deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' into sheshachary-5714481

Browse Source
This commit is contained in:
Shesh 2022-04-27 10:49:57 +05:30 committed by GitHub
commit b4b79c7a9e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 51 additions and 150 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
.openpublishing.redirection.json
View File

@ -5167,7 +5167,7 @@
},
{
"source_path": "windows/device-security/security-compliance-toolkit-10.md",
"redirect_url": "/windows/security/threat-protection/security-compliance-toolkit-10",
"redirect_url": "/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10",
"redirect_document_id": false
},
{
@ -19505,6 +19505,11 @@
"redirect_url": "/education/",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/security-compliance-toolkit-10.md",
"redirect_url": "/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10",
"redirect_document_id": false
},
{
"source_path": "windows/education/developers.yml",
"redirect_url": "/education/",

2
browsers/internet-explorer/internet-explorer.yml
View File

@ -46,8 +46,6 @@ landingContent:
url: https://mva.microsoft.com/training-courses/getting-started-with-windows-10-for-it-professionals-10629?l=fCowqpy8_5905094681
- text: 'Windows 10: Top Features for IT Pros'
url: https://mva.microsoft.com/training-courses/windows-10-top-features-for-it-pros-16319?l=xBnT2ihhC_7306218965
- text: Manage and modernize Internet Explorer with Enterprise Mode
url: https://channel9.msdn.com/events/teched/newzealand/2014/pcit307
- text: 'Virtual Lab: Enterprise Mode'
url: https://www.microsoft.com/handsonlabs/SelfPacedLabs/?storyGuid=e4155067-2c7e-4b46-8496-eca38bedca02

4
education/windows/deploy-windows-10-in-a-school-district.md
View File

@ -899,7 +899,7 @@ Deploying a new Configuration Manager infrastructure is beyond the scope of this
Create a Microsoft Endpoint Manager driver package for each device type in your district. For more information, see [Manage drivers in Configuration Manager](/mem/configmgr/osd/get-started/manage-drivers).
4. Add Windows apps.
Install the Windows apps (Windows desktop and Microsoft Store apps) that you want to deploy after the task sequence deploys your customized image (a thick, reference image that include Windows 10 and your core Windows desktop apps). These apps are in addition to the apps included in your reference image. You can only deploy Microsoft Store apps after you deploy Windows 10 because you cannot capture Microsoft Store apps in a reference image. Microsoft Store apps target users, not devices.
Install the Windows apps (Windows desktop and Microsoft Store apps) that you want to deploy after the task sequence deploys your customized image (a thick, reference image that includes Windows 10 and your core Windows desktop apps). These apps are in addition to the apps included in your reference image. You can only deploy Microsoft Store apps after you deploy Windows 10 because you cannot capture Microsoft Store apps in a reference image. Microsoft Store apps target users, not devices.
Create a Configuration Manager application for each Windows desktop or Microsoft Store app that you want to deploy after you apply the reference image to a device. For more information, see [Deploy and manage applications with Configuration Manager](/mem/configmgr/apps/deploy-use/deploy-applications).
@ -1252,7 +1252,7 @@ Table 19 lists the school and individual classroom maintenance tasks, the resour
|Task and resources|Monthly|New semester or academic year|As required|
|--- |--- |--- |--- |
|Verify that Windows Update is active and current with operating system and software updates.<br>For more information about completing this task when you have:<li>Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](/mem/intune/protect/windows-update-for-business-configure)<li>Group Policy, see [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).<li>WSUS, see [Windows Server Update Services](/windows/deployment/deploy-whats-new).<br>Neither Intune, Group Policy, nor WSUS, see “Install, upgrade, & activate” in Windows 10 help.|✔️|✔️|✔️|
|Verify that Windows Defender is active and current with malware Security intelligence.<br>For more information about completing this task, see [Turn Windows Defender on or off](/mem/intune/user-help/turn-on-defender-windows)and [Updating Windows Defender](/mem/intune/user-help/turn-on-defender-windows).|✔️|✔️|✔️|
|Verify that Windows Defender is active and current with malware Security intelligence.<br>For more information about completing this task, see [Turn Windows Defender on or off](/mem/intune/user-help/turn-on-defender-windows) and [Updating Windows Defender](/mem/intune/user-help/turn-on-defender-windows).|✔️|✔️|✔️|
|Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.<br>For more information about completing this task, see the “How do I find and remove a virus?” topic in [Protect my PC from viruses](https://support.microsoft.com/help/17228/windows-protect-my-pc-from-viruses).|✔️|✔️|✔️|
|Download and approve updates for Windows 10, apps, device driver, and other software.<br>For more information, see:<li>[Manage updates by using Intune](#manage-updates-by-using-intune)<li>[Manage updates by using Microsoft Endpoint Configuration Manager](#manage-updates-by-using-microsoft-endpoint-configuration-manager)|✔️|✔️|✔️|
|Verify that youre using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).<br>For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options](/windows/deployment/update/).||✔️|✔️|

12
windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
View File

@ -52,7 +52,7 @@ An error is generated during publishing refresh when synchronizing packages from
**Workaround**: Upgrade the App-V 5.0 Management server to the App-V Management server for Windows 10 Clients.
## Custom configurations don't get applied for packages that will be published globally if they're set using the App-V Server
If you assign a package to an AD group that contains machine accounts and apply a custom configuration to that group using the App-V Server, the custom configuration won't not be applied to those machines. The App-V Client will publish packages assigned to a machine account globally. However, it stores custom configuration files per user in each users profile. Globally published packages won't have access to this custom configuration.
If you assign a package to an AD group that contains machine accounts and apply a custom configuration to that group using the App-V Server, the custom configuration won't be applied to those machines. The App-V Client will publish packages assigned to a machine account globally. However, it stores custom configuration files per user in each users profile. Globally published packages won't have access to this custom configuration.
**Workaround**: Do one of the following:
@ -64,7 +64,7 @@ If you assign a package to an AD group that contains machine accounts and apply
## Server files not deleted after new App-V Server installation
If you uninstall the App-V 5.0 SP1 Server and then install the App-V Server, the installation fails, the wrong version of the Management server is installed, and an error message is returned. The issue occurs because the Server files are not being deleted when you uninstall App-V 5.0 SP1, so the installation process does an upgrade instead of a new installation.
If you uninstall the App-V 5.0 SP1 Server and then install the App-V Server, the installation fails, the wrong version of the Management server is installed, and an error message is returned. The issue occurs because the Server files aren't being deleted when you uninstall App-V 5.0 SP1, so the installation process does an upgrade instead of a new installation.
**Workaround**: Delete this registry key before you start installing App-V:
@ -72,19 +72,19 @@ Under HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVe
## File type associations added manually are not saved correctly
File type associations added to an application package manually using the Shortcuts and FTAs tab at the end of the application upgrade wizard are not saved correctly. They will not be available to the App-V Client or to the Sequencer when updating the saved package again.
File type associations added to an application package manually using the Shortcuts and FTAs tab at the end of the application upgrade wizard aren't saved correctly. They won't be available to the App-V Client or to the Sequencer when updating the saved package again.
**Workaround**: To add a file type association, open the package for modification and run the update wizard. During the Installation step, add the new file type association through the operating system. The sequencer will detect the new association in the system registry and add it to the packages virtual registry, where it will be available to the client.
## When streaming packages in Shared Content Store (SCS) mode to a client that is also managed with AppLocker, additional data is written to the local disk.
To decrease the amount of data written to a clients local disk, you can enable SCS mode on the App-V Client to stream the contents of a package on demand. However, if AppLocker manages an application within the package, some data might be written to the clients local disk that would not otherwise be written.
To decrease the amount of data written to a clients local disk, you can enable SCS mode on the App-V Client to stream the contents of a package on demand. However, if AppLocker manages an application within the package, some data might be written to the clients local disk that wouldn't otherwise be written.
**Workaround**: None
## In the Management Console Add Package dialog box, the Browse button is not available when using Chrome or Firefox
On the Packages page of the Management Console, if you click **Add or Upgrade** in the lower-right corner, the **Add Package** dialog box appears. If you are accessing the Management Console using Chrome or Firefox as your browser, you will not be able to browse to the location of the package.
On the Packages page of the Management Console, if you click **Add or Upgrade** in the lower-right corner, the **Add Package** dialog box appears. If you're accessing the Management Console using Chrome or Firefox as your browser, you will not be able to browse to the location of the package.
**Workaround**: Type or copy and paste the path to the package into the **Add Package** input field. If the Management Console has access to this path, you will be able to add the package. If the package is on a network share, you can browse to the location using File Explorer by doing these steps:
@ -128,7 +128,7 @@ When you run Repair-AppvClientConnectionGroup, the following error is displayed,
3. If the package is currently published, run **Repair-AppvClientPackage** on that package.
## Icons not displayed properly in Sequencer
Icons in the Shortcuts and File Type Associations tab are not displayed correctly when modifying a package in the App-V Sequencer. This problem occurs when the size of the icons are not 16x16 or 32x32.
Icons in the Shortcuts and File Type Associations tab are not displayed correctly when modifying a package in the App-V Sequencer. This problem occurs when the sizes of the icons are not 16x16 or 32x32.
**Workaround**: Only use icons that are 16x16 or 32x32.

22
windows/deployment/upgrade/resolution-procedures.md
View File

@ -80,20 +80,20 @@ See the following general troubleshooting procedures associated with a result co
|0x80244018|Your machine is connected through a proxy server.|Make sure Automatically Detect Settings is selected in internet options. (Control Panel > Internet Options > Connections > LAN Settings).|
|0xC1900201|The system didn't pass the minimum requirements to install the update.|Contact the hardware vendor to get the latest updates.|
|0x80240017|The upgrade is unavailable for this edition of Windows.|Administrative policies enforced by your organization might be preventing the upgrade. Contact your IT administrator.|
|0x80070020|The existing process cannot access the file because it is being used by another process.|Use the MSCONFIG tool to perform a clean boot on the machine and then try to perform the update again. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135).|
|0x80070522|The user doesnt have required privilege or credentials to upgrade.|Ensure that you have signed in as a local administrator or have local administrator privileges.|
|0xC1900107|A cleanup operation from a previous installation attempt is still pending and a system reboot is required in order to continue the upgrade.|Restart the device and run setup again. If restarting the device does not resolve the issue, then use the Disk Cleanup utility and clean up the temporary files as well as the System files. For more information, see [Disk cleanup in Windows 10](https://support.microsoft.com/windows/disk-cleanup-in-windows-8a96ff42-5751-39ad-23d6-434b4d5b9a68).|
|0xC1900209|The user has chosen to cancel because the system does not pass the compatibility scan to install the update. Setup.exe will report this error when it can upgrade the machine with user data but cannot migrate installed applications.|Incompatible software is blocking the upgrade process. Uninstall the application and try the upgrade again. See [Windows 10 Pre-Upgrade Validation using SETUP.EXE](/archive/blogs/mniehaus/windows-10-pre-upgrade-validation-using-setup-exe) for more information.<p>You can also download the Windows Assessment and Deployment Kit (ADK) for Windows 10 and install Application Compatibility Tools.|
|0x80070020|The existing process can't access the file because it's being used by another process.|Use the MSCONFIG tool to perform a clean boot on the machine and then try to perform the update again. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135).|
|0x80070522|The user doesnt have required privilege or credentials to upgrade.|Ensure that you've signed in as a local administrator or have local administrator privileges.|
|0xC1900107|A cleanup operation from a previous installation attempt is still pending and a system reboot is required in order to continue the upgrade.|Restart the device and run setup again. If restarting the device doesn't resolve the issue, then use the Disk Cleanup utility to clean up the temporary files and the System files. For more information, see [Disk cleanup in Windows 10](https://support.microsoft.com/windows/disk-cleanup-in-windows-8a96ff42-5751-39ad-23d6-434b4d5b9a68).|
|0xC1900209|The user has chosen to cancel because the system doesn't pass the compatibility scan to install the update. Setup.exe will report this error when it can upgrade the machine with user data but cannot migrate installed applications.|Incompatible software is blocking the upgrade process. Uninstall the application and try the upgrade again. See [Windows 10 Pre-Upgrade Validation using SETUP.EXE](/archive/blogs/mniehaus/windows-10-pre-upgrade-validation-using-setup-exe) for more information.<p>You can also download the Windows Assessment and Deployment Kit (ADK) for Windows 10 and install Application Compatibility Tools.|
|0x8007002|This error is specific to upgrades using System Center 2012 Configuration Manager R2 SP1 CU3 (5.00.8238.1403)|Analyze the SMSTS.log and verify that the upgrade is failing on "Apply Operating system" Phase: Error 80072efe DownloadFileWithRanges() failed. 80072efe. ApplyOperatingSystem (0x0760)<p>The error 80072efe means that the connection with the server was terminated abnormally.<p>To resolve this issue, try the OS Deployment test on a client in same VLAN as the Configuration Manager server. Check the network configuration for random client-server connection issues happening on the remote VLAN.|
|0x80240FFF|Occurs when update synchronization fails. It can occur when you are using Windows Server Update Services on its own or when it is integrated with Microsoft Endpoint Configuration Manager. If you enable update synchronization before you install hotfix 3095113, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update.|You can prevent this by installing hotfix 3095113 before you enable update synchronization. However, if you have already run into this problem, do the following:<ol><li>Disable the Upgrades classification.<li>Install hotfix 3095113.<li>Delete previously synched updates.<li>Enable the Upgrades classification.<li>Perform a full synch.</ol><p>For detailed information on how to run these steps check out How to delete upgrades in WSUS.|
|0x8007007E|Occurs when update synchronization fails because you do not have hotfix 3095113 installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downloaded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you are using standalone Windows Server Update Services or when WSUS is integrated with Microsoft Endpoint Configuration Manager.|Use the following steps to repair Windows Server Update Services. You must run these steps on each WSUS server that synched metadata before you installed the hotfix.<p>Stop the Windows Update service. <li>Sign in as a user with administrative privileges, and then do the following:<li>Open Administrative Tools from the Control Panel.<li>Double-click Services.<li>Find the Windows Update service, right-click it, and then select Stop. If prompted, enter your credentials.<p>Delete all files and folders under c:\Windows\SoftwareDistribution\DataStore.<p>Restart the Windows Update service.|
|0x80240FFF|Occurs when update synchronization fails. It can occur when you're using Windows Server Update Services on its own or when it's integrated with Microsoft Endpoint Configuration Manager. If you enable update synchronization before you install hotfix 3095113, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update.|You can prevent this by installing hotfix 3095113 before you enable update synchronization. However, if you have already run into this problem, do the following:<ol><li>Disable the Upgrades classification.<li>Install hotfix 3095113.<li>Delete previously synched updates.<li>Enable the Upgrades classification.<li>Perform a full synch.</ol><p>For detailed information on how to run these steps check out How to delete upgrades in WSUS.|
|0x8007007E|Occurs when update synchronization fails because you don't have hotfix 3095113 installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downloaded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you're using standalone Windows Server Update Services or when WSUS is integrated with Microsoft Endpoint Configuration Manager.|Use the following steps to repair Windows Server Update Services. You must run these steps on each WSUS server that synched metadata before you installed the hotfix.<p>Stop the Windows Update service. <li>Sign in as a user with administrative privileges, and then do the following:<li>Open Administrative Tools from the Control Panel.<li>Double-click Services.<li>Find the Windows Update service, right-click it, and then select Stop. If prompted, enter your credentials.<p>Delete all files and folders under c:\Windows\SoftwareDistribution\DataStore.<p>Restart the Windows Update service.|
## Other error codes
| Error Codes | Cause | Mitigation |
| --- | --- | --- |
|0x80070003- 0x20007|This is a failure during SafeOS phase driver installation.|[Verify device drivers](/windows-hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](log-files.md#analyze-log-files) to determine the problem driver.|
|0x8007025D - 0x2000C|This error occurs if the ISO file&#39;s metadata is corrupt or if there is an issue with the storage medium, such as a RAM module containing bad blocks during the installation of Windows.|Re-download the ISO/Media and re-attempt the upgrade<p>Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/software-download/windows10).|
|0x8007025D - 0x2000C|This error occurs if the ISO file&#39;s metadata is corrupt or if there's an issue with the storage medium, such as a RAM module containing bad blocks during the installation of Windows.|Redownload the ISO/Media and reattempt the upgrade<p>Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/software-download/windows10).|
|0x80070490 - 0x20007|An incompatible device driver is present.|[Verify device drivers](/windows-hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](log-files.md#analyze-log-files) to determine the problem driver.|
|0xC1900101 - 0x2000c|An unspecified error occurred in the SafeOS phase during WIM apply. This can be caused by an outdated driver or disk corruption.|Run checkdisk to repair the file system. For more information, see the [quick fixes](quick-fixes.md) section in this guide.<br>Update drivers on the computer, and select "Download and install updates (recommended)" during the upgrade process. Disconnect devices other than the mouse, keyboard and display.|
|0xC1900200 - 0x20008|The computer doesnt meet the minimum requirements to download or upgrade to Windows 10.|See [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications) and verify the computer meets minimum requirements.<p>Review logs for [compatibility information](/archive/blogs/askcore/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues).|
@ -102,7 +102,7 @@ See the following general troubleshooting procedures associated with a result co
|0xC1900101 - 0x4001E|Installation failed in the SECOND_BOOT phase with an error during PRE_OOBE operation.|This is a generic error that occurs during the OOBE phase of setup. See the [0xC1900101](#0xc1900101) section of this guide and review general troubleshooting procedures described in that section.|
|0x80070005 - 0x4000D|The installation failed in the SECOND_BOOT phase with an error in during MIGRATE_DATA operation. This error indicates that access was denied while attempting to migrate data.|[Analyze log files](log-files.md#analyze-log-files) to determine the data point that is reporting access denied.|
|0x80070004 - 0x50012|Windows Setup failed to open a file.|[Analyze log files](log-files.md#analyze-log-files) to determine the data point that is reporting access problems.|
|0xC190020e<br>0x80070070 - 0x50011<br>0x80070070 - 0x50012<br>0x80070070 - 0x60000|These errors indicate the computer does not have enough free space available to install the upgrade.|To upgrade a computer to Windows 10, it requires 16 GB of free hard drive space for a 32-bit OS, and 20 GB for a 64-bit OS. If there is not enough space, attempt to [free up drive space](https://support.microsoft.com/help/17421/windows-free-up-drive-space) before proceeding with the upgrade. <p><div>**Note:** If your device allows it, you can use an external USB drive for the upgrade process. Windows setup will back up the previous version of Windows to a USB external drive. The external drive must be at least 8GB (16GB is recommended). The external drive should be formatted using NTFS. Drives that are formatted in FAT32 may run into errors due to FAT32 file size limitations. USB drives are preferred over SD cards because drivers for SD cards are not migrated if the device does not support Connected Standby.</div>|
|0xC190020e<br>0x80070070 - 0x50011<br>0x80070070 - 0x50012<br>0x80070070 - 0x60000|These errors indicate the computer doesn't have enough free space available to install the upgrade.|To upgrade a computer to Windows 10, it requires 16 GB of free hard drive space for a 32-bit OS, and 20 GB for a 64-bit OS. If there isn't enough space, attempt to [free up drive space](https://support.microsoft.com/help/17421/windows-free-up-drive-space) before proceeding with the upgrade. <p><div>**Note:** If your device allows it, you can use an external USB drive for the upgrade process. Windows setup will back up the previous version of Windows to a USB external drive. The external drive must be at least 8 GB (16 GB is recommended). The external drive should be formatted using NTFS. Drives that are formatted in FAT32 may run into errors due to FAT32 file size limitations. USB drives are preferred over SD cards because drivers for SD cards aren't migrated if the device doesn't support Connected Standby.</div>|
## Modern setup errors
@ -110,10 +110,10 @@ Also see the following sequential list of modern setup (mosetup) error codes wit
| Result code | Message | Description |
| --- | --- | --- |
| 0XC1900100 | MOSETUP_E_VERSION_MISMATCH | An unexpected version of Setup Platform binaries was encountered. Please verify the package contents. |
| 0XC1900100 | MOSETUP_E_VERSION_MISMATCH | An unexpected version of Setup Platform binaries was encountered. Verify the package contents. |
| 0XC1900101 | MOSETUP_E_SETUP_PLATFORM | The Setup Platform has encountered an unspecified error. |
| 0XC1900102 | MOSETUP_E_SHUTDOWN_BLOCK | Unable to create or destroy the shutdown block message. |
| 0XC1900103 | MOSETUP_E_COMPAT_TIMEOUT | The compatibility issues were not resolved within the required time limit. |
| 0XC1900103 | MOSETUP_E_COMPAT_TIMEOUT | The compatibility issues weren't resolved within the required time limit. |
| 0XC1900104 | MOSETUP_E_PROCESS_TIMEOUT | The installation process did not complete within the required time limit. |
| 0XC1900105 | MOSETUP_E_TEST_MODE | The installation process is being used in a test environment. |
| 0XC1900106 | MOSETUP_E_TERMINATE_PROCESS | The installation process was terminated. |
@ -131,7 +131,7 @@ Also see the following sequential list of modern setup (mosetup) error codes wit
| 0XC1900113 | MOSETUP_E_EULA_DECLINED | The user has declined the license terms. |
| 0XC190011e | MOSETUP_E_FLIGHTING_BVT | The installation process has been halted for testing purposes. |
| 0XC190011f | MOSETUP_E_PROCESS_CRASHED | The installation process crashed. |
| 0XC1900120 | MOSETUP_E_EULA_TIMEOUT | The user has not accepted Eula within the required time limit. |
| 0XC1900120 | MOSETUP_E_EULA_TIMEOUT | The user has not accepted the EULA within the required time limit. |
| 0XC1900121 | MOSETUP_E_ADVERTISE_TIMEOUT | The user has not accepted Advertisement within the required time limit. |
| 0XC1900122 | MOSETUP_E_DOWNLOADDISKSPACE_TIMEOUT | The download disk space issues were not resolved within the required time limit. |
| 0XC1900123 | MOSETUP_E_INSTALLDISKSPACE_TIMEOUT | The install disk space issues were not resolved within the required time limit. |

8
windows/deployment/windows-10-enterprise-e3-overview.md
View File

@ -132,18 +132,18 @@ Now that the devices have Windows 10/11 Enterprise, you can implement Device Gu
For more information about implementing Device Guard, see:
- [Planning and getting started on the Device Guard deployment process](https://technet.microsoft.com/itpro/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process)
- [Windows Defender Application Control and virtualization-based protection of code integrity](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control)
- [Device Guard deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide)
### AppLocker management
You can manage AppLocker in Windows 10 Enterprise by using Group Policy. Group Policy requires that the you have AD DS and that the Windows 10/11 Enterprise devices are joined to the your AD DS domain. You can create AppLocker rules by using Group Policy, and then target those rules to the appropriate devices.
You can manage AppLocker in Windows 10 Enterprise by using Group Policy. Group Policy requires that you have AD DS and that the Windows 10/11 Enterprise devices are joined to your AD DS domain. You can create AppLocker rules by using Group Policy, and then target those rules to the appropriate devices.
For more information about AppLocker management by using Group Policy, see [AppLocker deployment guide](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide).
### App-V
App-V requires an App-V server infrastructure to support App-V clients. The primary App-V components that the you must have are as follows:
App-V requires an App-V server infrastructure to support App-V clients. The primary App-V components that you must have are as follows:
- **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, you could have multiple streaming servers. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server.
@ -158,7 +158,7 @@ For more information about implementing the App-V server, App-V sequencer, and A
- [Deploying the App-V Sequencer and Configuring the Client](/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client)
### UE-V
UE-V requires server- and client-side components that you youll need to download, activate, and install. These components include:
UE-V requires server- and client-side components that youll need to download, activate, and install. These components include:
- **UE-V service**. The UE-V service (when enabled on devices) monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices.

10
windows/deployment/windows-deployment-scenarios-and-tools.md
View File

@ -89,7 +89,7 @@ By default USMT migrates many settings, most of which are related to the user pr
- Specific file types. USMT templates migrate the following file types: .accdb, .ch3, .csv, .dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*.
**Note**
The OpenDocument extensions (\*.odt, \*.odp, \*.ods, etc.) that Microsoft Office applications can use are not migrated by default.
The OpenDocument extensions (\*.odt, \*.odp, \*.ods, etc.) that Microsoft Office applications can use aren't migrated by default.
- Operating system component settings
- Application settings
@ -108,7 +108,7 @@ For more information, see [Windows Imaging and Configuration Designer](/windows/
### Windows System Image Manager (Windows SIM)
Windows SIM is an authoring tool for Unattend.xml files. When using MDT and/or Configuration Manager, you don't need Windows SIM very often because those systems automatically update the Unattend.xml file during the deployment, greatly simplifying the process overall.
Windows SIM is an authoring tool for Unattend.xml files. When using MDT and/or Configuration Manager, you don't need Windows SIM often because those systems automatically update the Unattend.xml file during the deployment, greatly simplifying the process overall.
![Windows answer file opened in Windows SIM.](images/mdt-11-fig07.png)
@ -201,7 +201,7 @@ For more information on MDT, see the [Microsoft Deployment Toolkit](/mem/configm
## Microsoft Security Compliance Manager 2013
[Microsoft SCM](https://go.microsoft.com/fwlink/p/?LinkId=619246) is a free utility used to create baseline security settings for the Windows client and server environment. The baselines can be exported and then deployed via Group Policy, local policies, MDT, or Configuration Manager. The current version of Security Compliance Manager includes baselines for Windows 8.1 and several earlier versions of Windows, Windows Server, and Internet Explorer.
[Microsoft SCM](https://www.microsoft.com/download/details.aspx?id=53353) is a free utility used to create baseline security settings for the Windows client and server environment. The baselines can be exported and then deployed via Group Policy, local policies, MDT, or Configuration Manager. The current version of Security Compliance Manager includes baselines for Windows 8.1 and several earlier versions of Windows, Windows Server, and Internet Explorer.
![The SCM console showing a baseline configuration for a fictional client's computer security compliance.](images/mdt-11-fig14.png)
@ -255,7 +255,7 @@ For many years BIOS has been the industry standard for booting a PC. BIOS has se
BIOS has been in use for approximately 30 years. Even though it clearly has proven to work, it has some limitations, including:
- 16-bit code
- 1 MB address space
- 1-MB address space
- Poor performance on ROM initialization
- MBR maximum bootable disk size of 2.2 TB
@ -274,7 +274,7 @@ With UEFI, you can benefit from:
### Versions
UEFI Version 2.3.1B is the version required for Windows 8 and later logo compliance. Later versions have been released to address issues; a small number of machines may need to upgrade their firmware to fully support the UEFI implementation in Windows 8 and later.
UEFI Version 2.3.1B is the version required for Windows 8 and later logo compliance. Later versions have been released to address issues; a few machines may need to upgrade their firmware to fully support the UEFI implementation in Windows 8 and later.
### Hardware support for UEFI

101
windows/security/threat-protection/security-compliance-toolkit-10.md
View File

@ -1,101 +0,0 @@
---
title: Microsoft Security Compliance Toolkit 1.0
description: This article describes how to use the Security Compliance Toolkit 1.0 in your organization
keywords: virtualization, security, malware
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.author: dansimp
author: dulcemontemayor
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 11/21/2019
ms.reviewer:
ms.technology: windows-sec
---
# Microsoft Security Compliance Toolkit 1.0 Usage
## What is the Security Compliance Toolkit (SCT)?
The Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products.
The SCT enables administrators to effectively manage their enterprises Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them broadly through Active Directory or individually through local policy.
<p></p>
The Security Compliance Toolkit consists of:
- Windows 10 security baselines
- Windows 10, Version 21H1 (May 2021 Update)
- Windows 10, Version 20H2 (October 2020 Update)
- Windows 10, Version 2004 (May 2020 Update)
- Windows 10, Version 1909 (November 2019 Update)
- Windows 10, Version 1809 (October 2018 Update)
- Windows 10, Version 1607 (Anniversary Update)
- Windows 10, Version 1507
- Windows Server security baselines
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Microsoft Office security baseline
- Microsoft 365 Apps for enterprise, Version 2104
- Microsoft Edge security baseline
- Version 93
- Windows Update security baseline
- Windows 10 20H2 and below (October 2020 Update)
- Tools
- Policy Analyzer tool
- Local Group Policy Object (LGPO) tool
- Set Object Security tool
- GPO to PolicyRules tool
- Scripts
- Baseline-ADImport.ps1
- Baseline-LocalInstall.ps1
- Remove-EPBaselineSettings.ps1
- MapGuidsToGpoNames.ps1
You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/bg-p/Microsoft-Security-Baselines).
## What is the Policy Analyzer tool?
The Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). Its main features include:
- Highlight when a set of Group Policies has redundant settings or internal inconsistencies
- Highlight the differences between versions or sets of Group Policies
- Compare GPOs against current local policy and local registry settings
- Export results to a Microsoft Excel spreadsheet
Policy Analyzer lets you treat a set of GPOs as a single unit. This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set.
More information on the Policy Analyzer tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-tool-policy-analyzer/ba-p/701049) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
## What is the Local Group Policy Object (LGPO) tool?
LGPO.exe is a command-line utility that is designed to help automate management of Local Group Policy.
Using local policy gives administrators a simple way to verify the effects of Group Policy settings, and is also useful for managing non-domain-joined systems.
LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, as well as from formatted “LGPO text” files.
It can export local policy to a GPO backup.
It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file.
Documentation for the LGPO tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/lgpo-exe-local-group-policy-object-utility-v1-0/ba-p/701045) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
## What is the Set Object Security tool?
SetObjectSecurity.exe enables you to set the security descriptor for just about any type of Windows securable object (files, directories, registry keys, event logs, services, SMB shares, etc.). For file system and registry objects, you can choose whether to apply inheritance rules. You can also choose to output the security descriptor in a .reg-file-compatible representation of the security descriptor for a REG_BINARY registry value.
Documentation for the Set Object Security tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
## What is the GPO to Policy Rules tool?
Automate the conversion of GPO backups to Policy Analyzer .PolicyRules files and skip the GUI. GPO2PolicyRules is a command-line tool that is included with the Policy Analyzer download.
Documentation for the GPO to PolicyRules tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).

1
windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
View File

@ -46,7 +46,6 @@ The Security Compliance Toolkit consists of:
- Microsoft Office security baseline
- Microsoft 365 Apps for Enterprise Version 2112
- Office 2016
- Microsoft Edge security baseline
- Edge version 98

12
windows/whats-new/ltsc/whats-new-windows-10-2015.md
View File

@ -41,7 +41,7 @@ AppLocker was available for Windows 8.1, and is improved with Windows 10. See [R
Enhancements to AppLocker in Windows 10 include:
- A new parameter was added to the [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**.
- A new [AppLocker](/windows/client-management/mdm/applocker-csp) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server.
- A new [AppLocker](/windows/client-management/mdm/applocker-csp) configuration service provider was added to allow you to enable AppLocker rules by using an MDM server.
[Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview).
@ -76,9 +76,9 @@ In Windows 10, security auditing has added some improvements:
In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events:
- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource.
When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event.
- [Audit PNP Activity](/windows/device-security/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device.
- [Audit PNP Activity](/windows/security/threat-protection/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device.
Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play.
A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event.
A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs is included in the event.
#### <a href="" id="bkmk-moreinfo"></a>More info added to existing audit events
@ -126,7 +126,7 @@ The logon event ID 4688 has been updated to include more verbose information to
2. **TargetUserName** String
The account name of the target user.
3. **TargetDomainName** String
The domain of the target user..
The domain of the target user.
4. **TargetLogonId** String
The logon ID of the target user.
5. **ParentProcessName** String
@ -165,7 +165,7 @@ Event ID 4826 has been added to track the following changes to the Boot Configur
Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesnt expect this type of action, such as a domain controller.
[Learn how to manage your security audit policies within your organization](/windows/device-security/auditing/security-auditing-overview).
[Learn how to manage your security audit policies within your organization](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319078(v=ws.11))
### Trusted Platform Module
@ -196,7 +196,7 @@ User Account Control (UAC) helps prevent malware from damaging a computer and he
You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Universal Windows Platform apps stop working. You must always set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10.
For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings).
For more info about how to manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings).
In Windows 10, User Account Control has added some improvements:

12
windows/whats-new/ltsc/whats-new-windows-10-2016.md
View File

@ -118,12 +118,12 @@ Windows Information Protection (WIP) helps to protect against this potential dat
Several new features and management options have been added to Windows Defender in this version of Windows 10.
- [Windows Defender Offline in Windows 10](/windows/threat-protection/microsoft-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media.
- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus) to configure options and run scans.
- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware.
- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus) to see more information about threat detections and removal.
- [Run a Windows Defender scan from the command line](/windows/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus).
- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) during download and install times.
- [Windows Defender Offline in Windows 10](/microsoft-365/security/defender-endpoint/microsoft-defender-offline) can be run directly from within Windows, without having to create bootable media.
- [Use PowerShell cmdlets for Windows Defender](/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus) to configure options and run scans.
- [Enable the Block at First Sight feature in Windows 10](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware.
- [Configure enhanced notifications for Windows Defender in Windows 10](/microsoft-365/security/defender-endpoint/configure-notifications-microsoft-defender-antivirus) to see more information about threat detections and removal.
- [Run a Windows Defender scan from the command line](/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus).
- [Detect and block Potentially Unwanted Applications with Windows Defender](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) during download and install times.
### Microsoft Defender for Endpoint

8
windows/whats-new/ltsc/whats-new-windows-10-2019.md
View File

@ -200,7 +200,7 @@ New features in [Windows Hello for Business](/windows/security/identity-protecti
- You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune).
- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset).
- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset).
[Windows Hello](/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in [Kiosk configuration](#kiosk-configuration).
@ -362,7 +362,7 @@ Until now, Windows logon only supported the use of identities federated to ADFS
1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs).
2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in.
2. Set the Policy CSP, and the Authentication and EnableWebSignIn policies to enable web sign-in.
3. On the lock screen, select web sign-in under sign-in options.
4. Click the “Sign in” button to continue.
@ -532,7 +532,7 @@ In Windows 10 Enterprise LTSC 2019, we continue our work to improve the diagnost
### Application Virtualization for Windows (App-V)
Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise LTSC 2019 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart.
Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise LTSC 2019 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically clean up your unpublished packages after a device restart.
For more info, see the following topics:
- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm)
@ -578,7 +578,7 @@ Users attempt to connect to a Miracast receiver as they did previously. When the
- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections.
- No changes to current wireless drivers or PC hardware are required.
- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct.
- It leverages an existing connection which both reduces the time to connect and provides a very stable stream.
- It leverages an existing connection that both reduces the time to connect and provides a very stable stream.
#### Enabling Miracast over Infrastructure

2
windows/whats-new/windows-11-requirements.md
View File

@ -46,7 +46,7 @@ For information about tools to evaluate readiness, see [Determine eligibility](w
## Operating system requirements
For the best Windows 11 upgrade experience, eligible devices should be running Windows 10, version 2004 or later.
Eligible Windows 10 devices must be on version 2004 or later, and have installed the September 14, 2021 security update or later, to upgrade directly to Windows 11.
> [!NOTE]
> S mode is only supported on the Home edition of Windows 11.