implementations allow the computer's original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.
-TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform's owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user reinstalls the operating system, user may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM's features.
+TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform's owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, a TPM must be provisioned. Windows automatically provisions a TPM, but if the operating system is reinstalled, the TPM may be required to be explicitly reprovisioned before it can use all the TPM's features.
The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
-OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key *truly cannot leave the TPM*.
+OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone can't achieve. For example, software alone can't reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key *truly can't leave the TPM*.
-The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs, whereas others do not.
+The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs, whereas others don't.
Certification programs for TPMs—and technology in general—continue to evolve as the speed of innovation increases. Although having a TPM is clearly better than not having a TPM, Microsoft's best advice is to determine your organization's security needs and research any regulatory requirements associated with procurement for your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability.
-## TPM in Windows
+## TPM in Windows
The security features of Windows combined with the benefits of a TPM offer practical security and privacy benefits. The following sections start with major TPM-related security features in Windows and go on to describe how key technologies use the TPM to enable or increase security.
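Review bot: wording in the `+` provisioning paragraph: "the TPM may be required to be explicitly reprovisioned before it can use all the TPM's features" is clumsy and has the TPM using its own features; suggest "the TPM may need to be explicitly reprovisioned before Windows can use all of its features". The "## TPM in Windows" heading change looks whitespace-only (trailing space removed), which is fine.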
@@ -52,25 +43,27 @@ Windows includes a cryptography framework called *Cryptographic API: Next Genera
Although CNG sounds like a mundane starting point, it illustrates some of the advantages that a TPM provides. Underneath the CNG interface, Windows or third parties supply a cryptographic provider (that is, an implementation of an algorithm) implemented as software libraries alone or in a combination of software and available system hardware or third-party hardware. If implemented through hardware, the cryptographic provider communicates with the hardware behind the software interface of CNG.
-The Platform Crypto Provider, introduced in the Windows 8 operating system, exposes the following special TPM properties, which software-only CNG providers cannot offer or cannot offer as effectively:
+The Platform Crypto Provider, introduced in the Windows 8 operating system, exposes the following special TPM properties, which software-only CNG providers can't offer or can't offer as effectively:
-- **Key protection**. The Platform Crypto Provider can create keys in the TPM with restrictions on their use. The operating system can load and use the keys in the TPM without copying the keys to system memory, where they are vulnerable to malware. The Platform Crypto Provider can also configure keys that a TPM protects so that they are not removable. If a TPM creates a key, the key is unique and resides only in that TPM. If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM is not a source for making more copies of the key or enabling the use of copies elsewhere. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use.
+- **Key protection**. The Platform Crypto Provider can create keys in the TPM with restrictions on their use. The operating system can load and use the keys in the TPM without copying the keys to system memory, where they're vulnerable to malware. The Platform Crypto Provider can also configure keys that a TPM protects so that they aren't removable. If a TPM creates a key, the key is unique and resides only in that TPM. If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM isn't a source for making more copies of the key or enabling the use of copies elsewhere. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use.
-- **Dictionary attack protection**. Keys that a TPM protects can require an authorization value such as a PIN. With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. Software solutions might provide similar features, but they cannot provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions.
+- **Dictionary attack protection**. Keys that a TPM protects can require an authorization value such as a PIN. With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. Software solutions might provide similar features, but they can't provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions.
-These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. A practical way to see these benefits in action is when using certificates on a Windows device. On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. In mixed environments, where some computers might not have a TPM, the certificate template could prefer the Platform Crypto Provider over the standard Windows software provider. If a certificate is configured as not able to be exported, the private key for the certificate is restricted and cannot be exported from the TPM. If the certificate requires a PIN, the PIN gains the TPM's dictionary attack protection automatically.
+These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. A practical way to see these benefits in action is when using certificates on a Windows device. On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. In mixed environments, where some computers might not have a TPM, the certificate template could prefer the Platform Crypto Provider over the standard Windows software provider. If a certificate is configured as not able to be exported, the private key for the certificate is restricted and can't be exported from the TPM. If the certificate requires a PIN, the PIN gains the TPM's dictionary attack protection automatically.
## Virtual Smart Card
-Smart cards are highly secure physical devices that typically store a single certificate and the corresponding private key. Users insert a smart card into a built-in or USB card reader and enter a PIN to unlock it. Windows can then access the card's certificate and use the private key for authentication or to unlock BitLocker protected data volumes. Smart cards are popular because they provide two-factor authentication that requires both something the user has (that is, the smart card) and something the user knows (such as the smart card PIN). Smart cards are difficult to use, however, because they require purchase and deployment of both smart cards and smart card readers.
+[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
-In Windows, the Virtual Smart Card feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes "something the user has" but still requires a PIN. Although physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM's dictionary attack protection to prevent too many PIN guesses.
+Smart cards are physical devices that typically store a single certificate and the corresponding private key. Users insert a smart card into a built-in or USB card reader and enter a PIN to unlock it. Windows can then access the card's certificate and use the private key for authentication or to unlock BitLocker protected data volumes. Smart cards are popular because they provide two-factor authentication that requires both something the user has (that is, the smart card) and something the user knows (such as the smart card PIN). However, smart cards can be expensive because they require purchase and deployment of both smart cards and smart card readers.
-For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key so that it cannot be copied when it is in use or stored and used elsewhere. Using a component that is part of the system rather than a separate physical smart card can reduce total cost of ownership because it eliminates "lost card" and "card left at home" scenarios while still delivering the benefits of smart card–based multifactor authentication. For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access.
+In Windows, the *Virtual Smart Card* feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes *something the user has* but still requires a PIN. While physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM's dictionary attack protection to prevent too many PIN guesses.
+
+For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key, so that it can't be copied when it is in use or stored and used elsewhere. Using a component that is part of the system rather than a separate physical smart card, can reduce total cost of ownership. The *lost card* or *card left at home* scenarios are not applicable, and the benefits of smart card-based multifactor authentication is preserved. For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access.
## Windows Hello for Business
-Windows Hello for Business provides authentication methods intended to replace passwords, which can be difficult to remember and easily compromised. In addition, user name - password solutions for authentication often reuse the same user name – password combinations on multiple devices and services; if those credentials are compromised, they are compromised in many places. Windows Hello for Business provisions devices one by one and combines the information provisioned on each device (i.e., the cryptographic key) with additional information to authenticate users. On a system that has a TPM, the TPM can protect the key. If a system does not have a TPM, software-based techniques protect the key. The additional information the user supplies can be a PIN value or, if the system has the necessary hardware, biometric information, such as fingerprint or facial recognition. To protect privacy, the biometric information is used only on the provisioned device to access the provisioned key: it is not shared across devices.
+Windows Hello for Business provides authentication methods intended to replace passwords, which can be difficult to remember and easily compromised. In addition, username/password solutions for authentication often reuse the same credential combinations on multiple devices and services. If those credentials are compromised, they are compromised in multiple places. Windows Hello for Business combines the information provisioned on each device (i.e., the cryptographic key) with additional information to authenticate users. On a system that has a TPM, the TPM can protect the key. If a system does not have a TPM, software-based techniques protect the key. The additional information the user supplies can be a PIN value or, if the system has the necessary hardware, biometric information, such as fingerprint or facial recognition. To protect privacy, the biometric information is used only on the provisioned device to access the provisioned key: it is not shared across devices.
The adoption of new authentication technology requires that identity providers and organizations deploy and use that technology. Windows Hello for Business lets users authenticate with their existing Microsoft account, an Active Directory account, a Microsoft Azure Active Directory account, or even non-Microsoft Identity Provider Services or Relying Party Services that support [Fast ID Online V2.0 authentication](https://go.microsoft.com/fwlink/p/?LinkId=533889).
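Review bot: grammar and punctuation in the `+` Virtual Smart Card paragraph: "the benefits of smart card-based multifactor authentication is preserved" should be "are preserved", and the comma in "rather than a separate physical smart card, can reduce total cost of ownership" splits subject from verb and should go. The contraction pass is also inconsistent inside this hunk: the Windows Hello for Business paragraph keeps "does not have a TPM" and "it is not shared across devices" while neighbouring sentences were switched to "can't"/"aren't". Placing the deprecation include at the top of the Virtual Smart Card section, ahead of the explanatory text, is the right spot for it.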
@@ -89,11 +82,11 @@ For Windows Hello for Business, Microsoft can fill the role of the identity CA.
BitLocker provides full-volume encryption to protect data at rest. The most common device configuration splits the hard drive into several volumes. The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools. (These other volumes are used infrequently enough that they do not need to be visible to users.) Without more protections in place, if the volume containing the operating system and user data is not encrypted, someone can boot another operating system and easily bypass the intended operating system's enforcement of file permissions to read any user data.
-In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data cannot be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities:
+In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data can't be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities:
-- **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component's measurement is sent to the TPM before it runs, a component cannot erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values.
+- **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component's measurement is sent to the TPM before it runs, a component can't erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values.
-- **Key used only when boot measurements are accurate**. BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process cannot proceed normally because the data on the operating system cannot be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. Organizations can configure BitLocker to store the recovery key-in Active Directory Domain Services (AD DS).
+- **Key used only when boot measurements are accurate**. BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process can't proceed normally because the data on the operating system can't be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. Organizations can configure BitLocker to store the recovery key-in Active Directory Domain Services (AD DS).
Device hardware characteristics are important to BitLocker and its ability to protect data. One consideration is whether the device provides attack vectors when the system is at the logon screen. For example, if the Windows device has a port that allows direct memory access so that someone can plug in hardware and read memory, an attacker can read the operating system volume's decryption key from memory while at the Windows logon screen. To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value. The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value. This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience.
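Review bot: the stray hyphen in "store the recovery key-in Active Directory Domain Services (AD DS)" on the last + line of this hunk is carried over unchanged; it should read "store the recovery key in Active Directory Domain Services (AD DS)". While these lines are being touched, the contraction pass is uneven: "cannot" becomes "can't" in both + lines, but "are not accessible", "will not let" and "will not allow" in the same sentences stay as they were, so each paragraph now mixes both styles. Either convert those too or leave the paragraph alone.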
@@ -124,7 +117,6 @@ When new security features are added to Windows, Measured Boot adds security-rel
:::image type="content" alt-text="Process to Create Evidence of Boot Software and Configuration Using TPM." source="images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png" lightbox="images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png":::
*Figure 2: Process used to create evidence of boot software and configuration using a TPM*
-
## Health Attestation
Some Windows improvements help security solutions implement remote attestation scenarios. Microsoft provides a Health Attestation service, which can create attestation identity key certificates for TPMs from different manufacturers as well as parse measured boot information to extract simple security assertions, such as whether BitLocker is on or off. The simple security assertions can be used to evaluate device health.
@@ -135,9 +127,9 @@ Mobile device management (MDM) solutions can receive simple security assertions
Credential Guard is a new feature in Windows that helps protect Windows credentials in organizations that have deployed AD DS. Historically, a user's credentials (such as a logon password) were hashed to generate an authorization token. The user employed the token to access resources that he or she was permitted to use. One weakness of the token model is that malware that had access to the operating system kernel could look through the computer's memory and harvest all the access tokens currently in use. The attacker could then use harvested tokens to log on to other machines and collect more credentials. This kind of attack is called a "pass the hash" attack, a malware technique that infects one machine to infect many machines across an organization.
-Similar to the way Microsoft Hyper-V keeps virtual machines (VMs) separate from one another, Credential Guard uses virtualization to isolate the process that hashes credentials in a memory area that the operating system kernel cannot access. This isolated memory area is initialized and protected during the boot process so that components in the larger operating system environment cannot tamper with it. Credential Guard uses the TPM to protect its keys with TPM measurements, so they are accessible only during the boot process step when the separate region is initialized; they are not available for the normal operating system kernel. The local security authority code in the Windows kernel interacts with the isolated memory area by passing in credentials and receiving single-use authorization tokens in return.
+Similar to the way Microsoft Hyper-V keeps virtual machines (VMs) separate from one another, Credential Guard uses virtualization to isolate the process that hashes credentials in a memory area that the operating system kernel can't access. This isolated memory area is initialized and protected during the boot process so that components in the larger operating system environment can't tamper with it. Credential Guard uses the TPM to protect its keys with TPM measurements, so they are accessible only during the boot process step when the separate region is initialized; they are not available for the normal operating system kernel. The local security authority code in the Windows kernel interacts with the isolated memory area by passing in credentials and receiving single-use authorization tokens in return.
-The resulting solution provides defense in depth, because even if malware runs in the operating system kernel, it cannot access the secrets inside the isolated memory area that actually generates authorization tokens. The solution does not solve the problem of key loggers because the passwords such loggers capture actually pass through the normal Windows kernel, but when combined with other solutions, such as smart cards for authentication, Credential Guard greatly enhances the protection of credentials in Windows.
+The resulting solution provides defense in depth, because even if malware runs in the operating system kernel, it can't access the secrets inside the isolated memory area that actually generates authorization tokens. The solution does not solve the problem of key loggers because the passwords such loggers capture actually pass through the normal Windows kernel, but when combined with other solutions, such as smart cards for authentication, Credential Guard greatly enhances the protection of credentials in Windows.
## Conclusion
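Review bot: the contraction change on the two + lines is incomplete: "can't access" now sits beside "does not solve the problem of key loggers" in the same paragraph, and "they are not available" in the preceding one, so the edit introduces an inconsistency rather than removing one. Separately, the unchanged context line at the top of the hunk describes malware harvesting "access tokens" generated from a hashed password and then calls the technique "pass the hash"; the paragraph is internally inconsistent about whether the hash or a token is what gets replayed, and since the file is being revised this is worth tightening so the name matches the description.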
@@ -147,9 +139,9 @@ The TPM adds hardware-based security benefits to Windows. When installed on hard
|Feature | Benefits when used on a system with a TPM|
|---|---|
-| Platform Crypto Provider | - If the machine is compromised, the private key associated with the certificate cannot be copied off the device.
- The TPM's dictionary attack mechanism protects PIN values to use a certificate.
|
+| Platform Crypto Provider | - If the machine is compromised, the private key associated with the certificate can't be copied off the device.
- The TPM's dictionary attack mechanism protects PIN values to use a certificate.
|
| Virtual Smart Card | - Achieve security similar to that of physical smart cards without deploying physical smart cards or card readers.
|
-| Windows Hello for Business | - Credentials provisioned on a device cannot be copied elsewhere.
- Confirm a device's TPM before credentials are provisioned.
|
+| Windows Hello for Business | - Credentials provisioned on a device can't be copied elsewhere.
- Confirm a device's TPM before credentials are provisioned.
|
| BitLocker Drive Encryption | - Multiple options are available for enterprises to protect data at rest while balancing security requirements with different device hardware.
|
|Device Encryption | - With a Microsoft account and the right hardware, consumers' devices seamlessly benefit from data-at-rest protection.
|
| Measured Boot | - A hardware root of trust contains boot measurements that help detect malware during remote attestation.
|
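Review bot: the table rows in this hunk are not valid Markdown. The Platform Crypto Provider and Windows Hello for Business cells are split across three physical lines ("| Platform Crypto Provider | - If the machine is compromised, ..." / "- The TPM's dictionary attack mechanism protects PIN values to use a certificate." / "|"), and Markdown tables cannot hold multi-line cells, so everything after the first line of each cell renders as loose text underneath the table. Keep each row on one line and separate the bullets with `<br>`, e.g. `| Platform Crypto Provider | - If the machine is compromised, the private key associated with the certificate can't be copied off the device.<br>- The TPM's dictionary attack mechanism protects PIN values to use a certificate. |`. The single-bullet rows (Virtual Smart Card, BitLocker Drive Encryption, Device Encryption, Measured Boot) carry the same dangling "|" on its own line and need the same treatment.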
diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
index 0fa4cfb623..530666774a 100644
--- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
+++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
@@ -1,67 +1,58 @@
---
-title: Troubleshoot the TPM (Windows)
-description: This article for the IT professional describes how to view status for, clear, or troubleshoot the Trusted Platform Module (TPM).
-ms.reviewer:
+title: Troubleshoot the TPM
+description: Learn how to view and troubleshoot the Trusted Platform Module (TPM).
ms.prod: windows-client
-author: dansimp
-ms.author: dansimp
+author: paolomatarazzo
+ms.author: paoloma
manager: aaroncz
-ms.collection:
- - highpri
- - tier1
ms.topic: conceptual
-ms.date: 09/06/2021
+ms.date: 02/02/2023
ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
+ms.collection:
+- highpri
+- tier1
---
# Troubleshoot the TPM
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+This article provides information how to troubleshoot the Trusted Platform Module (TPM):
-This article provides information for the IT professional to troubleshoot the Trusted Platform Module (TPM):
+- [Troubleshoot TPM initialization](#tpm-initialization)
+- [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm)
-- [Troubleshoot TPM initialization](#troubleshoot-tpm-initialization)
-
-- [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm)
-
-With TPM 1.2 and Windows 10, version 1507 or 1511, or Windows 11, you can also take the following actions:
-
-- [Turn on or turn off the TPM](#turn-on-or-turn-off)
+With TPM 1.2 and Windows 11, you can also take the following actions:
+- [Turn on or turn off the TPM](#turn-on-or-turn-off)
For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true).
## About TPM initialization and ownership
-Starting with Windows 10 and Windows 11, the operating system automatically initializes and takes ownership of the TPM. This is a change from previous operating systems, where you would initialize the TPM and create an owner password.
+Windows automatically initializes and takes ownership of the TPM. This is a change from previous operating systems, where you had to initialize the TPM and create an owner password.
-## Troubleshoot TPM initialization
+### TPM initialization
If you find that Windows isn't able to initialize the TPM automatically, review the following information:
-- You can try clearing the TPM to the factory default values and allowing Windows to re-initialize it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this article.
+- You can try clearing the TPM to the factory default values, allowing Windows to reinitialize it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm)
+- If the TPM is a TPM 2.0 and isn't detected by Windows, verify that your computer hardware contains a Unified Extensible Firmware Interface (UEFI) that is Trusted Computing Group-compliant. Also, ensure that in the UEFI settings, the TPM hasn't been disabled or hidden from the operating system
+- If you have TPM 1.2 with Windows 11, the TPM might be turned off, and need to be turned back on, as described in [Turn on the TPM](#turn-on-the-tpm). When it's turned back on, Windows will reinitialize it
+- If you're attempting to set up BitLocker with the TPM, check which TPM driver is installed on the computer. We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker. If a non-Microsoft TPM driver is installed, it may prevent the default TPM driver from loading and cause BitLocker to report that a TPM isn't present on the computer. If you have a non-Microsoft driver installed, remove it, and then allow the operating system to initialize the TPM
-- If the TPM is a TPM 2.0 and isn't detected by Windows, verify that your computer hardware contains a Unified Extensible Firmware Interface (UEFI) that is Trusted Computing Group-compliant. Also, ensure that in the UEFI settings, the TPM hasn't been disabled or hidden from the operating system.
+### Network connection issues for domain-joined Windows 11 devices
-- If you have TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11, the TPM might be turned off, and need to be turned back on, as described in [Turn on the TPM](#turn-on-the-tpm). When it's turned back on, Windows will re-initialize it.
+If you have Windows 11, the initialization of the TPM can't complete when your computer has network connection issues and both of the following conditions exist:
-- If you're attempting to set up BitLocker with the TPM, check which TPM driver is installed on the computer. We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker. If a non-Microsoft TPM driver is installed, it may prevent the default TPM driver from loading and cause BitLocker to report that a TPM isn't present on the computer. If you have a non-Microsoft driver installed, remove it and then allow the operating system to initialize the TPM.
+- An administrator has configured your computer to require that TPM recovery information be saved in Active Directory Domain Services (AD DS). This requirement can be configured through group policy
+- A domain controller can't be reached. This scenario may occur on a device that is currently disconnected from the internal network, separated from the domain by a firewall, or experiencing a network component failure (such as an unplugged cable or a faulty network adapter)
-### Troubleshoot network connection issues for Windows 10, versions 1507 and 1511, or Windows 11
+If these issues occur, an error message appears, and you can't complete the initialization process. To avoid the issue, allow Windows to initialize the TPM while you're connected to the corporate network, and you can contact a domain controller.
-If you have Windows 10, version 1507 or 1511, or Windows 11, the initialization of the TPM can't complete when your computer has network connection issues and both of the following conditions exist:
+### Systems with multiple TPMs
-- An administrator has configured your computer to require that TPM recovery information be saved in Active Directory Domain Services (AD DS). This requirement can be configured through Group Policy.
-
-- A domain controller can't be reached. This can occur on a computer that is currently disconnected from the network, separated from the domain by a firewall, or experiencing a network component failure (such as an unplugged cable or a faulty network adapter).
-
-If these issues occur, an error message appears, and you can't complete the initialization process. To avoid this issue, allow Windows to initialize the TPM while you're connected to the corporate network and you can contact a domain controller.
-
-### Troubleshoot systems with multiple TPMs
-
-Some systems may have multiple TPMs and the active TPM may be toggled in UEFI. Windows does not support this behavior. If you switch TPMs, Windows might not properly detect or interact with the new TPM. If you plan to switch TPMs you should toggle to the new TPM, clear it, and reinstall Windows. For more information, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this article.
+Some systems may have multiple TPMs and the active TPM may be toggled in UEFI. Windows doesn't support this configuration. If you switch TPMs, Windows might not properly detect or interact with the new TPM. If you plan to switch TPMs, you should toggle to the new TPM, clear it, and reinstall Windows. For more information, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm).
For example, toggling TPMs will cause BitLocker to enter recovery mode. We strongly recommend that, on systems with two TPMs, one TPM is selected to be used and the selection isn't changed.
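Review bot: the in-page link `[Turn on or turn off the TPM](#turn-on-or-turn-off)` on the + line near the top of this hunk does not resolve: the target heading, retitled to "## Turn on or turn off the TPM" in a later hunk of this file, generates the anchor `#turn-on-or-turn-off-the-tpm`. The old anchor was already broken against the old heading, so fix it here. Second, the rewrite narrows every version qualifier to Windows 11 only ("With TPM 1.2 and Windows 11, you can also take the following actions", "If you have TPM 1.2 with Windows 11, the TPM might be turned off", and the new heading "Network connection issues for domain-joined Windows 11 devices") while the `appliesto` block added in the same hunk says the article covers Windows 10 and later and Windows Server 2016 and later. One of the two is wrong; if the intent is that the TPM 1.2 on/off behaviour no longer applies to Windows 10, state that rather than dropping the versions silently.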
@@ -69,7 +60,7 @@ For example, toggling TPMs will cause BitLocker to enter recovery mode. We stron
You can use the Windows Defender Security Center app to clear the TPM as a troubleshooting step, or as a final preparation before a clean installation of a new operating system. Preparing for a clean installation in this way helps ensure that the new operating system can fully deploy any TPM-based functionality that it includes, such as attestation. However, even if the TPM isn't cleared before a new operating system is installed, most TPM functionality will probably work correctly.
-Clearing the TPM resets it to an unowned state. After you clear the TPM, the Windows operating system will automatically re-initialize it and take ownership again.
+Clearing the TPM resets it to an unowned state. After you clear the TPM, the Windows operating system will automatically reinitialize it and take ownership again.
> [!WARNING]
> Clearing the TPM can result in data loss. For more information, see the next section, "Precautions to take before clearing the TPM."
@@ -78,74 +69,49 @@ Clearing the TPM resets it to an unowned state. After you clear the TPM, the Win
Clearing the TPM can result in data loss. To protect against such loss, review the following precautions:
-- Clearing the TPM causes you to lose all created keys associated with the TPM, and data protected by those keys, such as a virtual smart card or a sign-in PIN. Make sure that you have a backup and recovery method for any data that is protected or encrypted by the TPM.
-
-- Don't clear the TPM on a device you don't own, such as a work or school PC, without being instructed to do so by your IT administrator.
-
-- If you want to temporarily suspend TPM operations and you have TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11, you can turn off the TPM. For more information, see [Turn off the TPM](#turn-off-the-tpm), later in this article.
-
-- Always use functionality in the operating system (such as TPM.msc) to the clear the TPM. Don't clear the TPM directly from UEFI.
-
-- Because your TPM security hardware is a physical part of your computer, before clearing the TPM, you might want to read the manuals or instructions that came with your computer, or search the manufacturer's website.
+- Clearing the TPM causes you to lose all created keys associated with the TPM, and data protected by those keys, such as a virtual smart card or a sign-in PIN. Make sure that you have a backup and recovery method for any data that is protected or encrypted by the TPM
+- Don't clear the TPM on a device you don't own, such as a work or school PC, without being instructed to do so by your IT administrator
+- If you want to temporarily suspend TPM operations on Windows 11, you can turn off the TPM. For more information, see [Turn off the TPM](#turn-off-the-tpm)
+- Always use functionality in the operating system (such as TPM.msc) to the clear the TPM. Don't clear the TPM directly from UEFI
+- Because your TPM security hardware is a physical part of your computer, before clearing the TPM, you might want to read the manuals or instructions that came with your computer, or search the manufacturer's website
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
**To clear the TPM**
1. Open the Windows Defender Security Center app.
+1. Select **Device security**.
+1. Select **Security processor details**.
+1. Select **Security processor troubleshooting**.
+1. Select **Clear TPM**.
+ - You'll be prompted to restart the computer. During the restart, you might be prompted by the UEFI to press a button to confirm that you wish to clear the TPM.
+ - After the device restarts, your TPM will be automatically prepared for use by Windows.
-2. Select **Device security**.
-
-3. Select **Security processor details**.
-
-4. Select **Security processor troubleshooting**.
-
-5. Select **Clear TPM**.
-
-6. You will be prompted to restart the computer. During the restart, you might be prompted by the UEFI to press a button to confirm that you wish to clear the TPM.
-
-7. After the PC restarts, your TPM will be automatically prepared for use by Windows.
-
-## Turn on or turn off the TPM (available only with TPM 1.2 with Windows 10, version 1507 and higher)
+## Turn on or turn off the TPM
Normally, the TPM is turned on as part of the TPM initialization process. You don't normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC.
### Turn on the TPM
-If you want to use the TPM after you have turned it off, you can use the following procedure to turn on the TPM.
+If you want to use the TPM after you've turned it off, you can use the following procedure to turn on the TPM.
-**To turn on the TPM (TPM 1.2 with Windows 10, version 1507 and higher)**
+1. Open the TPM MMC (tpm.msc).
+1. In the **Action** pane, select **Turn TPM On** to display the **Turn on the TPM Security Hardware** page. Read the instructions on this page.
+1. Select **Shutdown** (or **Restart**), and then follow the UEFI screen prompts.
-1. Open the TPM MMC (tpm.msc).
-
-2. In the **Action** pane, select **Turn TPM On** to display the **Turn on the TPM Security Hardware** page. Read the instructions on this page.
-
-3. Select **Shutdown** (or **Restart**), and then follow the UEFI screen prompts.
-
- After the computer restarts, but before you sign in to Windows, you will be prompted to accept the reconfiguration of the TPM. This ensures that the user has physical access to the computer and that malicious software isn't attempting to make changes to the TPM.
+After the device restarts, but before you sign in to Windows, you'll be prompted to accept the reconfiguration of the TPM. The acceptance ensures that the user has physical access to the computer and that malicious software isn't attempting to make changes to the TPM.
### Turn off the TPM
If you want to stop using the services that are provided by the TPM, you can use the TPM MMC to turn off the TPM.
-**To turn off the TPM (TPM 1.2 with Windows 10, version 1507 and higher)**
-
-1. Open the TPM MMC (tpm.msc).
-
-2. In the **Action** pane, select **Turn TPM Off** to display the **Turn off the TPM security hardware** page.
-
-3. In the **Turn off the TPM security hardware** dialog box, select a method to enter your owner password and turning off the TPM:
-
- - If you saved your TPM owner password on a removable storage device, insert it, and then select **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, select **Browse** to locate the .tpm file that is saved on your removable storage device, select **Open**, and then select **Turn TPM Off**.
-
- - If you don't have the removable storage device with your saved TPM owner password, select **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then select **Turn TPM Off**.
-
- - If you didn't save your TPM owner password or no longer know it, select **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password.
+1. Open the TPM MMC (`tpm.msc`).
+1. In the **Action** pane, select **Turn TPM Off** to display the **Turn off the TPM security hardware** page.
+1. In the **Turn off the TPM security hardware** dialog box, select a method to enter your owner password and turning off the TPM:
+ - If you saved your TPM owner password on a removable storage device, insert it, and then select **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, select **Browse** to locate the *.tpm* file that is saved on your removable storage device, select **Open**, and then select **Turn TPM Off**.
+ - If you don't have the removable storage device with your saved TPM owner password, select **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then select **Turn TPM Off**.
+ - If you didn't save your TPM owner password or no longer know it, select **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password.
## Use the TPM cmdlets
You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true).
-
-## Related articles
-
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of articles)
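Review bot: the precaution "If you want to temporarily suspend TPM operations on Windows 11, you can turn off the TPM" drops the TPM 1.2 qualifier, and the retitled heading "## Turn on or turn off the TPM" drops the "(available only with TPM 1.2 ...)" parenthetical, but the procedure below still turns on a TPM owner password and a saved *.tpm* owner-password file, which the earlier hunk of this file still scopes to TPM 1.2. Without the qualifier a reader with a TPM 2.0 device will go looking for a "Turn TPM Off" action that the page elsewhere says is TPM 1.2-only; keep "TPM 1.2" on both the precaution and the heading. Also, the typo "to the clear the TPM" on the + line in the precautions list is carried over unchanged and should read "to clear the TPM". Finally, removing the "Related articles" section at the end drops the only link to the TPM top node; confirm that navigation is provided elsewhere before deleting it.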
diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
index 6e27cc9532..de49d856c6 100644
--- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
+++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
@@ -1,70 +1,63 @@
---
-title: Understanding PCR banks on TPM 2.0 devices (Windows)
-description: This topic for the IT professional provides background about what happens when you switch PCR banks on TPM 2.0 devices.
-ms.reviewer:
+title: UnderstandPCR banks on TPM 2.0 devices
+description: Learn about what happens when you switch PCR banks on TPM 2.0 devices.
ms.prod: windows-client
-author: dansimp
-ms.author: dansimp
+author: paolomatarazzo
+ms.author: paoloma
manager: aaroncz
ms.topic: conceptual
-ms.date: 09/06/2021
+ms.date: 02/02/2023
ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
---
-# Understanding PCR banks on TPM 2.0 devices
+# PCR banks on TPM 2.0 devices
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+For steps on how to switch PCR banks on TPM 2.0 devices on your PC, you should contact your OEM or UEFI vendor. This article provides background about what happens when you switch PCR banks on TPM 2.0 devices.
-For steps on how to switch PCR banks on TPM 2.0 devices on your PC, you should contact your OEM or UEFI vendor. This topic provides background about what happens when you switch PCR banks on TPM 2.0 devices.
+A *Platform Configuration Register (PCR)* is a memory location in the TPM that has some unique properties. The size of the value that can be stored in a PCR is determined by the size of a digest generated by an associated hashing algorithm. A SHA-1 PCR can store 20 bytes - the size of a SHA-1 digest. Multiple PCRs associated with the same hashing algorithm are referred to as a *PCR bank*.
-A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties. The size of the value that can be stored in a PCR is determined by the size of a digest generated by an associated hashing algorithm. A SHA-1 PCR can store 20 bytes – the size of a SHA-1 digest. Multiple PCRs associated with the same hashing algorithm are referred to as a PCR bank.
+To store a new value in a PCR, the existing value is extended with a new value as follows: `PCR[N] = HASHalg( PCR[N] || ArgumentOfExtend)`
-To store a new value in a PCR, the existing value is extended with a new value as follows:
-PCR\[N\] = HASHalg( PCR\[N\] || ArgumentOfExtend )
+The existing value is concatenated with the argument of the TPM Extend operation. The resulting concatenation is then used as input to the associated hashing algorithm, which computes a digest of the input. The computed digest becomes the new value of the PCR.
-The existing value is concatenated with the argument of the TPM Extend operation. The resulting concatenation is then used as input to the associated hashing algorithm, which computes a digest of the input. This computed digest becomes the new value of the PCR.
+The [TCG PC Client Platform TPM Profile Specification](http://www.trustedcomputinggroup.org/pc-client-platform-tpm-profile-ptp-specification/) defines the inclusion of at least one PCR bank with 24 registers. The only way to reset the first 16 PCRs is to reset the TPM itself. This restriction helps to ensure that the value of those PCRs can only be modified via the TPM Extend operation.
-The [TCG PC Client Platform TPM Profile Specification](http://www.trustedcomputinggroup.org/pc-client-platform-tpm-profile-ptp-specification/) defines the inclusion of at least one PCR bank with 24 registers. The only way to reset the first 16 PCRs is to reset the TPM itself. This restriction helps ensure that the value of those PCRs can only be modified via the TPM Extend operation.
-
-Some TPM PCRs are used as checksums of log events. The log events are extended in the TPM as the events occur. Later, an auditor can validate the logs by computing the expected PCR values from the log and comparing them to the PCR values of the TPM. Since the first 16 TPM PCRs cannot be modified arbitrarily, a match between an expected PCR value in that range and the actual TPM PCR value provides assurance of an unmodified log.
+Some TPM PCRs are used as checksums of log events. The log events are extended in the TPM as the events occur. Later, an auditor can validate the logs by computing the expected PCR values from the log and comparing them to the PCR values of the TPM. Since the first 16 TPM PCRs can't be modified arbitrarily, a match between an expected PCR value in that range and the actual TPM PCR value provides assurance of an unmodified log.
## How does Windows use PCRs?
-To bind the use of a TPM based key to a certain state of the PC, the key can be sealed to an expected set of PCR values. For instance, PCRs 0 through 7 have a well-defined value after the boot process – when the OS is loaded. When the hardware, firmware, or boot loader of the machine changes, the change can be detected in the PCR values. Windows uses this capability to make certain cryptographic keys only available at certain times during the boot process. For instance, the BitLocker key can be used at a certain point in the boot, but not before or after.
+To bind the use of a TPM based key to a certain state of the device, the key can be sealed to an expected set of PCR values.\
+For instance, PCRs 0 through 7 have a well-defined value after the boot process, when the OS is loaded. When the hardware, firmware, or boot loader of the machine changes, the change can be detected in the PCR values. Windows uses this capability to make certain cryptographic keys only available at certain times during the boot process. For instance, the BitLocker key can be used at a certain point in the boot, but not before or after.
-It is important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the SHA-1 PCR\[12\], if using the SHA-256 PCR bank, even with the same system configuration. Otherwise, the PCR values will not match.
+It's important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the `SHA-1 PCR[12]`, if using the SHA-256 PCR bank, even with the same system configuration. Otherwise, the PCR values won't match.
## What happens when PCR banks are switched?
When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. Each hash algorithm will return a different cryptographic signature for the same inputs.
-As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR bank to SHA-256, the banks wouldn't match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows will not be able to unseal it if the PCR banks are switched while BitLocker is enabled.
+As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR bank to SHA-256, the banks wouldn't match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows won't be able to unseal it if the PCR banks are switched while BitLocker is enabled.
## What can I do to switch PCRs when BitLocker is already active?
-Before switching PCR banks you should suspend or disable BitLocker – or have your recovery key ready. For steps on how to switch PCR banks on your PC, you should contact your OEM or UEFI vendor.
+Before switching PCR banks, you should suspend or disable BitLocker or have the recovery key ready. For steps on how to switch PCR banks on your PC, contact your OEM or UEFI vendor.
## How can I identify which PCR bank is being used?
-A TPM can be configured to have multiple PCR banks active. When BIOS is performing measurements it will do so into all active PCR banks, depending on its capability to make these measurements. BIOS may choose to deactivate PCR banks that it does not support or "cap" PCR banks that it does not support by extending a separator. The following registry value identifies which PCR banks are active.
+You can configure a TPM to have multiple PCR banks active. When BIOS performs measurements, it does so into all active PCR banks, depending on its capability to make these measurements. BIOS may choose to deactivate PCR banks that it doesn't support or *cap* PCR banks that it doesn't support by extending a separator. The following registry value identifies which PCR banks are active:
-- Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
-- DWORD: TPMActivePCRBanks
-- Defines which PCR banks are currently active. (This value should be interpreted as a bitmap for which the bits are defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 21 of Revision 1.27.)
+- Registry key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices`
+- DWORD: `TPMActivePCRBanks`
+- Defines which PCR banks are currently active. (This value should be interpreted as a bitmap for which the bits are defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 21 of Revision 1.27.)
-Windows checks which PCR banks are active and supported by the BIOS. Windows also checks if the measured boot log supports measurements for all active PCR banks. Windows will prefer the use of the SHA-256 bank for measurements and will fall back to SHA1 PCR bank if one of the pre-conditions is not met.
+Windows checks which PCR banks are active and supported by the BIOS. Windows also checks if the measured boot log supports measurements for all active PCR banks. Windows will prefer the use of the SHA-256 bank for measurements and will fall back to SHA1 PCR bank if one of the pre-conditions isn't met.
-You can identify which PCR bank is currently used by Windows by looking at the registry.
+You can identify which PCR bank is currently used by Windows by looking at the registry:
-- Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
-- DWORD: TPMDigestAlgID
-- Algorithm ID of the PCR bank that Windows is currently using. (This value represents an algorithm identifier as defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 3 of Revision 1.27.)
+- Registry key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices`
+- DWORD: `TPMDigestAlgID`
+- Algorithm ID of the PCR bank that Windows is currently using. (This value represents an algorithm identifier as defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 3 of Revision 1.27.)
-Windows only uses one PCR bank to continue boot measurements. All other active PCR banks will be extended with a separator to indicate that they are not used by Windows and measurements that appear to be from Windows should not be trusted.
-
-## Related topics
-
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
+Windows only uses one PCR bank to continue boot measurements. All other active PCR banks will be extended with a separator to indicate that they aren't used by Windows and measurements that appear to be from Windows shouldn't be trusted.
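Review bot: the new front-matter title on the `+title:` line is missing a space, `UnderstandPCR banks on TPM 2.0 devices`, and it no longer matches the new H1 `# PCR banks on TPM 2.0 devices`; suggest `title: PCR banks on TPM 2.0 devices` so the page title and heading agree. Two smaller points in the same hunk: the sentence "a key can be bound to a specific value of the `SHA-1 PCR[12]`, if using the SHA-256 PCR bank, even with the same system configuration. Otherwise, the PCR values won't match." is carried over unchanged and still reads backwards; since the surrounding text was reworded anyway, it would be worth fixing here, for example "a key bound to a specific value of SHA-1 PCR[12] can't be unsealed when the SHA-256 bank is in use, even with the same system configuration, because the PCR values won't match." And the following paragraph keeps the escaped `PCR\[12\]` while the paragraph above was changed to the backticked `PCR[12]` form; pick one. Finally, the `## Related topics` section with the link to `trusted-platform-module-top-node.md` is removed without a replacement; confirm that is intended.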
diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md
index e6fafb1224..78c253cc6c 100644
--- a/windows/security/information-protection/tpm/tpm-fundamentals.md
+++ b/windows/security/information-protection/tpm/tpm-fundamentals.md
@@ -1,71 +1,63 @@
---
-title: Trusted Platform Module (TPM) fundamentals (Windows)
-description: Inform yourself about the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and how they are used to mitigate dictionary attacks.
+title: Trusted Platform Module (TPM) fundamentals
+description: Learn about the components of the Trusted Platform Module and how they're used to mitigate dictionary attacks.
ms.reviewer:
ms.prod: windows-client
author: dansimp
ms.author: dansimp
manager: aaroncz
ms.topic: conceptual
-ms.date: 12/27/2021
+ms.date: 02/22/2023
ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
---
# TPM fundamentals
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and later
+This article provides a description of the *Trusted Platform Module* (TPM 1.2 and TPM 2.0) components, and explains how they're used to mitigate dictionary attacks.
-This article for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks.
+A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is installed on the motherboard of a computer, and it communicates with the rest of the system by using a hardware bus.
-A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is installed on the motherboard of a computer, and it communicates with the rest of the system by using a hardware bus.
+Devices that incorporate a TPM can create cryptographic keys and encrypt them, so that the keys can only be decrypted by the TPM. This process, often called *wrapping* or *binding a key*, can help protect the key from disclosure. Each TPM has a *master wrapping key*, called the *storage root key*, which is stored within the TPM itself. The private portion of a storage root key, or *endorsement key*, that is created in a TPM is never exposed to any other component, software, process, or user.
-Computers that incorporate a TPM can create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, often called wrapping or binding a key, can help protect the key from disclosure. Each TPM has a master wrapping key, called the storage root key, which is stored within the TPM itself. The private portion of a storage root key or endorsement key that is created in a TPM is never exposed to any other component, software, process, or user.
+You can specify whether encryption keys that are created by the TPM can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys can't be migrated, the private portion of the key is never exposed outside the TPM.
-You can specify whether encryption keys that are created by the TPM can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys cannot be migrated, the private portion of the key is never exposed outside the TPM.
-
-Computers that incorporate a TPM can also create a key that is wrapped and tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as "sealing the key to the TPM." Decrypting the key is called unsealing. The TPM can also seal and unseal data that is generated outside the TPM. With this sealed key and software, such as BitLocker Drive Encryption, you can lock data until specific hardware or software conditions are met.
+Devices that incorporate a TPM can also create a key wrapped and tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as *sealing the key to the TPM*. Decrypting the key is called *unsealing*. The TPM can also seal and unseal data that is generated outside the TPM. With sealed key and software, such as BitLocker Drive Encryption, data can be locked until specific hardware or software conditions are met.
With a TPM, private portions of key pairs are kept separate from the memory that is controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system (assurances that define the trustworthiness of a system) can be made before the keys are unsealed and released for use. The TPM uses its own internal firmware and logic circuits to process instructions. Hence, it doesn't rely on the operating system and it isn't exposed to vulnerabilities that might exist in the operating system or application software.
-For info about which versions of Windows support which versions of the TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md). The features that are available in the versions are defined in specifications by the Trusted Computing Group (TCG). For more info, see the Trusted Platform Module page on the Trusted Computing Group website: [Trusted Platform Module](http://www.trustedcomputinggroup.org/developers/trusted_platform_module).
+For information about which versions of Windows support which versions of the TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md). The features that are available in the versions are defined in specifications by the Trusted Computing Group (TCG). For more information, see the Trusted Platform Module page on the Trusted Computing Group website: [Trusted Platform Module](http://www.trustedcomputinggroup.org/developers/trusted_platform_module).
The following sections provide an overview of the technologies that support the TPM:
-- [Measured Boot with support for attestation](#measured-boot-with-support-for-attestation)
+- [Measured Boot with support for attestation](#measured-boot-with-support-for-attestation)
+- [TPM-based Virtual Smart Card](#tpm-based-virtual-smart-card)
+- [TPM-based certificate storage](#tpm-based-certificate-storage)
+- [TPM Cmdlets](#tpm-cmdlets)
+- [Physical presence interface](#physical-presence-interface)
+- [TPM 1.2 states and initialization](#tpm-12-states-and-initialization)
+- [Endorsement keys](#endorsement-keys)
+- [TPM Key Attestation](#key-attestation)
+- [Anti-hammering](#anti-hammering)
-- [TPM-based Virtual Smart Card](#tpm-based-virtual-smart-card)
-
-- [TPM-based certificate storage](#tpm-based-certificate-storage)
-
-- [TPM Cmdlets](#tpm-cmdlets)
-
-- [Physical presence interface](#physical-presence-interface)
-
-- [TPM 1.2 states and initialization](#tpm-12-states-and-initialization)
-
-- [Endorsement keys](#endorsement-keys)
-
-- [TPM Key Attestation](#key-attestation)
-
-- [Anti-hammering](#anti-hammering)
-
-The following topic describes the TPM Services that can be controlled centrally by using Group Policy settings:
+The following article describes the TPM services that can be controlled centrally by using Group Policy settings:
[TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md).
## Measured Boot with support for attestation
-The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components. Antimalware software can use the log to determine whether components that ran before it are trustworthy versus infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can start remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate.
+The *Measured Boot* feature provides anti-malware software with a trusted (resistant to spoofing and tampering) log of all boot components. Anti-malware software can use the log to determine whether components that ran before it are trustworthy or infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can start remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate.
## TPM-based Virtual Smart Card
-The Virtual Smart Card emulates the functionality of traditional smart cards. Virtual Smart Cards use the TPM chip that is available on an organization's computers, rather than using a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a Virtual Smart Card must be issued to the user for each computer. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user.
+[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
+
+The Virtual Smart Card emulates the functionality of traditional smart cards. Virtual Smart Cards use the TPM chip, rather than using a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the device. If a user needs to use more than one device, a Virtual Smart Card must be issued to the user for each device. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user.
## TPM-based certificate storage
-The TPM protects certificates and RSA keys. The TPM key storage provider (KSP) provides easy and convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP generates keys when an organization enrolls for certificates. The KSP is managed by templates in the UI. The TPM also protects certificates that are imported from an outside source. TPM-based certificates are standard certificates. The certificate can never leave the TPM from which the keys are generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](/windows/win32/seccng/cng-portal).
+The TPM protects certificates and RSA keys. The TPM key storage provider (KSP) provides easy and convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP generates keys when an organization enrolls for certificates. The TPM also protects certificates that are imported from an outside source. TPM-based certificates are standard certificates. The certificate can never leave the TPM from which the keys are generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](/windows/win32/seccng/cng-portal).
## TPM Cmdlets
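Review bot: the rewording on the `+Devices that incorporate a TPM can create cryptographic keys` line changes the meaning of the endorsement key sentence: the removed text "The private portion of a storage root key or endorsement key that is created in a TPM is never exposed" covers two distinct keys, but the new "The private portion of a storage root key, or *endorsement key*, that is created in a TPM" reads as an appositive and tells the reader the SRK and the EK are the same key. Suggest keeping the old wording, or "The private portion of either a storage root key or an endorsement key that is created in a TPM is never exposed". Also in this hunk: "With sealed key and software, such as BitLocker Drive Encryption" drops the article and should be "With a sealed key and software"; and the front matter keeps the empty `ms.reviewer:` field and the `dansimp` author that the companion switch-pcr-banks change in this same patch removed and replaced, so the two files end up inconsistent; confirm that is intended.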
@@ -73,7 +65,7 @@ You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets i
## Physical presence interface
-For TPM 1.2, the TCG specifications for TPMs require physical presence (typically, pressing a key) for turning on the TPM, turning it off, or clearing it. These actions typically cannot be automated with scripts or other automation tools unless the individual OEM supplies them.
+For TPM 1.2, the TCG specifications for TPMs require physical presence (typically, pressing a key) for turning on the TPM, turning it off, or clearing it. These actions typically can't be automated with scripts or other automation tools unless the individual OEM supplies them.
## TPM 1.2 states and initialization
@@ -81,59 +73,53 @@ TPM 1.2 has multiple possible states. Windows automatically initializes the TPM,
## Endorsement keys
-A trusted application can use TPM only if the TPM contains an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and it is never revealed or accessible outside the TPM.
+A trusted application can use TPM only if the TPM contains an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and it's never revealed or accessible outside the TPM.
## Key attestation
-TPM key attestation allows a certification authority to verify that a private key is protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys proven valid are used to bind the user identity to a device. The user certificate with a TPM attested key provides higher security assurance backed up by the non-exportability, anti-hammering, and isolation of keys provided by a TPM.
+*TPM key attestation* allows a certification authority to verify that a private key is protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys proven valid are used to bind the user identity to a device. The user certificate with a TPM-attested key provides higher security assurance backed up by non-exportability, anti-hammering, and isolation of keys provided by a TPM.
## Anti-hammering
-When a TPM processes a command, it does so in a protected environment, for example, a dedicated microcontroller on a discrete chip or a special hardware-protected mode on the main CPU. A TPM is used to create a cryptographic key that is not disclosed outside the TPM. It is used in the TPM after the correct authorization value is provided.
+When a TPM processes a command, it does so in a protected environment. For example a dedicated micro controller on a discrete chip, or a special hardware-protected mode on the main CPU. A TPM is used to create a cryptographic key that isn't disclosed outside the TPM. It's used in the TPM after the correct authorization value is provided.
-TPMs have anti-hammering protection that is designed to prevent brute force attacks, or more complex dictionary attacks, that attempt to determine authorization values for using a key. The basic approach is for the TPM to allow only a limited number of authorization failures before it prevents more attempts to use keys and locks. Providing a failure count for individual keys is not technically practical, so TPMs have a global lockout when too many authorization failures occur.
+TPMs have anti-hammering protection that is designed to prevent brute force attacks, or more complex dictionary attacks, that attempt to determine authorization values for using a key. The basic approach is for the TPM to allow only a limited number of authorization failures before it prevents more attempts to use keys and locks. Providing a failure count for individual keys isn't technically practical, so TPMs have a global lockout when too many authorization failures occur.
-Because many entities can use the TPM, a single authorization success cannot reset the TPM's anti-hammering protection. This prevents an attacker from creating a key with a known authorization value and then using it to reset the TPM's protection. TPMs are designed to forget about authorization failures after a period of time so the TPM does not enter a lockout state unnecessarily. A TPM owner password can be used to reset the TPM's lockout logic.
+Because many entities can use the TPM, a single authorization success can't reset the TPM's anti-hammering protection. This prevents an attacker from creating a key with a known authorization value and then using it to reset the TPM's protection. TPMs are designed to forget about authorization failures after a period of time so the TPM doesn't enter a lockout state unnecessarily. A TPM owner password can be used to reset the TPM's lockout logic.
-### TPM 2.0 anti-hammering
+### TPM 2.0 anti-hammering
-TPM 2.0 has well defined anti-hammering behavior. This is in contrast to TPM 1.2 for which the anti-hammering protection was implemented by the manufacturer and the logic varied widely throughout the industry.
+TPM 2.0 has well defined anti-hammering behavior. This is in contrast to TPM 1.2 for which the anti-hammering protection was implemented by the manufacturer and the logic varied widely throughout the industry.
-For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every 10 minutes. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.
+For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every 10 minutes. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.
-Attempts to use a key with an authorization value for the next 10 minutes would not return success or failure; instead the response indicates that the TPM is locked. After 10 minutes, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next 10 minutes. If a period of 320 minutes elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again.
+Attempts to use a key with an authorization value for the next 10 minutes wouldn't return success or failure. Instead, the response indicates that the TPM is locked.\
+After 10 minutes, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31. The TPM leaves the locked state and returns to normal operation.\
+With the correct authorization value, keys could be used normally if no authorization failures occur during the next 10 minutes. If a period of 320 minutes elapses with no authorization failures, the TPM doesn't remember any authorization failures, and 32 failed attempts could occur again.
-Windows 8 Certification does not require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated. Windows does require that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for 10 minutes.
+Windows doesn't require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated.\
+Windows requires that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for 10 minutes.
-The anti-hammering protection for TPM 2.0 can be fully reset immediately by sending a reset lockout command to the TPM and providing the TPM owner password. By default, Windows automatically provisions TPM 2.0 and stores the TPM owner password for use by system administrators.
+The anti-hammering protection for TPM 2.0 can be fully reset immediately by sending a reset lockout command to the TPM, and providing the TPM owner password. By default, Windows automatically provisions TPM 2.0 and stores the TPM owner password for use by system administrators.
-In some enterprise situations, the TPM owner authorization value is configured to be stored centrally in Active Directory, and it is not stored on the local system. An administrator can launch the TPM MMC and choose to reset the TPM lockout time. If the TPM owner password is stored locally, it is used to reset the lockout time. If the TPM owner password is not available on the local system, the administrator needs to provide it. If an administrator attempts to reset the TPM lockout state with the wrong TPM owner password, the TPM does not allow another attempt to reset the lockout state for 24 hours.
+In some implementations, the TPM owner authorization value is stored centrally in Active Directory, and not on the local system. An administrator can execute `tpm.msc` and choose to reset the TPM lockout time. If the TPM owner password is stored locally, it's used to reset the lockout time. If the TPM owner password isn't available on the local system, the administrator must provide it. If an administrator attempts to reset the TPM lockout state with the wrong TPM owner password, the TPM doesn't allow another attempt to reset the lockout state for 24 hours.
-TPM 2.0 allows some keys to be created without an authorization value associated with them. These keys can be used when the TPM is locked. For example, BitLocker with a default TPM-only configuration is able to use a key in the TPM to start Windows, even when the TPM is locked.
+TPM 2.0 allows some keys to be created without an authorization value associated with them. These keys can be used when the TPM is locked. For example, BitLocker with a default TPM-only configuration is able to use a key in the TPM to start Windows, even when the TPM is locked.
### Rationale behind the defaults
Originally, BitLocker allowed from 4 to 20 characters for a PIN.
-Windows Hello has its own PIN for logon, which can be 4 to 127 characters.
+Windows Hello has its own PIN for sign-in, which can be 4 to 127 characters.
Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
-Windows 10, version 1607 and earlier used Dictionary Attack Prevention parameters. The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This totals a maximum of about 4415 guesses per year. If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years.
+Windows 10, version 1607 and earlier used Dictionary Attack Prevention parameters. The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This totals a maximum of about 4415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years.
-Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello. Increasing the PIN length requires a greater number of guesses for an attacker. Therefore, the lockout duration between each guess was shortened to allow legitimate users to retry a failed attempt sooner while maintaining a similar level of protection. In case the legacy parameters for lockout threshold and recovery time need to be used, make sure that GPO is enabled and [configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings#configure-the-system-to-use-legacy-dictionary-attack-prevention-parameters-setting-for-tpm-20).
+Staring in Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to six characters, to better align with other Windows features that use TPM 2.0, including Windows Hello. Increasing the PIN length requires a greater number of guesses for an attacker. Therefore, the lockout duration between each guess was shortened to allow legitimate users to retry a failed attempt sooner while maintaining a similar level of protection. In case the legacy parameters for lockout threshold and recovery time need to be used, make sure that GPO is enabled and [configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings#configure-the-system-to-use-legacy-dictionary-attack-prevention-parameters-setting-for-tpm-20).
### TPM-based smart cards
The Windows TPM-based smart card, which is a virtual smart card, can be configured to allow sign in to the system. In contrast with physical smart cards, the sign-in process uses a TPM-based key with an authorization value. The following list shows the advantages of virtual smart cards:
-
-- Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. With a virtual smart card, the TPM's anti-hammering protection is not reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors.
-
-- Hardware manufacturers and software developers have the option to use the security features of the TPM to meet their requirements.
-
-- The intent of selecting 32 failures as the lock-out threshold is so users rarely lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must to wait 10 minutes or use some other credential to sign in, such as a user name and password.
-
-## Related topics
-
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
-- [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/)
-- [TPM WMI providers](/windows/win32/secprov/security-wmi-providers-reference)
-- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md#tpm-hardware-configurations)
+- Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered.
+ With a virtual smart card, the TPM's anti-hammering protection isn't reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors
+- Hardware manufacturers and software developers can use the security features of the TPM to meet their requirements
+- The intent of selecting 32 failures as the lock-out threshold is to avoid users to lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must wait 10 minutes or use other credentials to sign in, such as a user name and password
\ No newline at end of file
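Review bot: Typo in the rewritten second paragraph under "Rationale behind the defaults": `Staring in Windows 10, version 1703` should be `Starting in Windows 10, version 1703`. In the rewritten smart-card list, the third bullet's `to avoid users to lock the TPM` is ungrammatical; suggest `to prevent users from locking the TPM`. That bullet now also ends the file without a trailing newline (`\ No newline at end of file`), which the previous version had; add the final newline. Finally, this hunk deletes the `## Related topics` list (TPM cmdlets, TPM WMI providers, BitLocker planning) with nothing added in its place, so confirm those links still reach readers from a TOC or another section, because the WMI provider reference is otherwise not linked from this article.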
diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md
index 6207a1192c..49ae107749 100644
--- a/windows/security/information-protection/tpm/tpm-recommendations.md
+++ b/windows/security/information-protection/tpm/tpm-recommendations.md
@@ -1,28 +1,23 @@
---
title: TPM recommendations (Windows)
description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows.
-ms.reviewer:
ms.prod: windows-client
-ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: paolomatarazzo
+ms.author: paoloma
manager: aaroncz
+ms.topic: conceptual
+ms.date: 02/02/2023
+ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
ms.collection:
- highpri
- tier1
-ms.topic: conceptual
-ms.date: 09/06/2021
-ms.technology: itpro-security
---
# TPM recommendations
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows.
For a basic feature description of TPM, see the [Trusted Platform Module Technology Overview](trusted-platform-module-overview.md).
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
index f484ac475a..2c2f23d5cb 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
@@ -1,47 +1,38 @@
---
-title: Trusted Platform Module Technology Overview (Windows)
-description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
-ms.reviewer:
+title: Trusted Platform Module Technology Overview
+description: Learn about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
ms.prod: windows-client
-ms.localizationpriority: high
-author: dansimp
-ms.author: dansimp
+author: paolomatarazzo
+ms.author: paoloma
manager: aaroncz
+ms.topic: conceptual
+ms.date: 02/22/2023
+ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
ms.collection:
- highpri
- tier1
-ms.topic: conceptual
-adobe-target: true
-ms.technology: itpro-security
-ms.date: 12/31/2017
---
# Trusted Platform Module Technology Overview
-**Applies to**
-- Windows 11
-- Windows 10
-- Windows Server 2022
-- Windows Server 2019
-- Windows Server 2016
-
-This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
+This article describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
## Feature description
-[Trusted Platform Module (TPM)](/windows/security/information-protection/tpm/trusted-platform-module-top-node) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can:
+The [*Trusted Platform Module (TPM)*](/windows/security/information-protection/tpm/trusted-platform-module-top-node) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the advantages of using TPM technology are:
-- Generate, store, and limit the use of cryptographic keys.
-
-- Use TPM technology for platform device authentication by using the TPM's unique RSA key, which is burned into it.
-
-- Help ensure platform integrity by taking and storing security measurements.
+- Generate, store, and limit the use of cryptographic keys
+- Use it for device authentication by using the TPM's unique RSA key, which is burned into the chip
+- Help ensure platform integrity by taking and storing security measurements of the boot process
The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system.
TPM-based keys can be configured in a variety of ways. One option is to make a TPM-based key unavailable outside the TPM. This is good to mitigate phishing attacks because it prevents the key from being copied and used without the TPM. TPM-based keys can also be configured to require an authorization value to use them. If too many incorrect authorization guesses occur, the TPM will activate its dictionary attack logic and prevent further authorization value guesses.
-Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, consult the [TCG Web site](http://www.trustedcomputinggroup.org/work-groups/trusted-platform-module/).
+Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, see the [TCG Web site](http://www.trustedcomputinggroup.org/work-groups/trusted-platform-module/).
### Automatic initialization of the TPM with Windows
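Review bot: The second new bullet under "Feature description", `Use it for device authentication by using the TPM's unique RSA key, which is burned into the chip`, reads awkwardly ("use it ... by using"); suggest `Authenticate the device by using the TPM's unique RSA key, which is burned into the chip`. Style points on the same hunk: the rewritten `For more information, see the [TCG Web site](http://www.trustedcomputinggroup.org/...)` line still links over plain http, so switch it to https if the site serves it, and the italicised link text `[*Trusted Platform Module (TPM)*]` is inconsistent with the other links on the page, which are not italicised.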
@@ -51,11 +42,11 @@ In certain specific enterprise scenarios limited to Windows 10, versions 1507 an
## Practical applications
-Certificates can be installed or created on computers that are using the TPM. After a computer is provisioned, the RSA private key for a certificate is bound to the TPM and cannot be exported. The TPM can also be used as a replacement for smart cards, which reduces the costs associated with creating and disbursing smart cards.
+Certificates can be installed or created on computers that are using the TPM. After a computer is provisioned, the RSA private key for a certificate is bound to the TPM and can't be exported. The TPM can also be used as a replacement for smart cards, which reduces the costs associated with creating and disbursing smart cards.
Automated provisioning in the TPM reduces the cost of TPM deployment in an enterprise. New APIs for TPM management can determine if TPM provisioning actions require physical presence of a service technician to approve TPM state change requests during the boot process.
-Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 or Windows 11 or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry.
+Anti-malware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 or Windows 11 or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization aren't running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry.
The TPM has several Group Policy settings that might be useful in certain enterprise scenarios. For more info, see [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md).
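Review bot: Style point on `Anti-malware software can use the boot measurements`: the Microsoft style guide spells this as one word, `antimalware`, which is also what the original line used, so the hyphen should not be introduced here. While touching that line, `a computer running Windows 10 or Windows 11 or Windows Server 2016` would read better as `Windows 10, Windows 11, or Windows Server 2016`, and that explicit version list no longer matches the `appliesto` metadata added earlier in this diff (`Windows 10 and later`, `Windows Server 2016 and later`); consider dropping the version list or aligning it.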
@@ -67,16 +58,14 @@ For more info on new and changed functionality for Trusted Platform Module in Wi
Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource.
-Some things that you can check on the device are:
+Some security issues that you can check on the device include the following:
-- Is Data Execution Prevention supported and enabled?
-
-- Is BitLocker Drive Encryption supported and enabled?
-
-- Is SecureBoot supported and enabled?
+- Is Data Execution Prevention supported and enabled?
+- Is BitLocker Drive Encryption supported and enabled?
+- Is SecureBoot supported and enabled?
> [!NOTE]
-> Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows 10, version 1607. TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
+> Windows supports Device Health Attestation with TPM 2.0. TPM 2.0 requires UEFI firmware. A device with legacy BIOS and TPM 2.0 won't work as expected.
## Supported versions for device health attestation
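Review bot: Logic problem in the rewritten note `Windows supports Device Health Attestation with TPM 2.0. TPM 2.0 requires UEFI firmware.`: it removes the sentence `Support for TPM 1.2 was added beginning with Windows 10, version 1607`, but the "Supported versions for device health attestation" table that follows (visible as context in the next hunk) still carries a `TPM 1.2` row with `>= ver 1607` entries, so the note and the table now disagree about whether TPM 1.2 is supported. Either keep the TPM 1.2 sentence or remove the table row. A drive-by in the unchanged context line above the list: `With device heath attestation` should be `health`.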
@@ -84,16 +73,3 @@ Some things that you can check on the device are:
|-------------|-------------|-------------|---------------------|---------------------|---------------------|
| TPM 1.2 | | >= ver 1607 | | Yes | >= ver 1607 |
| TPM 2.0 | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** |
-
-## Related topics
-
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
-- [Details on the TPM standard](https://www.microsoft.com/research/project/the-trusted-platform-module-tpm/) (has links to features using TPM)
-- [TPM Base Services Portal](/windows/desktop/TBS/tpm-base-services-portal)
-- [TPM Base Services API](/windows/desktop/api/_tbs/)
-- [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule)
-- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md)
-- [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/blog/device-provisioning-identity-attestation-with-tpm/)
-- [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/)
-- [Windows 10: Enabling vTPM (Virtual TPM)](https://social.technet.microsoft.com/wiki/contents/articles/34431.windows-10-enabling-vtpm-virtual-tpm.aspx)
-- [How to Multiboot with Bitlocker, TPM, and a Non-Windows OS](https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx)
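Review bot: The whole `## Related topics` list is removed here with nothing added in its place, including the only links on this page to the TPM Base Services portal and API (`/windows/desktop/api/_tbs/`), the TPM PowerShell cmdlets, and the Azure device-provisioning attestation posts; if these are meant to move to a TOC or "Next steps" section, that change is not part of this diff, so confirm they are not simply lost. Separately, the retained row `| TPM 1.2 | | >= ver 1607 | | Yes | >= ver 1607 |` leaves two cells empty rather than stating a value, which is hard to read in the rendered table; fill them explicitly.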
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
index b6ff1df198..beefbdf4be 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
@@ -1,22 +1,20 @@
---
title: TPM Group Policy settings (Windows)
description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
-ms.reviewer:
ms.prod: windows-client
-author: dansimp
-ms.author: dansimp
+author: paolomatarazzo
+ms.author: paoloma
manager: aaroncz
ms.topic: conceptual
-ms.date: 09/06/2021
+ms.date: 02/02/2023
ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
---
# TPM Group Policy settings
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
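Review bot: Consistency point: the overview article in this same diff changes `This topic for the IT professional describes ...` to `This article describes ...`, but here both the `description:` front matter (`This topic describes the Trusted Platform Module (TPM) Services ...`) and the unchanged intro line keep `This topic`; the top-node article below has the same wording in its `description:`. Align all three. Also, with the `**Applies to**` block removed between `# TPM Group Policy settings` and the intro paragraph, confirm a blank line still separates the heading from the paragraph.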
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
index ca9f536057..fb8113bcd3 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
@@ -2,25 +2,22 @@
title: Trusted Platform Module (Windows)
description: This topic for the IT professional provides links to information about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
ms.prod: windows-client
-ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: paolomatarazzo
+ms.author: paoloma
manager: aaroncz
+ms.topic: conceptual
+ms.date: 02/02/2023
+ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
ms.collection:
- highpri
- tier1
-ms.topic: conceptual
-ms.date: 09/06/2021
-ms.technology: itpro-security
---
# Trusted Platform Module
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. The following topics provide details.
diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
index 12fd396283..2145eb7a1a 100644
--- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
@@ -24,7 +24,7 @@ After you've created and deployed your Windows Information Protection (WIP) poli
To associate your WIP policy with your organization's existing VPN policy, use the following steps:
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** > **Configuration profiles** > **Create profile**.
3. Enter the following properties:
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index d60c78b01f..7b9a855583 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -1,6 +1,6 @@
---
title: Create a WIP policy in Intune
-description: Learn how to use the Microsoft Endpoint Manager admin center to create and deploy your Windows Information Protection (WIP) policy to protect data on your network.
+description: Learn how to use the Microsoft Intune admin center to create and deploy your Windows Information Protection (WIP) policy to protect data on your network.
ms.prod: windows-client
author: aczechowski
ms.author: aaroncz
@@ -53,7 +53,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
## Create a WIP policy
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Open Microsoft Intune and select **Apps** > **App protection policies** > **Create policy**.
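Review bot: With the first step now reading `Sign in to the [Microsoft Intune admin center]`, the unchanged second step `Open Microsoft Intune and select **Apps** > **App protection policies** > **Create policy**` is redundant, since the admin center is already open; suggest `Select **Apps** > **App protection policies** > **Create policy**`, matching the wording used in the wip-learning.md hunk of this diff. The same redundancy remains in the how-to-disable-wip.md steps below (`Open Microsoft Intune and select **Apps** > **App protection policies**`).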
diff --git a/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md b/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md
index 8356183a84..cef1666430 100644
--- a/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md
+++ b/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md
@@ -34,7 +34,7 @@ When you unassign an existing policy, it removes the intent to deploy WIP from t
If you're currently deploying a WIP policy for enrolled or unenrolled devices, you switch the WIP policy to Off. When devices check in after this change, the devices will proceed to unprotect files previously protected by WIP.
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Open Microsoft Intune and select **Apps** > **App protection policies**.
1. Select the existing policy to turn off, and then select the **Properties**.
1. Edit **Required settings**.
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md
index 6b8c5f1841..4bcc628d6a 100644
--- a/windows/security/information-protection/windows-information-protection/wip-learning.md
+++ b/windows/security/information-protection/windows-information-protection/wip-learning.md
@@ -25,7 +25,7 @@ In the **Website learning report**, you can view a summary of the devices that h
## Access the WIP Learning reports
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Apps** > **Monitor** > **App protection status** > **Reports**.
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
index d8992b23c1..1ab3f3f08e 100644
--- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
+++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
@@ -66,7 +66,7 @@ To complete this procedure, you must be signed in as a member of the built-in Ad
## More considerations
-- After you turn on object access auditing, view the security login Event Viewer to review the results of your changes.
+- After you turn on object access auditing, view the security log in Event Viewer to review the results of your changes.
- You can set up file and folder auditing only on NTFS drives.
- Because the security log is limited in size, carefully select the files and folders to be audited. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
index 0b7b4ac15b..43d0713f40 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
@@ -99,7 +99,7 @@ Application Guard functionality is turned off by default. However, you can quick
:::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune.":::
-1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Configuration profiles** > **+ Create profile**, and do the following:
+1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Configuration profiles** > **+ Create profile**, and do the following:
1. In the **Platform** list, select **Windows 10 and later**.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
index 642b8ea960..56ce82d42e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
@@ -38,15 +38,16 @@ To use AppLocker, you need:
- For Group Policy deployment, at least one device with the Group Policy Management Console (GPMC) or Remote Server Administration Tools (RSAT) installed to host the AppLocker rules.
- Devices running a supported operating system to enforce the AppLocker rules that you create.
->**Note:** You can use Software Restriction Policies with AppLocker, but with some limitations. For more info, see [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md).
+>[!NOTE]
+>As of [KB 5024351](https://support.microsoft.com/help/5024351), Windows 10 versions 2004 and newer and all Windows 11 versions no longer require a specific edition of Windows to enforce AppLocker policies
## Operating system requirements
-The following table shows the on which operating systems AppLocker features are supported.
+The following table shows the Windows versions on which AppLocker features are supported.
| Version | Can be configured | Can be enforced | Available rules | Notes |
| - | - | - | - | - |
-| Windows 10 and Windows 11| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| You can use the [AppLocker CSP](/windows/client-management/mdm/applocker-csp) to configure AppLocker policies on any edition of Windows 10 and Windows 11 supported by Mobile Device Management (MDM). You can only manage AppLocker with Group Policy on devices running Windows 10 and Windows 11 Enterprise, Windows 10 and Windows 11 Education, and Windows Server 2016. |
+| Windows 10 and Windows 11| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| Policies are supported on all editions Windows 10 version 2004 and newer with [KB 5024351](https://support.microsoft.com/help/5024351).
Windows versions older than version 2004, including Windows Server 2019:
- Policies deployed through GP are only supported on Enterprise and Server editions.
- Policies deployed through MDM are supported on all editions.
|
| Windows Server 2019
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| |
| Windows 8.1 Pro| Yes| No| N/A||
| Windows 8.1 Enterprise| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| |
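Review bot: Grammar in the rewritten `Windows 10 and Windows 11` table row: `Policies are supported on all editions Windows 10 version 2004 and newer` is missing `of` (`all editions of Windows 10, version 2004 and newer`), and `Policies deployed through GP` should spell out `Group Policy`, which is how the rest of the page refers to it. The new note `>As of [KB 5024351](...), Windows 10 versions 2004 and newer and all Windows 11 versions no longer require a specific edition of Windows to enforce AppLocker policies` lacks a terminating period and chains two `and` clauses; suggest `Windows 10, version 2004 and later, and all versions of Windows 11 no longer require a specific edition of Windows to enforce AppLocker policies.` Also confirm that the two `- Policies deployed through ...` bullets inside that table cell are separated with `<br>` tags, because pipe-table cells do not render Markdown list syntax.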
@@ -54,16 +55,19 @@ The following table shows the on which operating systems AppLocker features are
| Windows 8 Pro| Yes| No| N/A||
| Windows 8 Enterprise| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL||
| Windows RT| No| No| N/A| |
-| Windows Server 2008 R2 Standard| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules will not be enforced.|
-| Windows Server 2008 R2 Enterprise|Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules will not be enforced.|
-| Windows Server 2008 R2 Datacenter| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules will not be enforced.|
-| Windows Server 2008 R2 for Itanium-Based Systems| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules will not be enforced.|
-| Windows 7 Ultimate| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules will not be enforced.|
-| Windows 7 Enterprise| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules will not be enforced.|
+| Windows Server 2008 R2 Standard| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules won't be enforced.|
+| Windows Server 2008 R2 Enterprise|Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules won't be enforced.|
+| Windows Server 2008 R2 Datacenter| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules won't be enforced.|
+| Windows Server 2008 R2 for Itanium-Based Systems| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules won't be enforced.|
+| Windows 7 Ultimate| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules won't be enforced.|
+| Windows 7 Enterprise| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules won't be enforced.|
| Windows 7 Professional| Yes| No| Executable
Windows Installer
Script
DLL| No AppLocker rules are enforced.|
-AppLocker is not supported on versions of the Windows operating system not listed above. Software Restriction Policies can be used with those versions. However, the SRP Basic User feature is not supported on the above operating systems.
+AppLocker isn't supported on versions of the Windows operating system not listed above. Software Restriction Policies can be used with those versions. However, the SRP Basic User feature isn't supported on the above operating systems.
+
+>[!NOTE]
+>You can use Software Restriction Policies with AppLocker, but with some limitations. For more info, see [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md).
## See also
- [Administer AppLocker](administer-applocker.md)
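Review bot: Wording in the rewritten line `AppLocker isn't supported on versions of the Windows operating system not listed above. ... However, the SRP Basic User feature isn't supported on the above operating systems.`: "the above operating systems" is ambiguous immediately after a sentence about versions that are *not* listed; suggest `on the operating systems listed in the table`. Relocating the Software Restriction Policies note to follow that paragraph is the right placement, since it now sits next to the sentence it qualifies.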
diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
index 0286b18ad3..1d37a88d20 100644
--- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
@@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: jogeurte
ms.author: vinpa
manager: aaroncz
-ms.date: 11/02/2022
+ms.date: 02/27/2023
ms.technology: itpro-security
---
@@ -35,8 +35,8 @@ When you create policies for use with Windows Defender Application Control (WDAC
| **Example Base Policy** | **Description** | **Where it can be found** |
|-------------------------|---------------------------------------------------------------|--------|
-| **DefaultWindows_\*.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for all [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_\*.xml
%ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\DefaultWindows_Audit.xml |
-| **AllowMicrosoft.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml
%ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\AllowMicrosoft.xml |
+| **DefaultWindows_\*.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for the [Microsoft Intune product family](https://www.microsoft.com/security/business/endpoint-management/microsoft-intune) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_\*.xml
%ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\DefaultWindows_Audit.xml |
+| **AllowMicrosoft.xml** | This example policy is available in enforcement mode. It includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml
%ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\AllowMicrosoft.xml |
| **AllowAll.xml** | This example policy is useful when creating a blocklist. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml |
| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also known as hypervisor-protected code integrity) using WDAC. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll_EnableHVCI.xml |
| **DenyAllAudit.xml** | ***Warning: May cause long boot time on Windows Server 2019.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DenyAllAudit.xml |
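Review bot: Changing the AllowMicrosoft.xml description from "available in audit mode" to "available in enforcement mode" is a substantive claim about a shipped security policy; confirm it against the audit-mode rule option in the ExamplePolicies copy before merging, because a reader who deploys it believing it only audits would be enforcing. The wording is also inconsistent with the DefaultWindows_\*.xml row, which says "enforced mode"; use one term in both rows.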
diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
index 23e85b02c4..53ab972b90 100644
--- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
+++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
@@ -27,7 +27,7 @@ ms.topic: overview
| Capability | Windows Defender Application Control | AppLocker |
|-------------|------|-------------|
| Platform support | Available on Windows 10, Windows 11, and Windows Server 2016 or later. | Available on Windows 8 or later. |
-| SKU availability | Available on Windows 10, Windows 11, and Windows Server 2016 or later.
WDAC PowerShell cmdlets aren't available on Home edition, but policies are effective on all editions. | Policies deployed through GP are only supported on Enterprise and Server editions.
Policies deployed through MDM are supported on all editions. |
+| SKU availability | Available on Windows 10, Windows 11, and Windows Server 2016 or later.
WDAC PowerShell cmdlets aren't available on Home edition, but policies are effective on all editions. | Policies are supported on all editions Windows 10 version 2004 and newer with [KB 5024351](https://support.microsoft.com/help/5024351).
Windows versions older than version 2004, including Windows Server 2019:
- Policies deployed through GP are only supported on Enterprise and Server editions.
- Policies deployed through MDM are supported on all editions.
|
| Management solutions | - [Intune](./deployment/deploy-windows-defender-application-control-policies-using-intune.md)
- [Microsoft Configuration Manager](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via software distribution)
- [Group policy](./deployment/deploy-windows-defender-application-control-policies-using-group-policy.md)
- [Script](/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script)
| - [Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)
- Configuration Manager (custom policy deployment via software distribution only)
- [Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)
- PowerShell
|
| Per-User and Per-User group rules | Not available (policies are device-wide). | Available on Windows 8+. |
| Kernel mode policies | Available on Windows 10, Windows 11, and Windows Server 2016 or later. | Not available. |
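Review bot: The new AppLocker SKU-availability text has a grammar slip: "Policies are supported on all editions Windows 10 version 2004 and newer" needs "of" ("on all editions of Windows 10 version 2004 and newer"). It would also help to say explicitly that without KB 5024351 installed the edition restrictions in the two bullets still apply, so the dependency on the update isn't left implied by "with".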
diff --git a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
index 272fed2a81..25276608c2 100644
--- a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
+++ b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
@@ -1,26 +1,12 @@
---
title: Add Production Devices to the Membership Group for a Zone (Windows)
description: Learn how to add production devices to the membership group for a zone and refresh the group policy on the devices in the membership group.
-ms.assetid: 7141de15-5840-4beb-aabe-21c1dd89eb23
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Add Production Devices to the Membership Group for a Zone
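Review bot: This hunk, and every firewall front-matter hunk that follows it in this patch, drops `author`, `ms.author`, `manager`, and `ms.reviewer` (along with `ms.technology`, `ms.localizationpriority`, and the other legacy keys) without a replacement in the file; confirm these values are now supplied by global metadata (for example in the docset's docfx.json) so build validation doesn't flag missing required metadata and page ownership isn't lost. Collapsing the `appliesto` list to "Windows 10 and later" / "Windows Server 2016 and later" is a sensible simplification and matches the form already used in best-practices-configuring.md.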
diff --git a/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
index 12a0d5018e..632879c8fa 100644
--- a/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
+++ b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
@@ -1,26 +1,12 @@
---
title: Add Test Devices to the Membership Group for a Zone (Windows)
description: Learn how to add devices to the group for a zone to test whether your Windows Defender Firewall with Advanced Security implementation works as expected.
-ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Add Test Devices to the Membership Group for a Zone
diff --git a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
index 5bb2312dbe..1d83bb85fd 100644
--- a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
+++ b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
@@ -1,26 +1,12 @@
---
title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows)
description: Use sample template files import an XML file containing customized registry preferences into a Group Policy Object (GPO).
-ms.assetid: 75930afd-ab1b-4e53-915b-a28787814b38
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Appendix A: Sample GPO Template Files for Settings Used in this Guide
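Review bot: The `description` context line in this hunk reads "Use sample template files import an XML file…" and is missing "to" ("Use sample template files to import an XML file…"); since the front matter is already being rewritten here, fix it in the same change.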
diff --git a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
index c1666220e4..c7559e5687 100644
--- a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
@@ -1,29 +1,15 @@
---
title: Assign Security Group Filters to the GPO (Windows)
description: Learn how to use Group Policy Management MMC to assign security group filters to a GPO to make sure that the GPO is applied to the correct computers.
-ms.assetid: bcbe3299-8d87-4ec1-9e86-8e4a680fd7c8
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.collection:
- highpri
- tier3
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Assign Security Group Filters to the GPO
diff --git a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
index 11fb40c04f..5c6763d795 100644
--- a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
@@ -1,25 +1,11 @@
---
title: Basic Firewall Policy Design (Windows)
description: Protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses by using basic firewall policy design.
-ms.assetid: 6f7af99e-6850-4522-b7f5-db98e6941418
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
ms.date: 12/31/2017
---
diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
index b607d65908..e090a1ea53 100644
--- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
+++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
@@ -1,25 +1,15 @@
---
title: Best practices for configuring Windows Defender Firewall
description: Learn about best practices for configuring Windows Defender Firewall
-keywords: firewall, best practices, security, network security, network, rules, filters,
ms.prod: windows-client
ms.date: 11/09/2022
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: paoloma
-author: paolomatarazzo
-ms.localizationpriority: medium
-manager: aaroncz
-audience: ITPro
ms.collection:
- highpri
- tier3
ms.topic: article
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10 and later
- - ✅ Windows Server 2016 and later
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Best practices for configuring Windows Defender Firewall
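Review bot: The two `appliesto` lines removed and re-added here look identical ("- ✅ Windows 10 and later", "- ✅ Windows Server 2016 and later"), so the change is whitespace only (indentation or trailing spaces); confirm it's intentional normalization to match the other files in this patch, otherwise drop the churn. Removing the `keywords` line is fine if the docset no longer consumes it.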
diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md
index 35518f5c27..fc07a5e4d8 100644
--- a/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md
@@ -1,26 +1,12 @@
---
title: Boundary Zone GPOs (Windows)
description: Learn about GPOs to create that must align with the group you create for the boundary zone in Windows Defender Firewall with Advanced Security.
-ms.assetid: 1ae66088-02c3-47e4-b7e8-74d0b8f8646e
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Boundary Zone GPOs
diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone.md b/windows/security/threat-protection/windows-firewall/boundary-zone.md
index fc8ce50228..4d101a8462 100644
--- a/windows/security/threat-protection/windows-firewall/boundary-zone.md
+++ b/windows/security/threat-protection/windows-firewall/boundary-zone.md
@@ -1,26 +1,12 @@
---
title: Boundary Zone (Windows)
description: Learn how a boundary zone supports devices that must receive traffic from beyond an isolated domain in Windows Defender Firewall with Advanced Security.
-ms.assetid: ed98b680-fd24-44bd-a7dd-26c522e45a20
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Boundary Zone
diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
index 7684a782be..cdcbe5df44 100644
--- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
@@ -1,26 +1,12 @@
---
title: Certificate-based Isolation Policy Design Example (Windows)
description: This example uses a fictitious company to illustrate certificate-based isolation policy design in Windows Defender Firewall with Advanced Security.
-ms.assetid: 509b513e-dd49-4234-99f9-636fd2f749e3
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Certificate-based Isolation Policy Design Example
diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
index ae9e0d2610..8d72f5d261 100644
--- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
@@ -1,26 +1,12 @@
---
title: Certificate-based Isolation Policy Design (Windows)
description: Explore the methodology behind Certificate-based Isolation Policy Design and how it defers from Domain Isolation and Server Isolation Policy Design.
-ms.assetid: 63e01a60-9daa-4701-9472-096c85e0f862
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Certificate-based isolation policy design
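Review bot: The `description` context line has a typo: "how it defers from Domain Isolation" should be "how it differs from Domain Isolation"; worth fixing while this file's front matter is being edited.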
diff --git a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md
index 98faaf9390..0fe1d36358 100644
--- a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md
+++ b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md
@@ -1,26 +1,12 @@
---
title: Change Rules from Request to Require Mode (Windows)
description: Learn how to convert a rule from request to require mode and apply the modified GPOs to the client devices.
-ms.assetid: ad969eda-c681-48cb-a2c4-0b6cae5f4cff
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Change Rules from Request to Require Mode
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
index 6e55af017d..b7488176fa 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
@@ -1,26 +1,12 @@
---
title: Checklist Configuring Basic Firewall Settings (Windows)
description: Configure Windows Firewall to set inbound and outbound behavior, display notifications, record log files and more of the necessary function for Firewall.
-ms.assetid: 0d10cdae-da3d-4a33-b8a4-6b6656b6d1f9
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Checklist: Configuring Basic Firewall Settings
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
index 42dedfb5a6..a10f355d7a 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
@@ -1,26 +1,12 @@
---
title: Checklist Configuring Rules for an Isolated Server Zone (Windows)
description: Use these tasks to configure connection security rules and IPsec settings in GPOs for servers in an isolated server zone that are part of an isolated domain.
-ms.assetid: 67c50a91-e71e-4f1e-a534-dad2582e311c
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Checklist: Configuring Rules for an Isolated Server Zone
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
index 7a27fdafd9..ad3c072c15 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
@@ -1,26 +1,12 @@
---
title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone (Windows)
description: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone
-ms.assetid: ccc09d06-ef75-43b0-9c77-db06f2940955
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone
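Review bot: The `description` here only repeats the title ("Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone"); since this field feeds the page's search snippet, a one-sentence summary of the tasks, like the descriptions in the sibling checklist files in this patch, would be more useful.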
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
index e13496eb9d..e0f4a4d830 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
@@ -1,26 +1,12 @@
---
title: Checklist Configuring Rules for the Boundary Zone (Windows)
description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain.
-ms.assetid: 25fe0197-de5a-4b4c-bc44-c6f0620ea94b
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Checklist: Configuring Rules for the Boundary Zone
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
index 1a33764cd6..e026d05ea7 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
@@ -1,26 +1,12 @@
---
title: Checklist Configuring Rules for the Encryption Zone (Windows)
description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain.
-ms.assetid: 87b1787b-0c70-47a4-ae52-700bff505ea4
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Checklist: Configuring Rules for the Encryption Zone
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
index 146c7be617..553a621f37 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
@@ -1,26 +1,12 @@
---
title: Checklist Configuring Rules for the Isolated Domain (Windows)
description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain.
-ms.assetid: bfd2d29e-4011-40ec-a52e-a67d4af9748e
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Checklist: Configuring Rules for the Isolated Domain
diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md
index 2437571f7b..2db03bf2b4 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md
@@ -1,26 +1,12 @@
---
title: Checklist Creating Group Policy Objects (Windows)
description: Learn to deploy firewall settings, IPsec settings, firewall rules, or connection security rules, by using Group Policy in AD DS.
-ms.assetid: e99bd6a4-34a7-47b5-9791-ae819977a559
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Checklist: Creating Group Policy Objects
diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
index a334a5eedd..2358c7d807 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
@@ -1,26 +1,12 @@
---
title: Checklist Creating Inbound Firewall Rules (Windows)
description: Use these tasks for creating inbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security.
-ms.assetid: 0520e14e-5c82-48da-8fbf-87cef36ce02f
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Checklist: Creating Inbound Firewall Rules
diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
index 556a01f1c5..e7f1a2a9ce 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
@@ -1,26 +1,12 @@
---
title: Checklist Creating Outbound Firewall Rules (Windows)
description: Use these tasks for creating outbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security.
-ms.assetid: 611bb98f-4e97-411f-82bf-7a844a4130de
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Checklist: Creating Outbound Firewall Rules
diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
index 7a3a496e98..1a5e7d2ae6 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
@@ -1,26 +1,12 @@
---
title: Create Rules for Standalone Isolated Server Zone Clients (Windows)
description: Checklist for when creating rules for clients of a Standalone Isolated Server Zone
-ms.assetid: 6a5e6478-add3-47e3-8221-972549e013f6
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone
diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
index 70b910425b..4a7816bc4d 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
@@ -1,26 +1,12 @@
---
title: Checklist Implementing a Basic Firewall Policy Design (Windows)
description: Follow this parent checklist for implementing a basic firewall policy design to ensure successful implementation.
-ms.assetid: 6caf0c1e-ac72-4f9d-a986-978b77fbbaa3
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Checklist: Implementing a Basic Firewall Policy Design
diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
index f5cc9a2ba8..75e334503f 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
@@ -1,26 +1,12 @@
---
title: Checklist Implementing a Certificate-based Isolation Policy Design (Windows)
description: Use these references to learn about using certificates as an authentication option and configure a certificate-based isolation policy design.
-ms.assetid: 1e34b5ea-2e77-4598-a765-550418d33894
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Checklist: Implementing a Certificate-based Isolation Policy Design
diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
index ce9abfe303..922dc06a9f 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
@@ -1,26 +1,12 @@
---
title: Checklist Implementing a Domain Isolation Policy Design (Windows)
description: Use these references to learn about the domain isolation policy design and links to other checklists to complete tasks require to implement this design.
-ms.assetid: 76586eb3-c13c-4d71-812f-76bff200fc20
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Checklist: Implementing a Domain Isolation Policy Design
diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
index db49df08e9..e283e43a55 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
@@ -1,26 +1,12 @@
---
title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows)
description: Use these tasks to create a server isolation policy design that isn't part of an isolated domain. See references to concepts and links to other checklists.
-ms.assetid: 50a997d8-f079-408c-8ac6-ecd02078ade3
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Checklist: Implementing a Standalone Server Isolation Policy Design
diff --git a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md
index eb155239ab..bab0dffc8e 100644
--- a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md
+++ b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md
@@ -1,26 +1,12 @@
---
title: Configure Authentication Methods (Windows)
description: Learn how to configure authentication methods for devices in an isolated domain or standalone server zone in Windows Defender Firewall with Advanced Security.
-ms.assetid: 5fcdc523-617f-4233-9213-15fe19f4cd02
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Configure Authentication Methods
diff --git a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md
index 089e73a9ab..b9b04feed8 100644
--- a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md
+++ b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md
@@ -1,26 +1,12 @@
---
title: Configure Data Protection (Quick Mode) Settings (Windows)
description: Learn how to configure the data protection settings for connection security rules in an isolated domain or a standalone isolated server zone.
-ms.assetid: fdcb1b36-e267-4be7-b842-5df9a067c9e0
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Configure Data Protection (Quick Mode) Settings
diff --git a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
index 2526c140bf..365f1423db 100644
--- a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
+++ b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
@@ -1,26 +1,12 @@
---
title: Configure Group Policy to Autoenroll and Deploy Certificates (Windows)
description: Learn how to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network.
-ms.assetid: faeb62b5-2cc3-42f7-bee5-53ba45d05c09
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Configure Group Policy to Autoenroll and Deploy Certificates
diff --git a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
index dc610001a5..83ef251330 100644
--- a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
+++ b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
@@ -1,26 +1,12 @@
---
title: Configure Key Exchange (Main Mode) Settings (Windows)
description: Learn how to configure the main mode key exchange settings used to secure the IPsec authentication traffic in Windows Defender Firewall with Advanced Security.
-ms.assetid: 5c593b6b-2cd9-43de-9b4e-95943fe82f52
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Configure Key Exchange (Main Mode) Settings
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md
index 35828e953a..1bb9ff6c3c 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md
@@ -1,26 +1,12 @@
---
title: Configure the Rules to Require Encryption (Windows)
description: Learn how to configure rules to add encryption algorithms and delete the algorithm combinations that don't use encryption for zones that require encryption.
-ms.assetid: 07b7760f-3225-4b4b-b418-51787b0972a0
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Configure the Rules to Require Encryption
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
index c025101f58..74f57aec8b 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
@@ -1,26 +1,12 @@
---
title: Configure the Windows Defender Firewall Log (Windows)
description: Learn how to configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections by using Group Policy Management MMC.
-ms.assetid: f037113d-506b-44d3-b9c0-0b79d03e7d18
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Configure the Windows Defender Firewall with Advanced Security Log
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
index 3e77330596..c10e472cbc 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
@@ -1,24 +1,11 @@
---
title: Configure the Workstation Authentication Template (Windows)
description: Learn how to configure a workstation authentication certificate template, which is used for device certificates that are enrolled and deployed to workstations.
-ms.assetid: c3ac9960-6efc-47c1-bd69-d9d4bf84f7a6
-ms.reviewer: jekrynit
-manager: aaroncz
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
ms.topic: conceptual
---
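Review bot: in this file `ms.topic: conceptual` stays below `appliesto`, while every other front-matter block in this patch puts `ms.topic` and `ms.date` ahead of `appliesto`; since the patch already rewrites these lines, move `ms.topic` up to match the sibling pages so the front-matter blocks stay consistent and easy to diff against each other.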
diff --git a/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
index 26b8f6be29..de731f58a0 100644
--- a/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
+++ b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
@@ -1,26 +1,12 @@
---
title: Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program is Blocked (Windows)
description: Configure Windows Defender Firewall with Advanced Security to suppress notifications when a program is Blocked
-ms.assetid: b7665d1d-f4d2-4b5a-befc-8b6bd940f69b
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked
diff --git a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
index c94e5e84a3..54b9527285 100644
--- a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
+++ b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
@@ -1,19 +1,12 @@
---
title: Confirm That Certificates Are Deployed Correctly (Windows)
description: Learn how to confirm that a Group Policy is being applied as expected and that the certificates are being properly installed on the workstations.
-ms.author: paoloma
ms.prod: windows-client
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 01/24/2023
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Confirm That Certificates Are Deployed Correctly
diff --git a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
index ed4354a524..7a95770682 100644
--- a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
@@ -1,26 +1,12 @@
---
title: Copy a GPO to Create a New GPO (Windows)
description: Learn how to make a copy of a GPO by using the Active Directory Users and devices MMC snap-in to create a GPO for boundary zone devices.
-ms.assetid: 7f6a23e5-4b3f-40d6-bf6d-7895558b1406
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Copy a GPO to Create a New GPO
diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md
index 1987320e47..6fd5ce3ffc 100644
--- a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md
+++ b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md
@@ -1,26 +1,12 @@
---
title: Create a Group Account in Active Directory (Windows)
description: Learn how to create a security group for the computers that are to receive Group Policy settings by using the Active Directory Users and Computers console.
-ms.assetid: c3700413-e02d-4d56-96b8-7991f97ae432
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Create a Group Account in Active Directory
diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
index 8fcc33e6d3..2eef741da8 100644
--- a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
+++ b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
@@ -1,29 +1,15 @@
---
title: Create a Group Policy Object (Windows)
description: Learn how to use the Active Directory Users and Computers MMC snap-in to create a GPO. You must be a member of the Domain Administrators group.
-ms.assetid: 72a50dd7-5033-4d97-a5eb-0aff8a35cced
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.collection:
- highpri
- tier3
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Create a Group Policy Object
diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
index 7a0d8b8743..8c9b8675b6 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
@@ -1,26 +1,12 @@
---
title: Create an Authentication Exemption List Rule (Windows)
description: Learn how to create rules that exempt devices that cannot communicate by using IPSec from the authentication requirements of your isolation policies.
-ms.assetid: 8f6493f3-8527-462a-82c0-fd91a6cb5dd8
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Create an Authentication Exemption List Rule
diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
index 1c1d6c0e60..b8efe4ed2a 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
@@ -1,26 +1,12 @@
---
title: Create an Authentication Request Rule (Windows)
description: Create a new rule for Windows Defender Firewall with Advanced Security so devices on the network use IPsec protocols and methods before they can communicate.
-ms.assetid: 1296e048-039f-4d1a-aaf2-8472ad05e359
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Create an Authentication Request Rule
diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md
index 8045d1975d..058c8148ed 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md
@@ -1,26 +1,12 @@
---
title: Create an Inbound ICMP Rule (Windows)
description: Learn how to allow inbound ICMP traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
-ms.assetid: 267b940a-79d9-4322-b53b-81901e357344
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Create an Inbound ICMP Rule
diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
index 2f4b0c3d20..fbbf4a06b1 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
@@ -1,29 +1,15 @@
---
title: Create an Inbound Port Rule (Windows)
description: Learn to allow traffic on specific ports by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
-ms.assetid: a7b6c6ca-32fa-46a9-a5df-a4e43147da9f
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.collection:
- highpri
- tier3
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Create an Inbound Port Rule
diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
index 5c79645f58..d477bd3dec 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
@@ -1,26 +1,12 @@
---
title: Create an Inbound Program or Service Rule (Windows)
description: Learn how to allow inbound traffic to a program or service by using the Group Policy Management MMC snap-in to create firewall rules.
-ms.assetid: 00b7fa60-7c64-4ba5-ba95-c542052834cf
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Create an Inbound Program or Service Rule
diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md
index 9ce8ea91f2..539d7fcf90 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md
@@ -1,26 +1,12 @@
---
title: Create an Outbound Port Rule (Windows)
description: Learn to block outbound traffic on a port by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
-ms.assetid: 59062b91-756b-42ea-8f2a-832f05d77ddf
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Create an Outbound Port Rule
diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
index 02116e5f9f..6083981a32 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
@@ -1,21 +1,12 @@
---
title: Create an Outbound Program or Service Rule (Windows)
description: Use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Create an Outbound Program or Service Rule
diff --git a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
index 4ecf74444b..85de932389 100644
--- a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
+++ b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
@@ -1,21 +1,12 @@
---
title: Create Inbound Rules to Support RPC (Windows)
description: Learn how to allow RPC network traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Create Inbound Rules to Support RPC
diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
index 4782bb53e2..83d9d7ca2e 100644
--- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
+++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
@@ -1,20 +1,11 @@
---
title: Create Windows Firewall rules in Intune (Windows)
description: Learn how to use Intune to create rules in Windows Defender Firewall with Advanced Security. Start by creating a profile in Device Configuration in Intune.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
ms.date: 12/31/2017
---
@@ -24,9 +15,9 @@ ms.date: 12/31/2017
>[!IMPORTANT]
>This information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-To get started, Open the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), and then go to **Devices** > **Windows** > **Configuration profiles** > **Create profile** > Choose **Windows 10 and later** as the platform, Choose **Templates**, then **Endpoint protection** as the profile type.
+To get started, Open the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), and then go to **Devices** > **Windows** > **Configuration profiles** > **Create profile** > Choose **Windows 10 and later** as the platform, Choose **Templates**, then **Endpoint protection** as the profile type.
Select Windows Defender Firewall.
-:::image type="content" source="images/windows-firewall-intune.png" alt-text="Example of a Windows Defender Firewall policy in Microsoft Intune and the Endpoint Manager admin center.":::
+:::image type="content" source="images/windows-firewall-intune.png" alt-text="Example of a Windows Defender Firewall policy in Microsoft Intune and the Intune admin center.":::
>[!IMPORTANT]
>A single Endpoint Protection profile may contain up to a maximum of 150 firewall rules. If a client device requires more than 150 rules, then multiple profiles must be assigned to it.
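Review bot: the rewritten line fixes the product name but keeps two mid-sentence capitals from the original, "To get started, Open the" and "Choose **Templates**"; lower-case them while the line is being touched. The same file still carries the unchanged context `ms.date: 12/31/2017` and the "prereleased product" IMPORTANT callout above this hunk; the admin-center rename signals the content is current, so the date should be updated and the prerelease disclaimer re-evaluated rather than left as-is.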
diff --git a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
index cce89be934..aadb54b9eb 100644
--- a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
@@ -1,24 +1,15 @@
---
title: Create WMI Filters for the GPO (Windows)
description: Learn how to use WMI filters on a GPO to make sure that each GPO for a group can only be applied to devices running the correct version of Windows.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.collection:
- highpri
- tier3
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Create WMI Filters for the GPO
diff --git a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
index 5d7dc149f9..8df474f3c3 100644
--- a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
+++ b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
@@ -1,21 +1,12 @@
---
title: Designing a Windows Defender Firewall Strategy (Windows)
description: Answer the question in this article to design an effective Windows Defender Firewall with Advanced Security Strategy.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Designing a Windows Defender Firewall with Advanced Security Strategy
diff --git a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
index 68a9b98493..5089c8d823 100644
--- a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
+++ b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
@@ -1,21 +1,12 @@
---
title: Determining the Trusted State of Your Devices (Windows)
description: Learn how to define the trusted state of devices in your enterprise to help design your strategy for using Windows Defender Firewall with Advanced Security.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Determining the Trusted State of Your Devices
diff --git a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
index 8694e3c9fc..4db33e1b27 100644
--- a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
+++ b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
@@ -1,21 +1,12 @@
---
title: Documenting the Zones (Windows)
description: Learn how to document the zone placement of devices in your design for Windows Defender Firewall with Advanced Security.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Documenting the Zones
diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
index 60932b1a3d..e481999a70 100644
--- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
@@ -1,21 +1,12 @@
---
title: Domain Isolation Policy Design Example (Windows)
description: This example uses a fictitious company to illustrate domain isolation policy design in Windows Defender Firewall with Advanced Security.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Domain Isolation Policy Design Example
diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
index d906a7fa27..8186a03186 100644
--- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
@@ -1,21 +1,12 @@
---
title: Domain Isolation Policy Design (Windows)
description: Learn how to design a domain isolation policy, based on which devices accept only connections from authenticated members of the same isolated domain.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Domain Isolation Policy Design
diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md
index 8e5cbc491c..c4377b8254 100644
--- a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md
+++ b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md
@@ -1,21 +1,12 @@
---
title: Enable Predefined Inbound Rules (Windows)
description: Learn the rules for Windows Defender Firewall with Advanced Security for common networking roles and functions.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Enable Predefined Inbound Rules
diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md
index 818f3191e4..83d2eec6b3 100644
--- a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md
+++ b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md
@@ -1,21 +1,12 @@
---
title: Enable Predefined Outbound Rules (Windows)
description: Learn to deploy predefined firewall rules that block outbound network traffic for common network functions in Windows Defender Firewall with Advanced Security.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/07/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Enable Predefined Outbound Rules
diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md
index ec8427d677..f26b60d3f2 100644
--- a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md
@@ -1,21 +1,12 @@
---
title: Encryption Zone GPOs (Windows)
description: Learn how to add a device to an encryption zone by adding the device account to the encryption zone group in Windows Defender Firewall with Advanced Security.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Encryption Zone GPOs
diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone.md b/windows/security/threat-protection/windows-firewall/encryption-zone.md
index 0cf4b23338..4dc931b4ea 100644
--- a/windows/security/threat-protection/windows-firewall/encryption-zone.md
+++ b/windows/security/threat-protection/windows-firewall/encryption-zone.md
@@ -1,21 +1,12 @@
---
title: Encryption Zone (Windows)
description: Learn how to create an encryption zone to contain devices that host sensitive data and require that the sensitive network traffic be encrypted.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Encryption Zone
diff --git a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md
index a37aa1bb81..410c3c56be 100644
--- a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md
+++ b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md
@@ -1,21 +1,12 @@
---
title: Exempt ICMP from Authentication (Windows)
description: Learn how to add exemptions for any network traffic that uses the ICMP protocol in Windows Defender Firewall with Advanced Security.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Exempt ICMP from Authentication
diff --git a/windows/security/threat-protection/windows-firewall/exemption-list.md b/windows/security/threat-protection/windows-firewall/exemption-list.md
index e90686a631..52d0334bfa 100644
--- a/windows/security/threat-protection/windows-firewall/exemption-list.md
+++ b/windows/security/threat-protection/windows-firewall/exemption-list.md
@@ -1,21 +1,12 @@
---
title: Exemption List (Windows)
description: Learn about reasons to add devices to an exemption list in Windows Defender Firewall with Advanced Security and the trade-offs of having too many exemptions.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Exemption List
diff --git a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md
index 9f9f8dbc43..5b4fbe6b78 100644
--- a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md
+++ b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md
@@ -1,20 +1,11 @@
---
title: Filter origin audit log improvements
description: Filter origin documentation audit log improvements
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: normal
-author: paolomatarazzo
-manager: aaroncz
ms.topic: troubleshooting
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
ms.date: 12/31/2017
---
diff --git a/windows/security/threat-protection/windows-firewall/firewall-gpos.md b/windows/security/threat-protection/windows-firewall/firewall-gpos.md
index 08a86364ba..d281e5120c 100644
--- a/windows/security/threat-protection/windows-firewall/firewall-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/firewall-gpos.md
@@ -1,21 +1,12 @@
---
title: Firewall GPOs (Windows)
description: In this example, a Group Policy Object is linked to the domain container because the domain controllers aren't part of the isolated domain.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Firewall GPOs
diff --git a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
index 948e5e1bab..3a7fd73b29 100644
--- a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
@@ -1,21 +1,12 @@
---
title: Basic Firewall Policy Design Example (Windows)
description: This example features a fictitious company and illustrates firewall policy design for Windows Defender Firewall with Advanced Security.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Basic Firewall Policy Design Example
diff --git a/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md b/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md
index ae7a47f809..2f28d5f315 100644
--- a/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md
+++ b/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md
@@ -1,20 +1,11 @@
---
title: Troubleshooting Windows Firewall settings after a Windows upgrade
description: Firewall settings lost on upgrade
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: troubleshooting
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
ms.date: 12/31/2017
---
diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
index 7e8e014d6c..8f60efe829 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
@@ -1,21 +1,12 @@
---
title: Gathering Information about Your Active Directory Deployment (Windows)
description: Learn about gathering Active Directory information, including domain layout, organizational unit architecture, and site topology, for your firewall deployment.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Gathering Information about Your Active Directory Deployment
diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
index 5a815ce133..3aa6cef30a 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
@@ -1,21 +1,12 @@
---
title: Gathering Info about Your Network Infrastructure (Windows)
description: Learn how to gather info about your network infrastructure so that you can effectively plan for Windows Defender Firewall with Advanced Security deployment.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Gathering Information about Your Current Network Infrastructure
diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md
index c004735816..1f0cbb3885 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md
@@ -1,21 +1,12 @@
---
title: Gathering Information about Your Devices (Windows)
description: Learn what information to gather about the devices in your enterprise to plan your Windows Defender Firewall with Advanced Security deployment.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Gathering Information about Your Devices
diff --git a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
index 8655113adc..a4fa1bcbac 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
@@ -1,21 +1,12 @@
---
title: Gathering Other Relevant Information (Windows)
description: Learn about additional information you may need to gather to deploy Windows Defender Firewall with Advanced Security policies in your organization.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Gathering Other Relevant Information
diff --git a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md
index 27014f95a8..69323a3def 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md
@@ -1,21 +1,12 @@
---
title: Gathering the Information You Need (Windows)
description: Collect and analyze information about your network, directory services, and devices to prepare for Windows Defender Firewall with Advanced Security deployment.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Gathering the Information You Need
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
index e01a4c33c8..08115f7e6c 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
@@ -1,21 +1,12 @@
---
title: GPO\_DOMISO\_Boundary (Windows)
description: This example GPO supports devices that aren't part of the isolated domain to access specific servers that must be available to those untrusted devices.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# GPO\_DOMISO\_Boundary
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
index abf7fcbadf..e25451e208 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
@@ -1,21 +1,12 @@
---
title: GPO\_DOMISO\_Encryption\_WS2008 (Windows)
description: This example GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests.
-ms.reviewer: jekrynit
-ms.author: paoloma
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.prod: windows-client
-ms.localizationpriority: medium
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# GPO\_DOMISO\_Encryption\_WS2008
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
index 19d5d2f4fe..8f51e224f1 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
@@ -1,21 +1,12 @@
---
title: GPO\_DOMISO\_Firewall (Windows)
description: Learn about the settings and rules in this example GPO, which is authored by using the Group Policy editing tools.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# GPO\_DOMISO\_Firewall
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
index 8147d76ef7..b2372a88c2 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
@@ -1,21 +1,12 @@
---
title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows)
description: Author this GPO by using Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# GPO\_DOMISO\_IsolatedDomain\_Clients
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
index fadc52139d..100d7233bc 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
@@ -1,21 +1,12 @@
---
title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows)
description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# GPO\_DOMISO\_IsolatedDomain\_Servers
diff --git a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
index 877c262554..d4e5b71479 100644
--- a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
+++ b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
@@ -1,21 +1,12 @@
---
title: Identify implementation goals for Windows Defender Firewall with Advanced Security Deployment (Windows)
description: Identifying Your Windows Defender Firewall with Advanced Security (WFAS) implementation goals
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Identifying Windows Defender Firewall with Advanced Security implementation goals
diff --git a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
index c745825369..86253b807a 100644
--- a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
+++ b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
@@ -1,21 +1,12 @@
---
title: Implementing Your Windows Defender Firewall with Advanced Security Design Plan (Windows)
description: Implementing Your Windows Defender Firewall with Advanced Security Design Plan
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Implementing Your Windows Defender Firewall with Advanced Security Design Plan
diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md
index 2cede95e14..4cab3c840b 100644
--- a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md
@@ -1,21 +1,12 @@
---
title: Isolated Domain GPOs (Windows)
description: Learn about GPOs for isolated domains in this example configuration of Windows Defender Firewall with Advanced Security.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Isolated Domain GPOs
diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain.md b/windows/security/threat-protection/windows-firewall/isolated-domain.md
index 2f854ff73f..d11cfd0fa4 100644
--- a/windows/security/threat-protection/windows-firewall/isolated-domain.md
+++ b/windows/security/threat-protection/windows-firewall/isolated-domain.md
@@ -1,21 +1,12 @@
---
title: Isolated Domain (Windows)
description: Learn about the isolated domain, which is the primary zone for trusted devices, which use connection security and firewall rules to control communication.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Isolated Domain
diff --git a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md
index 5724da80ea..6d41f4d5e5 100644
--- a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md
+++ b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md
@@ -2,20 +2,11 @@
title: Isolating Microsoft Store Apps on Your Network (Windows)
description: Learn how to customize your firewall configuration to isolate the network access of the new Microsoft Store apps that run on devices added to your network.
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.reviewer: jekrynit
-ms.author: paoloma
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Isolating Microsoft Store Apps on Your Network
diff --git a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md
index f3eb72f2e3..f875516002 100644
--- a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md
+++ b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md
@@ -1,21 +1,12 @@
---
title: Link the GPO to the Domain (Windows)
description: Learn how to link a GPO to the Active Directory container for the target devices, after you configure it in Windows Defender Firewall with Advanced Security.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Link the GPO to the Domain
diff --git a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
index b0597ddac5..12d13c2b22 100644
--- a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
+++ b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
@@ -1,21 +1,12 @@
---
title: Mapping your implementation goals to a Windows Firewall with Advanced Security design (Windows)
description: Mapping your implementation goals to a Windows Firewall with Advanced Security design
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Mapping your implementation goals to a Windows Firewall with Advanced Security design
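Review bot: The `title` and `description` lines still say "Windows Firewall with Advanced Security" while the neighbouring pages in this same patch use "Windows Defender Firewall with Advanced Security"; since the frontmatter is being rewritten here anyway, align the product name (title, description and the H1 `# Mapping your implementation goals to a Windows Firewall with Advanced Security design`) with the rest of the set so search and the TOC show one consistent name.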
diff --git a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
index 2db48a89d3..d5f3a66214 100644
--- a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
+++ b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
@@ -1,21 +1,12 @@
---
title: Modify GPO Filters (Windows)
description: Learn how to modify GPO filters to apply to a different zone or version of windows in Windows Defender Firewall with Advanced Security.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Modify GPO Filters to Apply to a Different Zone or Version of Windows
diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
index e55dca92b4..992acb97d6 100644
--- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
+++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
@@ -1,21 +1,12 @@
---
title: Open the Group Policy Management Console to IP Security Policies (Windows)
description: Learn how to open the Group Policy Management Console to IP Security Policies to configure GPOs for earlier versions of the Windows operating system.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Open the Group Policy Management Console to IP Security Policies
diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
index 7bd82a831e..4752a0a65d 100644
--- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
@@ -1,24 +1,15 @@
---
title: Group Policy Management of Windows Firewall with Advanced Security (Windows)
description: Group Policy Management of Windows Firewall with Advanced Security
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.collection:
- highpri
- tier3
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Group Policy Management of Windows Firewall with Advanced Security
diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
index f51325daf5..ce8f5b6d70 100644
--- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
+++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
@@ -1,21 +1,12 @@
---
title: Group Policy Management of Windows Defender Firewall (Windows)
description: Group Policy Management of Windows Defender Firewall with Advanced Security
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Group Policy Management of Windows Defender Firewall
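Review bot: The `title` here ("Group Policy Management of Windows Defender Firewall (Windows)") and the `description` ("Group Policy Management of Windows Defender Firewall with Advanced Security") disagree on the product name, and both are nearly identical to the title and description of the preceding page (`open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md`); with two pages this close, give each a description that says what distinguishes it, otherwise readers landing from search cannot tell them apart.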
diff --git a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
index 85c5fb4099..ff0894fbe9 100644
--- a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
@@ -1,21 +1,12 @@
---
title: Open Windows Defender Firewall with Advanced Security (Windows)
description: Learn how to open the Windows Defender Firewall with Advanced Security console. You must be a member of the Administrators group.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Open Windows Defender Firewall with Advanced Security
diff --git a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
index 64238d1abd..0d2b6f0d17 100644
--- a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
+++ b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
@@ -1,21 +1,12 @@
---
title: Planning Certificate-based Authentication (Windows)
description: Learn how a device unable to join an Active Directory domain can still participate in an isolated domain by using certificate-based authentication.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Planning Certificate-based Authentication
diff --git a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md
index a29847e44c..b9416b2c65 100644
--- a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md
@@ -1,21 +1,12 @@
---
title: Planning Domain Isolation Zones (Windows)
description: Learn how to use information you've gathered to make decisions about isolation zones for your environment in Windows Defender Firewall with Advanced Security.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Planning Domain Isolation Zones
diff --git a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md
index 7e46a275c4..13d93e09de 100644
--- a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md
+++ b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md
@@ -1,21 +1,12 @@
---
title: Planning GPO Deployment (Windows)
description: Learn how to use security group filtering and WMI filtering to provide the most flexible options for applying GPOs to devices in Active Directory.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Planning GPO Deployment
diff --git a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
index 02e00fb3c5..8fd656a093 100644
--- a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
@@ -1,21 +1,12 @@
---
title: Planning Group Policy Deployment for Your Isolation Zones (Windows)
description: Learn how to plan a group policy deployment for your isolation zones after you determine the best logical design for your isolation environment.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Planning Group Policy Deployment for Your Isolation Zones
diff --git a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
index 4eefdea9e1..1c78f627e8 100644
--- a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
@@ -1,21 +1,12 @@
---
title: Planning Isolation Groups for the Zones (Windows)
description: Learn about planning isolation groups for the zones in Microsoft Firewall, including information on universal groups and GPOs.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Planning Isolation Groups for the Zones
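Review bot: The `description` line refers to "Microsoft Firewall", which is not the product name used anywhere else in this set; change it to "Windows Defender Firewall with Advanced Security" while the frontmatter is being edited, as the description is what surfaces in search results.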
diff --git a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
index 4515218f2b..a347ceb834 100644
--- a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
+++ b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
@@ -1,21 +1,12 @@
---
title: Planning Network Access Groups (Windows)
description: Learn how to implement a network access group for users and devices that can access an isolated server in Windows Defender Firewall with Advanced Security.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Planning Network Access Groups
diff --git a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
index c96545cf8b..07b4cbd666 100644
--- a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
@@ -1,21 +1,12 @@
---
title: Planning Server Isolation Zones (Windows)
description: Learn how to restrict access to a server to approved users by using a server isolation zone in Windows Defender Firewall with Advanced Security.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Planning Server Isolation Zones
diff --git a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
index 027506a427..44044b6641 100644
--- a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
+++ b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
@@ -1,21 +1,12 @@
---
title: Planning Settings for a Basic Firewall Policy (Windows)
description: Learn how to design a basic policy for Windows Defender Firewall with Advanced Security, the settings and rules that enforce your requirements on devices.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Planning Settings for a Basic Firewall Policy
diff --git a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md
index 572fa33116..1a3b157e57 100644
--- a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md
@@ -1,21 +1,12 @@
---
title: Planning the GPOs (Windows)
description: Learn about planning Group Policy Objects for your isolation zones in Windows Defender Firewall with Advanced Security, after you design the zone layout.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Planning the GPOs
diff --git a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
index e9691ceada..1e06c6b8aa 100644
--- a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
@@ -1,21 +1,12 @@
---
title: Plan to Deploy Windows Defender Firewall with Advanced Security (Windows)
description: Use the design information in this article to plan for the deployment of Windows Defender Firewall with Advanced Security in your organization.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Planning to Deploy Windows Defender Firewall with Advanced Security
diff --git a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
index 22b46bd189..8909eac102 100644
--- a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
+++ b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
@@ -1,21 +1,12 @@
---
title: Planning Your Windows Defender Firewall with Advanced Security Design (Windows)
description: After you gather the relevant information, select the design or combination of designs for Windows Defender Firewall with Advanced Security in your environment.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Planning Your Windows Defender Firewall with Advanced Security Design
diff --git a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
index 3cb9728be9..9fcf79f2f1 100644
--- a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
+++ b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
@@ -1,21 +1,12 @@
---
title: Protect devices from unwanted network traffic (Windows)
description: Learn how running a host-based firewall on every device in your organization can help protect against attacks as part of a defense-in-depth security strategy.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 01/18/2022
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Protect devices from unwanted network traffic
diff --git a/windows/security/threat-protection/windows-firewall/quarantine.md b/windows/security/threat-protection/windows-firewall/quarantine.md
index 55de70d2af..5b7c793f7f 100644
--- a/windows/security/threat-protection/windows-firewall/quarantine.md
+++ b/windows/security/threat-protection/windows-firewall/quarantine.md
@@ -1,21 +1,12 @@
---
title: Quarantine behavior
description: Quarantine behavior is explained in detail.
-ms.author: paoloma
-author: paolomatarazzo
-manager: aaroncz
-ms.reviewer: jekrynit
ms.prod: windows-client
-ms.localizationpriority: normal
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Quarantine behavior
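Review bot: This page's `description` ("Quarantine behavior is explained in detail.") says nothing about what quarantine is or which feature it belongs to, and the `title` lacks the "(Windows)" suffix every other page in this patch carries; since the frontmatter is being reworked here, give the description a sentence that names the feature (Windows Defender Firewall with Advanced Security) and what quarantine does, and bring the title into line with its siblings.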
diff --git a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
index d478752b6a..44cc1d2090 100644
--- a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
+++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
@@ -1,21 +1,12 @@
---
title: Require Encryption When Accessing Sensitive Network Resources (Windows)
description: Windows Defender Firewall with Advanced Security allows you to require that all network traffic in an isolated domain be encrypted.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Require Encryption When Accessing Sensitive Network Resources
diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
index efc90aca28..54222bff1a 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
@@ -1,21 +1,12 @@
---
title: Restrict Access to Only Specified Users or Devices (Windows)
description: Restrict access to devices and users that are members of domain groups authorized to access that device using Windows Defender Firewall with Advanced Security.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Restrict Access to Only Specified Users or Computers
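Review bot: The `title` says "Users or Devices" but the H1 still reads "Restrict Access to Only Specified Users or Computers"; pick one term (the rest of this set uses "devices") so the page title and heading match.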
diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
index 7dca23dc7e..c2298b824a 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
@@ -1,21 +1,12 @@
---
title: Restrict access to only trusted devices (Windows)
description: Windows Defender Firewall with Advanced Security enables you to isolate devices you trust and restrict access of untrusted devices to trusted devices.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Restrict access to only trusted devices
diff --git a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
index 091d80f05a..5132add40c 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
@@ -1,21 +1,12 @@
---
title: Restrict Server Access to Members of a Group Only (Windows)
description: Create a firewall rule to access isolated servers running Windows Server 2008 or later and restrict server access to members of a group.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Restrict Server Access to Members of a Group Only
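Review bot: The `description` still says "isolated servers running Windows Server 2008 or later" while the new `appliesto` block declares "Windows Server 2016 and later"; the two statements of supported versions now contradict each other on the same page, so either update the description to match the appliesto block or keep the explicit version list if Server 2008 support is genuinely intended.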
diff --git a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
index 03f3651091..8f7f607d58 100644
--- a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
+++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
@@ -2,20 +2,11 @@
title: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 (Windows)
description: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.reviewer: jekrynit
-ms.author: paoloma
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Securing End-to-End IPsec connections by using IKEv2
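Review bot: The `title:` and `description:` lines both still say "in Windows Server 2012", but after this hunk the only server release named in `appliesto` is `Windows Server 2016 and later`; the heading and the scope block now contradict each other. Either drop the Server 2012 qualifier from the title and description or add the older release back to `appliesto`. The `description` is also just a copy of the `title`, which this metadata pass is a good moment to replace with a one-sentence summary of what the page covers.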
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
index f4d1fc60c6..11d7750b21 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
@@ -1,21 +1,12 @@
---
title: Server Isolation GPOs (Windows)
description: Learn about required GPOs for isolation zones and how many server isolation zones you need in Windows Defender Firewall with Advanced Security.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Server Isolation GPOs
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
index 97ae77f6c1..41824b3e09 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
@@ -1,21 +1,12 @@
---
title: Server Isolation Policy Design Example (Windows)
description: Learn about server isolation policy design in Windows Defender Firewall with Advanced Security by referring to this example of a fictitious company.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Server Isolation Policy Design Example
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
index 1b500c186c..f2bedf42fb 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
@@ -1,21 +1,12 @@
---
title: Server Isolation Policy Design (Windows)
description: Learn about server isolation policy design, where you assign servers to a zone that allows access only to members of an approved network access group.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Server Isolation Policy Design
diff --git a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md
index 08eda94fb7..2716e511cc 100644
--- a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md
+++ b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md
@@ -1,20 +1,11 @@
---
title: Troubleshooting UWP App Connectivity Issues in Windows Firewall
description: Troubleshooting UWP App Connectivity Issues in Windows Firewall
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: troubleshooting
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
ms.date: 12/31/2017
---
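Review bot: `appliesto` is inserted above `ms.date` here, whereas every other firewall page in this patch keeps `ms.date` before `appliesto`; reorder the keys so the front matter is consistent across the folder and future bulk edits match it cleanly. This is also the one firewall page with `ms.topic: troubleshooting` and an `ms.date` of `12/31/2017`; on a troubleshooting page a date that old signals stale content to readers, so consider refreshing it while the file is being touched.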
diff --git a/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md
index 5e70140b77..b51780f073 100644
--- a/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md
+++ b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md
@@ -1,21 +1,12 @@
---
title: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior (Windows)
description: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior
diff --git a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
index cbf01ad656..0658883723 100644
--- a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
+++ b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
@@ -2,20 +2,11 @@
title: Understand WFAS Deployment (Windows)
description: Resources for helping you understand the Windows Defender Firewall with Advanced Security (WFAS) Design Process
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.reviewer: jekrynit
-ms.author: paoloma
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Understanding the Windows Defender Firewall with Advanced Security Design Process
diff --git a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md
index f260e9c06d..c535da432a 100644
--- a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md
+++ b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md
@@ -1,21 +1,12 @@
---
title: Verify That Network Traffic Is Authenticated (Windows)
description: Learn how to confirm that network traffic is being protected by IPsec authentication after you configure your domain isolation rule to require authentication.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Verify That Network Traffic Is Authenticated
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
index cf9152516d..db4d835bdb 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
@@ -2,20 +2,11 @@
title: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell (Windows)
description: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.reviewer: jekrynit
-ms.author: paoloma
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Windows Defender Firewall with Advanced Security Administration with Windows PowerShell
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
index 6a6d733678..708fe115d7 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
@@ -1,21 +1,12 @@
---
title: Windows Defender Firewall with Advanced Security deployment overview (Windows)
description: Use this guide to deploy Windows Defender Firewall with Advanced Security for your enterprise to help protect devices and data that they share across a network.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Windows Defender Firewall with Advanced Security deployment overview
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
index e095007a7d..75c5a94168 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
@@ -1,21 +1,12 @@
---
title: Windows Defender Firewall with Advanced Security design guide (Windows)
description: Learn about common goals for using Windows Defender Firewall with Advanced Security to choose or create a design for deploying the firewall in your enterprise.
-ms.reviewer: jekrynit
-ms.author: paoloma
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
ms.topic: conceptual
ms.date: 09/08/2021
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Windows Defender Firewall with Advanced Security design guide
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
index 13cf7bd61a..282125d3bd 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
@@ -2,24 +2,14 @@
title: Windows Defender Firewall with Advanced Security (Windows)
description: Learn overview information about the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features.
ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
ms.collection:
- highpri
- tier3
ms.topic: conceptual
ms.date: 09/08/2021
-ms.reviewer: jekrynit
-ms.custom: asr
-ms.technology: itpro-security
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
---
# Windows Defender Firewall with Advanced Security
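Review bot: `ms.collection` stays in YAML list form here (`- highpri`, `- tier3`), while every other hunk in this patch that sets `ms.collection` writes it as a comma-separated scalar (`ms.collection: highpri, tier1`). Pick one form for the whole patch; mixed representations make later scripted edits and audits of collection membership unreliable. Also note that `ms.custom: asr` is removed in this hunk: if anything downstream (a report, a feed, a filter) keys off that tag, this page silently drops out of it, so confirm the tag is unused before merging.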
diff --git a/windows/whats-new/deprecated-features-resources.md b/windows/whats-new/deprecated-features-resources.md
index e2f67c9051..f00940e722 100644
--- a/windows/whats-new/deprecated-features-resources.md
+++ b/windows/whats-new/deprecated-features-resources.md
@@ -8,8 +8,8 @@ ms.localizationpriority: medium
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.reviewer:
ms.topic: reference
+ms.collection: highpri, tier1
---
# Resources for deprecated features
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index c32948df18..9780d97968 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -8,8 +8,8 @@ ms.localizationpriority: medium
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.reviewer:
ms.topic: article
+ms.collection: highpri, tier1
---
# Deprecated features for Windows client
diff --git a/windows/whats-new/feature-lifecycle.md b/windows/whats-new/feature-lifecycle.md
index 11eaa12e7e..d97cc8895b 100644
--- a/windows/whats-new/feature-lifecycle.md
+++ b/windows/whats-new/feature-lifecycle.md
@@ -7,9 +7,9 @@ author: mestew
manager: aaroncz
ms.author: mstewart
ms.topic: article
-ms.custom: seo-marvel-apr2020
ms.technology: itpro-fundamentals
ms.date: 10/28/2022
+ms.collection: highpri, tier2
---
# Windows client features lifecycle
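Review bot: This page is added to `tier2` while the sibling `deprecated-features.md` and `deprecated-features-resources.md` pages in the two preceding hunks get `tier1`. If the split is deliberate (the lifecycle page being less frequently consulted than the deprecation lists), a sentence in the PR description would stop someone from "fixing" the mismatch later; if it is not deliberate, make the three pages consistent.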
diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md
index 66e69fb814..78b5590c17 100644
--- a/windows/whats-new/ltsc/index.md
+++ b/windows/whats-new/ltsc/index.md
@@ -2,12 +2,12 @@
title: Windows 10 Enterprise LTSC
description: New and updated IT Pro content about new features in Windows 10, LTSC (also known as Windows 10 LTSB).
ms.prod: windows-client
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+author: mestew
+ms.author: mstewart
+manager: aaroncz
ms.localizationpriority: low
ms.topic: article
-ms.collection: highpri
+ms.collection: highpri, tier1
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md
index 60f00167d7..0663fe6cd9 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md
@@ -1,12 +1,11 @@
---
title: What's new in Windows 10 Enterprise LTSC 2015
-ms.reviewer:
-manager: dougeby
-ms.author: aaroncz
+manager: aaroncz
+ms.author: mstewart
description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2015 (also known as Windows 10 Enterprise 2015 LTSB).
ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
+author: mestew
+ms.localizationpriority: low
ms.topic: article
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
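Review bot: `ms.localizationpriority` drops from `medium` to `low` in the same hunk as the author and manager handover. Localization priority controls whether and how quickly the page is translated, which is unrelated to ownership metadata, so either split that change out or state explicitly in the PR description that downgrading the LTSC 2015 page is intended.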
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
index 43da9f13c3..1b70c22e66 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
@@ -1,11 +1,10 @@
---
title: What's new in Windows 10 Enterprise LTSC 2016
-ms.reviewer:
-manager: dougeby
-ms.author: aaroncz
+manager: aaroncz
+ms.author: mstewart
description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2016 (also known as Windows 10 Enterprise 2016 LTSB).
ms.prod: windows-client
-author: aczechowski
+author: mestew
ms.localizationpriority: low
ms.topic: article
ms.technology: itpro-fundamentals
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index ac0e6ef2cc..14d7f14fa9 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -1,15 +1,13 @@
---
title: What's new in Windows 10 Enterprise LTSC 2019
-ms.reviewer:
-manager: dougeby
-ms.author: aaroncz
+manager: aaroncz
+ms.author: mstewart
description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2019 (also known as Windows 10 Enterprise 2019 LTSB).
ms.prod: windows-client
-author: aczechowski
+author: mestew
ms.localizationpriority: medium
ms.topic: article
-ms.collection:
- - highpri
+ms.collection: highpri, tier1
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index ac2853f72a..c6f1572c34 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -1,15 +1,13 @@
---
title: What's new in Windows 10 Enterprise LTSC 2021
-ms.reviewer:
-manager: dougeby
-ms.author: aaroncz
+manager: aaroncz
+ms.author: mstewart
description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2021.
ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: low
+author: mestew
+ms.localizationpriority: high
ms.topic: article
-ms.collection:
- - highpri
+ms.collection: highpri, tier1
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
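Review bot: `ms.localizationpriority` goes from `low` to `high` here, bundled into a hunk that is otherwise an ownership handover and a collection tier change. Raising a page to `high` pulls it into the translation queue for more locales, so that change deserves its own mention in the PR description rather than riding in as a side effect; it also leaves the LTSC 2021 page at `high` while the LTSC 2019 page in the previous hunk stays at `medium`, which is fine if intended but should be stated.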
@@ -165,7 +163,7 @@ Windows Hello enhancements include:
### Microsoft Intune family of products
-Configuration Manager, Intune, Desktop Analytics, Co-Management, and the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) are now part of the [Microsoft endpoint management services](/mem/endpoint-manager-overview). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/).
+Configuration Manager, Intune, Desktop Analytics, Co-Management, and the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) are now part of the [Microsoft endpoint management services](/mem/endpoint-manager-overview). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/).
### Configuration Manager
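Review bot: The link text is renamed to `Intune admin center`, but the rest of the sentence still says the products "are now part of the Microsoft endpoint management services" and links to `/mem/endpoint-manager-overview`; if the goal is to retire the Endpoint Manager branding, the surrounding phrase needs the same treatment, otherwise the sentence now mixes old and new names. The `ms.date` in the front-matter hunk above also stays at `12/31/2017` despite this body-text change; update it if the repo's convention is to bump the date on content edits.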
diff --git a/windows/whats-new/removed-features.md b/windows/whats-new/removed-features.md
index bdaca31c06..d0825bcd12 100644
--- a/windows/whats-new/removed-features.md
+++ b/windows/whats-new/removed-features.md
@@ -7,9 +7,9 @@ author: mestew
ms.author: mstewart
manager: aaroncz
ms.topic: article
-ms.custom: seo-marvel-apr2020
ms.technology: itpro-fundamentals
ms.date: 01/05/2023
+ms.collection: highpri, tier1
---
# Features and functionality removed in Windows client
diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
index 8c1413f87f..02ecc6cade 100644
--- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
+++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
@@ -1,11 +1,10 @@
---
title: What's new in Windows 10, versions 1507 and 1511 (Windows 10)
description: What's new in Windows 10 for Windows 10 (versions 1507 and 1511)?
-ms.reviewer:
ms.prod: windows-client
-author: aczechowski
-manager: dougeby
-ms.author: aaroncz
+author: mestew
+manager: aaroncz
+ms.author: mstewart
ms.localizationpriority: medium
ms.topic: article
ROBOTS: NOINDEX
diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md
index b37fc54c61..d0b7cbda02 100644
--- a/windows/whats-new/whats-new-windows-10-version-1607.md
+++ b/windows/whats-new/whats-new-windows-10-version-1607.md
@@ -3,10 +3,9 @@ title: What's new in Windows 10, version 1607 (Windows 10)
description: What's new in Windows 10 for Windows 10 (version 1607)?
ms.prod: windows-client
ms.localizationpriority: medium
-ms.reviewer:
-author: aczechowski
-manager: dougeby
-ms.author: aaroncz
+author: mestew
+manager: aaroncz
+ms.author: mstewart
ms.topic: article
ROBOTS: NOINDEX
ms.technology: itpro-fundamentals
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index 0b0ebd0b2a..8a8e9a3e7e 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -3,10 +3,9 @@ title: What's new in Windows 10, version 1703
description: New and updated features in Windows 10, version 1703 (also known as the Creators Updated).
ms.prod: windows-client
ms.localizationpriority: medium
-ms.reviewer:
-author: aczechowski
-manager: dougeby
-ms.author: aaroncz
+author: mestew
+manager: aaroncz
+ms.author: mstewart
ms.topic: article
ROBOTS: NOINDEX
ms.technology: itpro-fundamentals
diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md
index 24468089e9..55b211215b 100644
--- a/windows/whats-new/whats-new-windows-10-version-1709.md
+++ b/windows/whats-new/whats-new-windows-10-version-1709.md
@@ -2,10 +2,9 @@
title: What's new in Windows 10, version 1709
description: New and updated features in Windows 10, version 1709 (also known as the Fall Creators Update).
ms.prod: windows-client
-ms.reviewer:
-author: aczechowski
-manager: dougeby
-ms.author: aaroncz
+author: mestew
+manager: aaroncz
+ms.author: mstewart
ms.localizationpriority: medium
ms.topic: article
ROBOTS: NOINDEX
diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md
index 4bfc545809..9c77663750 100644
--- a/windows/whats-new/whats-new-windows-10-version-1803.md
+++ b/windows/whats-new/whats-new-windows-10-version-1803.md
@@ -2,10 +2,9 @@
title: What's new in Windows 10, version 1803
description: New and updated features in Windows 10, version 1803 (also known as the Windows 10 April 2018 Update).
ms.prod: windows-client
-ms.reviewer:
-author: aczechowski
-manager: dougeby
-ms.author: aaroncz
+author: mestew
+manager: aaroncz
+ms.author: mstewart
ms.localizationpriority: medium
ms.topic: article
ROBOTS: NOINDEX
diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md
index 8fd4016b72..b617d899f5 100644
--- a/windows/whats-new/whats-new-windows-10-version-1809.md
+++ b/windows/whats-new/whats-new-windows-10-version-1809.md
@@ -1,6 +1,5 @@
---
title: What's new in Windows 10, version 1809
-ms.reviewer:
description: Learn about features for Windows 10, version 1809, including features and fixes included in previous cumulative updates to Windows 10, version 1803.
ms.prod: windows-client
author: mestew
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md
index 703e8af27b..f4005118e9 100644
--- a/windows/whats-new/whats-new-windows-10-version-1903.md
+++ b/windows/whats-new/whats-new-windows-10-version-1903.md
@@ -2,9 +2,9 @@
title: What's new in Windows 10, version 1903
description: New and updated features in Windows 10, version 1903 (also known as the Windows 10 May 2019 Update).
ms.prod: windows-client
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+author: mestew
+ms.author: mstewart
+manager: aaroncz
ms.localizationpriority: medium
ms.topic: article
ROBOTS: NOINDEX
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index 9b27125a3b..602a7fcac7 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -2,9 +2,9 @@
title: What's new in Windows 10, version 1909
description: New and updated features in Windows 10, version 1909 (also known as the Windows 10 November 2019 Update).
ms.prod: windows-client
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+author: mestew
+ms.author: mstewart
+manager: aaroncz
ms.localizationpriority: medium
ms.topic: article
ROBOTS: NOINDEX
@@ -73,7 +73,7 @@ Windows Virtual Desktop is a comprehensive desktop and app virtualization servic
### Microsoft Intune family of products
-Configuration Manager, Intune, Desktop Analytics, Co-Management, and the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) are now part of the [Microsoft endpoint management services](/mem/endpoint-manager-overview). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/).
+Configuration Manager, Intune, Desktop Analytics, Co-Management, and the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) are now part of the [Microsoft endpoint management services](/mem/endpoint-manager-overview). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/).
### Windows 10 Pro and Enterprise in S mode
diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md
index d61e9c57ec..22d328d14f 100644
--- a/windows/whats-new/whats-new-windows-10-version-2004.md
+++ b/windows/whats-new/whats-new-windows-10-version-2004.md
@@ -2,9 +2,9 @@
title: What's new in Windows 10, version 2004
description: New and updated features in Windows 10, version 2004 (also known as the Windows 10 May 2020 Update).
ms.prod: windows-client
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+author: mestew
+ms.author: mstewart
+manager: aaroncz
ms.localizationpriority: medium
ms.topic: article
ROBOTS: NOINDEX
diff --git a/windows/whats-new/whats-new-windows-10-version-20H2.md b/windows/whats-new/whats-new-windows-10-version-20H2.md
index 118d9441cc..078b022d66 100644
--- a/windows/whats-new/whats-new-windows-10-version-20H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-20H2.md
@@ -2,12 +2,12 @@
title: What's new in Windows 10, version 20H2
description: New and updated features in Windows 10, version 20H2 (also known as the Windows 10 October 2020 Update).
ms.prod: windows-client
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+author: mestew
+ms.author: mstewart
+manager: aaroncz
ms.localizationpriority: high
ms.topic: article
-ms.collection: highpri
+ms.collection: highpri, tier2
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
@@ -71,7 +71,7 @@ Activities are grouped into the following phases: **Plan** > **Prepare** > **Dep
Enhancements to Windows Autopilot since the last release of Windows 10 include:
- [Windows Autopilot for HoloLens](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-autopilot-for-hololens-2/ba-p/1371494): Set up HoloLens 2 devices with Windows Autopilot for HoloLens 2 self-deploying mode.
- [Windows Autopilot with co-management](/mem/configmgr/comanage/quickstart-autopilot): Co-management and Autopilot together can help you reduce cost and improve the end user experience.
-- Enhancements to Windows Autopilot deployment reporting are in preview. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Monitor** and scroll down to the **Enrollment** section. Select **Autopilot deployment (preview)**.
+- Enhancements to Windows Autopilot deployment reporting are in preview. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Monitor** and scroll down to the **Enrollment** section. Select **Autopilot deployment (preview)**.
### Windows Assessment and Deployment Toolkit (ADK)
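Review bot: The rename here produces `Microsoft Intune admin center`, while the same link in the two other body-text hunks of this patch (the LTSC 2021 and version 1909 pages) becomes `Intune admin center` without the `Microsoft` prefix. Settle on one product name for the whole patch so a search-and-replace of the old name does not leave two spellings behind.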
diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md
index cdf34929de..77d6e3c52f 100644
--- a/windows/whats-new/whats-new-windows-10-version-21H1.md
+++ b/windows/whats-new/whats-new-windows-10-version-21H1.md
@@ -2,12 +2,12 @@
title: What's new in Windows 10, version 21H1
description: New and updated features in Windows 10, version 21H1 (also known as the Windows 10 May 2021 Update).
ms.prod: windows-client
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+author: mestew
+ms.author: mstewart
+manager: aaroncz
ms.localizationpriority: high
ms.topic: article
-ms.collection: highpri
+ms.collection: highpri, tier2
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md
index 0b5aea83f8..c6aaf4368c 100644
--- a/windows/whats-new/whats-new-windows-10-version-21H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-21H2.md
@@ -1,14 +1,13 @@
---
title: What's new in Windows 10, version 21H2 for IT pros
description: Learn more about what's new in Windows 10 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more.
-manager: dougeby
+manager: aaroncz
ms.prod: windows-client
-ms.author: aaroncz
-author: aczechowski
+ms.author: mstewart
+author: mestew
ms.localizationpriority: medium
ms.topic: article
-ms.collection: highpri
-ms.custom: intro-overview
+ms.collection: highpri, tier2
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
diff --git a/windows/whats-new/whats-new-windows-10-version-22H2.md b/windows/whats-new/whats-new-windows-10-version-22H2.md
index 19a2bb9c46..99199e8037 100644
--- a/windows/whats-new/whats-new-windows-10-version-22H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-22H2.md
@@ -5,10 +5,11 @@ ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.author: mstewart
author: mestew
-manager: dougeby
+manager: aaroncz
ms.localizationpriority: medium
-ms.topic: overview
+ms.topic: article
ms.date: 10/18/2022
+ms.collection: highpri, tier1
---
# What's new in Windows 10, version 22H2
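Review bot: `ms.topic` changes from `overview` to `article` in a hunk that is otherwise about the manager handover and collection tiering. `ms.topic` affects the page template and how the page is counted in reporting, and `windows-11-overview.md` later in this patch keeps `ms.topic: overview`, so state why this page is reclassified, or drop the change from this metadata-only PR.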
diff --git a/windows/whats-new/whats-new-windows-11-version-22H2.md b/windows/whats-new/whats-new-windows-11-version-22H2.md
index 273e6b1c68..9879efdeab 100644
--- a/windows/whats-new/whats-new-windows-11-version-22H2.md
+++ b/windows/whats-new/whats-new-windows-11-version-22H2.md
@@ -1,14 +1,13 @@
---
title: What's new in Windows 11, version 22H2 for IT pros
description: Learn more about what's new in Windows 11 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more.
-manager: dougeby
+manager: aaroncz
ms.prod: windows-client
ms.author: mstewart
author: mestew
ms.localizationpriority: medium
ms.topic: article
-ms.collection: highpri
-ms.custom: intro-overview
+ms.collection: highpri, tier1
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
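Review bot: The unchanged `description:` line still reads "what's new in Windows 11 version 21H2" on a page whose `title:` is "What's new in Windows 11, version 22H2". Since this hunk already edits the front matter, correct the version in the description here rather than leaving the mismatch for a separate PR.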
diff --git a/windows/whats-new/windows-11-overview.md b/windows/whats-new/windows-11-overview.md
index 165bd132d3..93f8c35444 100644
--- a/windows/whats-new/windows-11-overview.md
+++ b/windows/whats-new/windows-11-overview.md
@@ -1,7 +1,6 @@
---
title: Windows 11 overview for administrators
description: Learn more about Windows 11. Read about the features IT professionals and administrators should know about Windows 11, including security, using apps, using Android apps, the new desktop, and deploying and servicing PCs.
-ms.reviewer:
manager: aaroncz
author: mestew
ms.author: mstewart
@@ -10,8 +9,7 @@ ms.date: 09/20/2022
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
ms.topic: overview
-ms.collection: highpri
-ms.custom: intro-overview
+ms.collection: highpri, tier1
---
# Windows 11 overview
diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md
index 38dd1a3030..d61ccbad1a 100644
--- a/windows/whats-new/windows-11-plan.md
+++ b/windows/whats-new/windows-11-plan.md
@@ -2,12 +2,12 @@
title: Plan for Windows 11
description: Windows 11 deployment planning, IT Pro content.
ms.prod: windows-client
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+author: mestew
+ms.author: mstewart
+manager: aaroncz
ms.localizationpriority: high
ms.topic: article
-ms.collection: highpri
+ms.collection: highpri, tier1
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
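Review bot: `ms.date: 12/31/2017` is retained here alongside a full author, ms.author and manager handover. Windows 11 planning content cannot have been last updated in 2017, so this is a stale placeholder; update it as part of this ownership change (the same applies to the `windows-11-prepare.md` hunk below, which carries the identical date).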
@@ -73,7 +73,7 @@ The recommended method to determine if your infrastructure, deployment processes
As you plan your endpoint management strategy for Windows 11, consider moving to cloud-based mobile device management (MDM), such as [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). If a cloud-only approach isn't right for your organization yet, you can still modernize and streamline essential pieces of your endpoint management strategy as follows:
- Create a [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview) (CMG) to manage Configuration Manager clients over the internet.
-- Attach your existing Configuration Management estate to the cloud with [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions) so you can manage all devices from within the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+- Attach your existing Configuration Management estate to the cloud with [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions) so you can manage all devices from within the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
- Use [co-management](/mem/configmgr/comanage/overview) to concurrently manage devices using both Configuration Manager and Microsoft Intune. This concurrent management allows you to take advantage of cloud-powered capabilities like [Conditional Access](/azure/active-directory/conditional-access/overview).
For more information on the benefits of these approaches, see [Cloud Attach Your Future: The Big 3](https://techcommunity.microsoft.com/t5/configuration-manager-blog/cloud-attach-your-future-part-ii-quot-the-big-3-quot/ba-p/1750664).
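Review bot: in the rewritten bullet, "Configuration Management estate" should read "Configuration Manager estate" to match the product name used in the surrounding bullets and in the linked tenant-attach page. The rename from "Microsoft Endpoint Manager admin center" to "Microsoft Intune admin center" is correct and the `fwlink` target is unchanged, but check the rest of this file for remaining "Microsoft Endpoint Manager" mentions so the rename is applied consistently rather than in this one bullet only.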
diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md
index 6f5f8d35ad..46740f84c3 100644
--- a/windows/whats-new/windows-11-prepare.md
+++ b/windows/whats-new/windows-11-prepare.md
@@ -2,12 +2,12 @@
title: Prepare for Windows 11
description: Prepare your infrastructure and tools to deploy Windows 11, IT Pro content.
ms.prod: windows-client
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+author: mestew
+ms.author: mstewart
+manager: aaroncz
ms.localizationpriority: high
ms.topic: article
-ms.collection: highpri
+ms.collection: highpri, tier1
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md
index 3c6653f5b0..f264fb396a 100644
--- a/windows/whats-new/windows-11-requirements.md
+++ b/windows/whats-new/windows-11-requirements.md
@@ -7,7 +7,7 @@ ms.author: mstewart
ms.prod: windows-client
ms.localizationpriority: medium
ms.topic: article
-ms.collection: highpri
+ms.collection: highpri, tier1
ms.technology: itpro-fundamentals
ms.date: 02/13/2023
---