diff --git a/.acrolinx-config.edn b/.acrolinx-config.edn index 0ffbb03551..4adf09ac5a 100644 --- a/.acrolinx-config.edn +++ b/.acrolinx-config.edn @@ -4,15 +4,14 @@ :targets { :counts { - ;;:spelling 10 - ;;:grammar 3 + ;;:correctness 13 ;;:total 15 ;; absolute flag count but i don't know the difference between this and issues ;;:issues 15 ;; coming from the platform, will need to be tested. } :scores { ;;:terminology 100 :qualityscore 80 ;; Confirmed with Hugo that you just comment out the single score and leave the structure in place - ;;:spelling 40 + ;;:correctness 40 } } @@ -22,7 +21,7 @@ { "languageId" "en" "ruleSetName" "Standard" - "requestedFlagTypes" ["SPELLING" "GRAMMAR" "STYLE" + "requestedFlagTypes" ["CORRECTNESS" "SPELLING" "GRAMMAR" "STYLE" "TERMINOLOGY_DEPRECATED" "TERMINOLOGY_VALID" "VOICE_GUIDANCE" @@ -35,7 +34,7 @@ " ## Acrolinx Scorecards -**The minimum Acrolinx topic score of 80 is required for all MARVEL content merged to the default branch.** +**The minimum Acrolinx topic score of 80 is required for all MAGIC content merged to the default branch.** If you need a scoring exception for content in this PR, add the *Sign off* and the *Acrolinx exception* labels to the PR. The PubOps Team will review the exception request and may take one or more of the following actions: @@ -47,12 +46,12 @@ For more information about the exception criteria and exception process, see [Mi Click the scorecard links for each article to review the Acrolinx feedback on grammar, spelling, punctuation, writing style, and terminology: -| Article | Score | Issues | Correctness
issues | Scorecard | Processed | +| Article | Score | Issues | Correctness
score | Scorecard | Processed | | ------- | ----- | ------ | ------ | --------- | --------- | " :template-change - "| ${s/file} | ${acrolinx/qualityscore} | ${acrolinx/flags/issues} | ${acrolinx/flags/correctness} | [link](${acrolinx/scorecard}) | ${s/status} | + "| ${s/file} | ${acrolinx/qualityscore} | ${acrolinx/flags/issues} | ${acrolinx/scores/correctness} | [link](${acrolinx/scorecard}) | ${s/status} | " :template-footer diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 0000000000..deb2888417 --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,39 @@ + + + +## Why + + + +- Closes #[Issue Number] + +## Changes + + + + \ No newline at end of file diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index afe30ff75b..2c59b009f8 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1,5 +1,15 @@ { "redirections": [ + { + "source_path": "windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md", + "redirect_url": "/windows/security/windows/security/identity-protection/hello-for-business/webauthn-apis", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/manage-windows-mixed-reality.md", + "redirect_url": "/windows/mixed-reality/enthusiast-guide/manage-windows-mixed-reality", + "redirect_document_id": false + }, { "source_path": "windows/client-management/mdm/browserfavorite-csp.md", "redirect_url": "https://support.microsoft.com/windows/windows-phone-8-1-end-of-support-faq-7f1ef0aa-0aaf-0747-3724-5c44456778a3", diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 3bf0503686..e09fdb10e8 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -2,7 +2,7 @@ Thank you for your interest in the Windows IT professional documentation! We appreciate your feedback, edits, and additions to our docs. This page covers the basic steps for editing our technical documentation. -For a more up-to-date and complete contribution guide, see the main [Microsoft Docs contributor guide overview](https://docs.microsoft.com/contribute/). +For a more up-to-date and complete contribution guide, see the main [contributor guide overview](https://docs.microsoft.com/contribute/). ## Sign a CLA @@ -19,16 +19,16 @@ We've tried to make editing an existing, public file as simple as possible. ### To edit a topic -1. Go to the page on [docs.microsoft.com](https://docs.microsoft.com/) that you want to update. +1. Browse to the [Microsoft Docs](https://docs.microsoft.com/) article that you want to update. > **Note**
> If you're a Microsoft employee or vendor, before you edit the article, append `review.` to the beginning of the URL. This action lets you use the private repository, **windows-docs-pr**. For more information, see the [internal contributor guide](https://review.docs.microsoft.com/help/get-started/edit-article-in-github?branch=main). 1. Then select the **Pencil** icon. - ![Microsoft Docs Web, showing the Edit This Document link.](images/contribute-link.png) + ![Screenshot showing the Pencil icon to edit a published article.](images/contribute-link.png) - If the pencil icon isn't present, the content might not be open to public contributions. Some pages are generated (for example, from inline documentation in code) and must be edited in the project they belong to. This isn't always the case and you might be able to find the documentation by searching the [Microsoft Docs Organization on GitHub](https://github.com/MicrosoftDocs). + If the pencil icon isn't present, the content might not be open to public contributions. Some pages are generated (for example, from inline documentation in code) and must be edited in the project they belong to. This isn't always the case and you might be able to find the documentation by searching the [MicrosoftDocs organization on GitHub](https://github.com/MicrosoftDocs). > **TIP**
> View the page source in your browser, and look for the following metadata: `original_content_git_url`. This path always points to the source markdown file for the article. @@ -37,7 +37,7 @@ We've tried to make editing an existing, public file as simple as possible. ![GitHub Web, showing the Pencil icon.](images/pencil-icon.png) -1. Using Markdown language, make your changes to the file. For info about how to edit content using Markdown, see the [Microsoft Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference) and GitHub's [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) documentation. +1. Using Markdown language, make your changes to the file. For info about how to edit content using Markdown, see the [Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference) and GitHub's [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) documentation. 1. Make your suggested change, and then select **Preview changes** to make sure it looks correct. @@ -82,4 +82,4 @@ In the new issue form, enter a brief title. In the body of the form, describe th - You can use your favorite text editor to edit Markdown files. We recommend [Visual Studio Code](https://code.visualstudio.com/), a free lightweight open source editor from Microsoft. - You can learn the basics of Markdown in just a few minutes. To get started, check out [Mastering Markdown](https://guides.github.com/features/mastering-markdown/). -- Microsoft Docs uses several custom Markdown extensions. To learn more, see the [Microsoft Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference). +- Microsoft technical documentation uses several custom Markdown extensions. To learn more, see the [Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference). 
diff --git a/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md b/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md index 25f58fb19f..a8f90c3697 100644 --- a/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md +++ b/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md @@ -5,7 +5,7 @@ Starting with Windows 10, version 1511 (also known as the Anniversary Update), y ### Site list xml file -This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location. +This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location. ```xml 
@@ -47,4 +47,4 @@ This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypf -``` \ No newline at end of file +``` diff --git a/browsers/includes/helpful-topics-include.md b/browsers/includes/helpful-topics-include.md index 0a0f72e971..21e15f6d8d 100644 --- a/browsers/includes/helpful-topics-include.md +++ b/browsers/includes/helpful-topics-include.md @@ -35,4 +35,4 @@ ms.topic: include - [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/browser/mt612809.aspx) - [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=290956) - [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](https://go.microsoft.com/fwlink/p/?LinkId=760646) -- [Fix web compatibility issues using document modes and the Enterprise Mode site list](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list) +- [Fix web compatibility issues using document modes and the Enterprise Mode site list](/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list) diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json index 37391cc166..83d51cf7f0 100644 --- a/browsers/internet-explorer/docfx.json +++ b/browsers/internet-explorer/docfx.json @@ -26,12 +26,6 @@ "recommendations": true, "breadcrumb_path": "/internet-explorer/breadcrumb/toc.json", "ROBOTS": "INDEX, FOLLOW", - "audience": "ITPro", - "ms.technology": "internet-explorer", - "ms.prod": "ie11", - "ms.topic": "article", - "manager": "dansimp", - "ms.date": "04/05/2017", "feedback_system": "None", "hideEdit": true, "_op_documentIdPathDepotMapping": { diff --git a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md index ca1542a952..83c7c6b9b8 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md 
+++ b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md @@ -7,6 +7,7 @@ ms.reviewer: audience: itpro manager: dansimp ms.author: dansimp +ms.prod: ie11 --- # Full-sized flowchart detailing how document modes are chosen in IE11 diff --git a/browsers/internet-explorer/internet-explorer.yml b/browsers/internet-explorer/internet-explorer.yml index 05e93f6e25..17eee2393b 100644 --- a/browsers/internet-explorer/internet-explorer.yml +++ b/browsers/internet-explorer/internet-explorer.yml @@ -9,6 +9,7 @@ metadata: author: aczechowski ms.author: aaroncz ms.date: 07/29/2022 + ms.prod: ie11 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new diff --git a/education/breadcrumb/toc.yml b/education/breadcrumb/toc.yml index 93f929e957..41fb052a33 100644 --- a/education/breadcrumb/toc.yml +++ b/education/breadcrumb/toc.yml @@ -1,3 +1,4 @@ +items: - name: Docs tocHref: / topicHref: / @@ -12,4 +13,7 @@ - name: Windows tocHref: /education/windows topicHref: /education/windows/index - \ No newline at end of file + - name: Windows + tocHref: /windows/security/ + topicHref: /education/windows/index + diff --git a/education/docfx.json b/education/docfx.json index 105c802404..7aabd80dfc 100644 --- a/education/docfx.json +++ b/education/docfx.json @@ -17,7 +17,8 @@ "files": [ "**/*.png", "**/*.jpg", - "**/*.svg" + "**/*.svg", + "**/*.gif" ], "exclude": [ "**/obj/**", diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md index e06d4cfd48..47c8557394 100644 --- a/education/includes/education-content-updates.md +++ b/education/includes/education-content-updates.md 
@@ -2,6 +2,46 @@ +## Week of September 05, 2022 + + +| Published On |Topic title | Change | +|------|------------|--------| +| 9/8/2022 | [Education scenarios Microsoft Store for Education](/education/windows/education-scenarios-store-for-business) | modified | +| 9/8/2022 | [Get Minecraft Education Edition](/education/windows/get-minecraft-for-education) | modified | +| 9/8/2022 | [For teachers get Minecraft Education Edition](/education/windows/teacher-get-minecraft) | modified | +| 9/9/2022 | [Take tests in Windows](/education/windows/take-tests-in-windows-10) | modified | + + +## Week of August 29, 2022 + + +| Published On |Topic title | Change | +|------|------------|--------| +| 8/31/2022 | [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps) | added | +| 8/31/2022 | [Configure and secure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-settings) | added | +| 8/31/2022 | [Configure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-devices-overview) | added | +| 8/31/2022 | [Enrollment in Intune with standard out-of-box experience (OOBE)](/education/windows/tutorial-school-deployment/enroll-aadj) | added | +| 8/31/2022 | [Enrollment in Intune with Windows Autopilot](/education/windows/tutorial-school-deployment/enroll-autopilot) | added | +| 8/31/2022 | [Device enrollment overview](/education/windows/tutorial-school-deployment/enroll-overview) | added | +| 8/31/2022 | [Enrollment of Windows devices with provisioning packages](/education/windows/tutorial-school-deployment/enroll-package) | added | +| 8/31/2022 | [Introduction](/education/windows/tutorial-school-deployment/index) | added | +| 8/31/2022 | [Manage devices with Microsoft Intune](/education/windows/tutorial-school-deployment/manage-overview) | added | +| 8/31/2022 | [Management functionalities for Surface 
devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | added | +| 8/31/2022 | [Reset and wipe Windows devices](/education/windows/tutorial-school-deployment/reset-wipe) | added | +| 8/31/2022 | [Set up Azure Active Directory](/education/windows/tutorial-school-deployment/set-up-azure-ad) | added | +| 8/31/2022 | [Set up device management](/education/windows/tutorial-school-deployment/set-up-microsoft-intune) | added | +| 8/31/2022 | [Troubleshoot Windows devices](/education/windows/tutorial-school-deployment/troubleshoot-overview) | added | + + +## Week of August 15, 2022 + + +| Published On |Topic title | Change | +|------|------------|--------| +| 8/17/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified | + + ## Week of August 08, 2022 @@ -39,14 +79,3 @@ | 8/10/2022 | [What is Windows 11 SE](/education/windows/windows-11-se-overview) | modified | | 8/10/2022 | [Windows 11 SE settings list](/education/windows/windows-11-se-settings-list) | modified | | 8/10/2022 | [Windows 10 editions for education customers](/education/windows/windows-editions-for-education-customers) | modified | - - -## Week of July 25, 2022 - - -| Published On |Topic title | Change | -|------|------------|--------| -| 7/26/2022 | [Upgrade Windows Home to Windows Education on student-owned devices](/education/windows/change-home-to-edu) | added | -| 7/26/2022 | [Secure the Windows boot process](/education/windows/change-home-to-edu) | modified | -| 7/25/2022 | Edit an existing topic using the Edit link | removed | -| 7/26/2022 | [Windows Hello for Business Videos](/education/windows/change-home-to-edu) | modified | diff --git a/education/windows/TOC.yml b/education/windows/TOC.yml index f2d04a9792..f90e7d595f 100644 --- a/education/windows/TOC.yml +++ b/education/windows/TOC.yml 
@@ -1,73 +1,99 @@ -- name: Windows 11 SE for Education +items: +- name: Windows for Education Documentation + href: index.yml +- name: Tutorials + expanded: true items: - - name: Overview - href: windows-11-se-overview.md - - name: Settings and CSP list - href: windows-11-se-settings-list.md -- name: Windows 10 for Education - href: index.md + - name: Deploy and manage Windows devices in a school + href: tutorial-school-deployment/toc.yml +- name: Concepts items: + - name: Windows 11 SE + items: + - name: Overview + href: windows-11-se-overview.md + - name: Settings and CSP list + href: windows-11-se-settings-list.md + - name: Windows in S Mode + items: + - name: Test Windows 10 in S mode on existing Windows 10 education devices + href: test-windows10s-for-edu.md + - name: Enable Windows 10 in S mode on Surface Go devices + href: enable-s-mode-on-surface-go-devices.md - name: Windows 10 editions for education customers href: windows-editions-for-education-customers.md + - name: Shared PC mode for school devices + href: set-up-school-pcs-shared-pc-mode.md - name: Windows 10 configuration recommendations for education customers href: configure-windows-for-education.md - - name: Deployment recommendations for school IT administrators - href: edu-deployment-recommendations.md - - name: Set up Windows devices for education - href: set-up-windows-10.md +- name: How-to-guides + items: + - name: Use the Set up School PCs app + href: use-set-up-school-pcs-app.md + - name: Take tests and assessments in Windows items: - - name: What's new in Set up School PCs - href: set-up-school-pcs-whats-new.md - - name: Technical reference for the Set up School PCs app - href: set-up-school-pcs-technical.md - items: - - name: Azure AD Join for school PCs - href: set-up-school-pcs-azure-ad-join.md - - name: Shared PC mode for school devices - href: set-up-school-pcs-shared-pc-mode.md - - name: Provisioning package settings - href: set-up-school-pcs-provisioning-package.md - - name: Use the 
Set up School PCs app - href: use-set-up-school-pcs-app.md - - name: Set up student PCs to join domain - href: set-up-students-pcs-to-join-domain.md - - name: Provision student PCs with apps - href: set-up-students-pcs-with-apps.md - - name: Take tests in Windows 10 - href: take-tests-in-windows-10.md - items: - - name: Set up Take a Test on a single PC + - name: Overview + href: take-tests-in-windows-10.md + - name: Configure Take a Test on a single PC href: take-a-test-single-pc.md - - name: Set up Take a Test on multiple PCs + - name: Configure a Test on multiple PCs href: take-a-test-multiple-pcs.md - - name: Take a Test app technical reference - href: take-a-test-app-technical.md + - name: Change Windows edition + items: + - name: Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode + href: s-mode-switch-to-edu.md + - name: Change to Windows 10 Pro Education from Windows 10 Pro + href: change-to-pro-education.md + - name: Upgrade Windows Home to Windows Education on student-owned devices + href: change-home-to-edu.md + - name: "Get and deploy Minecraft: Education Edition" + items: + - name: "Get Minecraft: Education Edition" + href: get-minecraft-for-education.md + - name: "For IT administrators: get Minecraft Education Edition" + href: school-get-minecraft.md + - name: "For teachers: get Minecraft Education Edition" + href: teacher-get-minecraft.md + - name: Work with Microsoft Store for Education + href: education-scenarios-store-for-business.md + - name: Migrate from Chromebook to Windows + items: + - name: Chromebook migration guide + href: chromebook-migration-guide.md + - name: Deploy Windows 10 devices in a school + items: + - name: Overview + href: deploy-windows-10-overview.md + - name: Deploy Windows 10 in a school + href: deploy-windows-10-in-a-school.md + - name: Deploy Windows 10 in a school district + href: deploy-windows-10-in-a-school-district.md + - name: Deployment recommendations for school IT administrators + href: 
edu-deployment-recommendations.md + - name: Set up Windows devices for education + items: + - name: Overview + href: set-up-windows-10.md + - name: Azure AD join for school PCs + href: set-up-school-pcs-azure-ad-join.md + - name: Active Directory join for school PCs + href: set-up-students-pcs-to-join-domain.md + - name: Provision student PCs with apps + href: set-up-students-pcs-with-apps.md - name: Reset devices with Autopilot Reset href: autopilot-reset.md - - name: Working with Microsoft Store for Education - href: education-scenarios-store-for-business.md - - name: "Get Minecraft: Education Edition" - href: get-minecraft-for-education.md - items: - - name: "For teachers: get Minecraft Education Edition" - href: teacher-get-minecraft.md - - name: "For IT administrators: get Minecraft Education Edition" - href: school-get-minecraft.md - - name: Test Windows 10 in S mode on existing Windows 10 education devices - href: test-windows10s-for-edu.md - - name: Enable Windows 10 in S mode on Surface Go devices - href: enable-s-mode-on-surface-go-devices.md - - name: Deploy Windows 10 in a school - href: deploy-windows-10-in-a-school.md - - name: Deploy Windows 10 in a school district - href: deploy-windows-10-in-a-school-district.md - - name: Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode - href: s-mode-switch-to-edu.md - - name: Change to Windows 10 Pro Education from Windows 10 Pro - href: change-to-pro-education.md - - name: Upgrade Windows Home to Windows Education on student-owned devices - href: change-home-to-edu.md - - name: Chromebook migration guide - href: chromebook-migration-guide.md +- name: Reference + items: + - name: Set up School PCs + items: + - name: Set up School PCs app technical reference + href: set-up-school-pcs-technical.md + - name: Provisioning package settings + href: set-up-school-pcs-provisioning-package.md + - name: What's new in Set up School PCs + href: set-up-school-pcs-whats-new.md + - name: Take a Test 
app technical reference + href: take-a-test-app-technical.md - name: Change history for Windows 10 for Education href: change-history-edu.md + diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index 9a1acea7a1..2b3d262830 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -17,7 +17,7 @@ appliesto: --- # Change history for Windows 10 for Education -This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation. +This topic lists new and updated topics in the [Windows 10 for Education](index.yml) documentation. ## May 2019 diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index b7d6452223..6893cd17a9 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -1,12 +1,8 @@ --- title: Chromebook migration guide (Windows 10) description: In this guide, you'll learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. -ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA -keywords: migrate, automate, device, Chromebook migration -ms.prod: windows -ms.mktglfcycl: plan -ms.sitesec: library -ms.pagetype: edu, devices +ms.prod: windows-client +ms.technology: itpro-edu ms.localizationpriority: medium ms.collection: education author: paolomatarazzo 
@@ -142,7 +138,7 @@ Table 3. Settings in the Security node in the Google Admin Console |Set up single sign-on (SSO)|This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you don’t need to migrate any settings in this section, you probably will want to configure Azure Active Directory synchronization to replace Google-based SSO.| |Advanced settings|This section is used to configure administrative access to user data and to configure the Google Secure Data Connector (which allows Google Apps to access data on your local network). You don’t need to migrate any settings in this section.| -**Identify locally-configured settings to migrate** +**Identify locally configured settings to migrate** In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you'll migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2). 
@@ -150,7 +146,7 @@ In addition to the settings configured in the Google Admin Console, users may ha Figure 2. Locally configured settings on Chromebook -Table 4. Locally-configured settings +Table 4. Locally configured settings | Section | Settings | |------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| 
@@ -206,7 +202,7 @@ In addition to Chromebook devices, users may have companion devices (smartphones After you've identified each companion device, verify the settings for the device that are used to access Office 365. You only need to test one type of each companion device. For example, if users use Android phones to access Google Apps Gmail mailboxes, configure the device to access Office 365 and then record those settings. You can publish those settings on a website or to your helpdesk staff so that users will know how to access their Office 365 mailbox. -In most instances, users will only need to provide in their Office 365 email account and password. However, you should verify these credentials on each type of companion device. For more information about how to configure a companion device to work with Office 365, see [Compare how different mobile devices work with Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690254). +In most instances, users will only need to provide in their Office 365 email account and password. However, you should verify these credentials on each type of companion device. For more information about how to configure a companion device to work with Office 365, see [Compare how different mobile devices work with Office 365](https://support.microsoft.com/office/compare-how-different-mobile-devices-work-with-office-365-bdd06229-776a-4824-947c-82425d72597b). **Identify the optimal timing for the migration** 
@@ -416,11 +412,11 @@ Examine each of the following network infrastructure technologies and services a For more information that compares Internet bandwidth consumption for Chromebook and Windows devices, see the following resources: - - [Chromebook vs. Windows Notebook Network Traffic Analysis](https://go.microsoft.com/fwlink/p/?LinkId=690255) + - [Chromebook vs. Windows Notebook Network Traffic Analysis](https://www.principledtechnologies.com/Microsoft/Chromebook_PC_network_traffic_0613.pdf) - - [Hidden Cost of Chromebook Deployments](https://go.microsoft.com/fwlink/p/?LinkId=690256) + - [Hidden Cost of Chromebook Deployments](https://www.principledtechnologies.com/Microsoft/Windows_Chromebook_bandwidth_0514.pdf) - - [Microsoft Windows 8.1 Notebook vs. Chromebooks for Education](https://go.microsoft.com/fwlink/p/?LinkId=690257) + - [Microsoft Windows 8.1 Notebook vs. Chromebooks for Education](https://www.principledtechnologies.com/Microsoft/Windows_8.1_vs_Chromebooks_in_Education_0715.pdf) - **Power.** Although not specifically a network infrastructure, you need to ensure your classrooms have adequate power. Chromebook and Windows devices should consume similar amounts of power. This condition means that your existing power outlets should support the same number of Windows devices. 
@@ -442,15 +438,11 @@ You must perform some of the steps in this section in a specific sequence. Each The first migration task is to perform any network infrastructure remediation. In the [Plan network infrastructure remediation](#plan-network-infra-remediation) section, you determined the network infrastructure remediation (if any) that you needed to perform. -It's important that you perform any network infrastructure remediation first because the remaining migration steps are dependent on the network infrastructure. Table 7 lists the Microsoft network infrastructure products and technologies and deployment resources for each. +It's important that you perform any network infrastructure remediation first because the remaining migration steps are dependent on the network infrastructure. Use the following Microsoft network infrastructure products and technologies: -Table 7. Network infrastructure products and technologies and deployment resources - -|Product or technology|Resources| -|--- |--- | -|DHCP|
  • [Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11))
  • [DHCP Deployment Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd283051(v=ws.10))| -|DNS|
  • [Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11))
  • [Deploying Domain Name System (DNS)](/previous-versions/windows/it-pro/windows-server-2003/cc780661(v=ws.10))| - +- [Core network guidance for Windows Server](/windows-server/networking/core-network-guide/core-network-guide-windows-server) +- [DHCP overview](/windows-server/networking/technologies/dhcp/dhcp-top) +- [DNS overview](/windows-server/networking/dns/dns-top) If you use network infrastructure products and technologies from other vendors, refer to the vendor documentation on how to perform the necessary remediation. If you determined that no remediation is necessary, you can skip this section. @@ -459,34 +451,39 @@ If you use network infrastructure products and technologies from other vendors, It's important that you perform AD DS and Azure AD services deployment or remediation right after you finish network infrastructure remediation. Many of the remaining migration steps are dependent on you having your identity system (AD DS or Azure AD) in place and up to necessary expectations. -In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Table 8 list AD DS, Azure AD, and the deployment resources for both. Use the resources in this table to deploy or remediate on-premises AD DS, Azure AD, or both. +In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Use the following resources to deploy or remediate on-premises AD DS, Azure AD, or both: -Table 8. AD DS, Azure AD and deployment resources - -|Product or technology|Resources| -|--- |--- | -|AD DS|
  • [Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11))
  • [Active Directory Domain Services Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831484(v=ws.11))| -|Azure AD|
  • [Azure Active Directory documentation](/azure/active-directory/)
  • [Manage and support Azure Active Directory Premium](https://go.microsoft.com/fwlink/p/?LinkId=690259)
  • [Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100)| +- [Core network guidance for Windows Server](/windows-server/networking/core-network-guide/core-network-guide-windows-server) +- [AD DS overview](/windows-server/identity/ad-ds/active-directory-domain-services) +- [Azure AD documentation](/azure/active-directory/) +- [Azure AD Premium](https://azure.microsoft.com/pricing/details/active-directory/) +- [Safely virtualizing Active Directory Domain Services (AD DS)](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100)| If you decided not to migrate to AD DS or Azure AD as a part of the migration, or if you determined that no remediation is necessary, you can skip this section. If you use identity products and technologies from another vendor, refer to the vendor documentation on how to perform the necessary steps. ## Prepare device, user, and app management systems - In the [Plan device, user, and app management](#plan-userdevapp-manage) section of this guide, you selected the products and technologies that you'll use to manage devices, users, and apps on Windows devices. You need to prepare your management systems prior to Windows 10 device deployment. You'll use these management systems to manage the user and device settings that you selected to migrate in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section. You need to prepare these systems prior to the migration of user and device settings. -Table 9 lists the Microsoft management systems and the deployment resources for each. Use the resources in this table to prepare (deploy or remediate) these management systems. +Use the following Microsoft management systems and the deployment resources to prepare (deploy or remediate) these management systems. -Table 9. 
Management systems and deployment resources +- [Microsoft Intune](/mem/intune/fundamentals/setup-steps) -|Management system|Resources| -|--- |--- | -|Windows provisioning packages|
  • [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
  • [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)
  • [Step-By-Step: Building Windows 10 Provisioning Packages](/archive/blogs/canitpro/step-by-step-building-windows-10-provisioning-packages)| -|Group Policy|
  • [Core Network Companion Guide: Group Policy Deployment](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj899807(v=ws.11))
  • [Deploying Group Policy](/previous-versions/windows/it-pro/windows-server-2003/cc737330(v=ws.10))"| -|Configuration Manager|
  • [Site Administration for Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg681983(v=technet.10))
  • [Deploying Clients for Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699391(v=technet.10))| -|Intune|
  • [Set up and manage devices with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=690262)
  • [System Center 2012 R2 Configuration Manager & Windows Intune](/learn/?l=fCzIjVKy_6404984382)| -|MDT|
  • [Step-By-Step: Installing Windows 8.1 From A USB Key](/archive/blogs/canitpro/step-by-step-installing-windows-8-1-from-a-usb-key)| +- [Windows Autopilot](/mem/autopilot/windows-autopilot) +- Microsoft Endpoint Configuration Manager [core infrastructure documentation](/mem/configmgr/core/) + +- Provisioning packages: + + - [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package) + - [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) + - [Step-By-Step: Building Windows 10 Provisioning Packages](/archive/blogs/canitpro/step-by-step-building-windows-10-provisioning-packages) + +- Group policy + + - [Core Network Companion Guide: Group Policy Deployment](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj899807(v=ws.11)) + - [Deploying Group Policy](/previous-versions/windows/it-pro/windows-server-2003/cc737330(v=ws.10)) + If you determined that no new management system or no remediation of existing systems is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps. ## Perform app migration or replacement 
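Review bot: The new bullet `- [Safely virtualizing Active Directory Domain Services (AD DS)](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100)|` in the @@ -459,34 +451,39 @@ hunk still ends with the `|` left over from the removed table cell; drop it so the list item renders cleanly. In the same hunk the management-systems list is formatted inconsistently: `- Provisioning packages:` has a colon and blank lines around its nested items while `- Group policy` has neither, and `- Microsoft Endpoint Configuration Manager [core infrastructure documentation](/mem/configmgr/core/)` links only part of the item text unlike the other bullets; give the parent bullets the same punctuation and spacing and link the full product name.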
@@ -494,21 +491,19 @@ If you determined that no new management system or no remediation of existing sy In the [Plan for app migration or replacement](#plan-app-migrate-replace) section, you identified the apps currently in use on Chromebook devices and selected the Windows apps that will replace the Chromebook apps. You also performed app compatibility testing for web apps to ensure that web apps on the Chromebook devices would run on Microsoft Edge and Internet Explorer. -In this step, you need to configure your management system to deploy the apps to the appropriate Windows users and devices. Table 10 lists the Microsoft management systems and the app deployment resources for each. Use the resources in this table to configure these management systems to deploy the apps that you selected in the [Plan for app migration or replacement](#plan-app-migrate-replace) section of this guide. +In this step, you need to configure your management system to deploy the apps to the appropriate Windows users and devices. Use the following Microsoft management systems and the app deployment resources to configure these management systems to deploy the apps that you selected in the [Plan for app migration or replacement](#plan-app-migrate-replace) section of this guide. -Table 10. Management systems and app deployment resources - -|Management system|Resources| -|--- |--- | -|Group Policy|
  • [Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10))
  • [Group Policy Software Deployment Background](/previous-versions/windows/it-pro/windows-server-2003/cc739305(v=ws.10))
  • [Assigning and Publishing Software](/previous-versions/windows/it-pro/windows-server-2003/cc783635(v=ws.10))| -|Configuration Manager|
  • [How to Deploy Applications in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682082(v=technet.10))
  • [Application Management in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699373(v=technet.10))| -|Intune|
  • [Manage apps with Microsoft Intune](/mem/intune/)| +- [Manage apps in Microsoft Intune](/mem/intune/apps/) +- [App management in Configuration Manager](/mem/configmgr/apps/) +- Group policy + - [Edit an AppLocker policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10)) + - [Group policy software deployment background](/previous-versions/windows/it-pro/windows-server-2003/cc739305(v=ws.10)) + - [Assigning and publishing software](/previous-versions/windows/it-pro/windows-server-2003/cc783635(v=ws.10)) If you determined that no deployment of apps is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps. ## Perform migration of user and device settings - In the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, you determined the user and device settings that you want to migrate. You selected settings that are configured in the Google Admin Console and locally on the Chromebook device. Perform the user and device setting migration by using the following steps: @@ -534,7 +529,7 @@ Alternatively, if you want to migrate to Office 365 from: - **On-premises Microsoft Exchange Server.** Use the following resources to migrate to Office 365 from an on-premises Microsoft Exchange Server: - - [Cutover Exchange Migration and Single Sign-On](https://go.microsoft.com/fwlink/p/?LinkId=690266) + - [What you need to know about a cutover email migration in Exchange Online](/exchange/mailbox-migration/what-to-know-about-a-cutover-migration) - [Step-By-Step: Migration of Exchange 2003 Server to Office 365](/archive/blogs/canitpro/step-by-step-migration-of-exchange-2003-server-to-office-365) 
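Review bot: The rewritten sentence in the @@ -494,21 +491,19 @@ hunk, `Use the following Microsoft management systems and the app deployment resources to configure these management systems to deploy the apps ...`, is circular (the management systems are used to configure the management systems); now that the table is gone, `Use the following resources to configure your management system to deploy the apps that you selected in the [Plan for app migration or replacement](#plan-app-migrate-replace) section of this guide.` reads more directly. The nested `- Group policy` list in this hunk also has no blank line between the parent and its children, whereas the same construct in the previous hunk does; keep the two consistent.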
@@ -544,7 +539,6 @@ Alternatively, if you want to migrate to Office 365 from: ## Perform cloud storage migration - In the [Plan for cloud storage migration](#plan-cloud-storage-migration) section, you identified the cloud storage services currently in use, selected the Microsoft cloud storage services that you'll use, and optimized your cloud storage services migration plan. You can perform the cloud storage migration before or after you deploy the Windows devices. Manually migrate the cloud storage migration by using the following steps: @@ -577,7 +571,9 @@ In the [Select a Windows device deployment strategy](#select-windows-device-depl For example, if you selected to deploy Windows devices by each classroom, start with the first classroom and then proceed through all of the classrooms until you’ve deployed all Windows devices. -In some instances, you may receive the devices with Windows 10 already deployed, and want to use provisioning packages. In other cases, you may have a custom Windows 10 image that you want to deploy to the devices by using Configuration Manager and/or MDT. For information on how to deploy Windows 10 images to the devices, see the following resources: +In some instances, you may receive the devices with Windows 10 already deployed, and want to use provisioning packages. In other cases, you may have a custom Windows 10 image that you want to deploy to the devices by using Configuration Manager or MDT. For more information on how to deploy Windows 10 images to the devices, see the following resources: + +- [OS deployment in Configuration Manager](/mem/configmgr/osd/) - [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) 
@@ -585,8 +581,6 @@ In some instances, you may receive the devices with Windows 10 already deployed - [Step-By-Step: Installing Windows 8.1 From A USB Key](/archive/blogs/canitpro/step-by-step-installing-windows-8-1-from-a-usb-key) -- [Operating System Deployment in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682018(v=technet.10)) - In addition to the Windows 10 image deployment, you may need to perform the following tasks as a part of device deployment: - Enroll the device with your management system. @@ -601,10 +595,6 @@ After you complete these steps, your management system should take over the day- ## Related topics - [Try it out: Windows 10 deployment (for education)](../index.yml) [Try it out: Windows 10 in the classroom](../index.yml) - - - diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index d0a8aa44bd..6f72f69d44 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md 
@@ -1278,9 +1278,9 @@ You've now identified the tasks you need to perform monthly, at the end of an ac * [Try it out: Windows 10 in the classroom](../index.yml) * [Chromebook migration guide](./chromebook-migration-guide.md) * [Deploy Windows 10 in a school](./deploy-windows-10-in-a-school.md) -* [Automate common Windows 10 deployment and configuration tasks for a school environment (video)](./index.md) -* [Deploy a custom Windows 10 Start menu layout for a school (video)](./index.md) -* [Manage Windows 10 updates and upgrades in a school environment (video)](./index.md) -* [Reprovision devices at the end of the school year (video)](./index.md) -* [Use MDT to deploy Windows 10 in a school (video)](./index.md) -* [Use Microsoft Store for Business in a school environment (video)](./index.md) +* [Automate common Windows 10 deployment and configuration tasks for a school environment (video)](./index.yml) +* [Deploy a custom Windows 10 Start menu layout for a school (video)](./index.yml) +* [Manage Windows 10 updates and upgrades in a school environment (video)](./index.yml) +* [Reprovision devices at the end of the school year (video)](./index.yml) +* [Use MDT to deploy Windows 10 in a school (video)](./index.yml) +* [Use Microsoft Store for Business in a school environment (video)](./index.yml) diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md index d9d1aff417..ee97678d29 100644 --- a/education/windows/deploy-windows-10-in-a-school.md +++ b/education/windows/deploy-windows-10-in-a-school.md 
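Review bot: The six video links in the @@ -1278,9 +1278,9 @@ hunk are repointed from `./index.md` to `./index.yml`, but `education/windows/index.md` is renamed to `deploy-windows-10-overview.md` elsewhere in this PR, so if the videos lived on the old index page the links should follow the rename (`./deploy-windows-10-overview.md`) or point at the video URLs directly; six differently titled links that all resolve to the same landing page give readers no way to reach a specific video.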
@@ -19,11 +19,6 @@ appliesto: # Deploy Windows 10 in a school - -**Applies to** - -- Windows 10 - This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system. ## Prepare for school deployment diff --git a/education/windows/index.md b/education/windows/deploy-windows-10-overview.md similarity index 100% rename from education/windows/index.md rename to education/windows/deploy-windows-10-overview.md diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md index 4fbe0e9f89..0a06370a11 100644 --- a/education/windows/education-scenarios-store-for-business.md +++ b/education/windows/education-scenarios-store-for-business.md @@ -16,6 +16,8 @@ ms.reviewer: manager: aaroncz appliesto: - ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE --- # Working with Microsoft Store for Education 
@@ -133,18 +135,10 @@ Teachers can: ## Distribute apps -Manage and distribute apps to students and others in your organization. Different options are available for admins and teachers. - -Applies to: IT admins - **To manage and distribute apps** - For info on how to distribute **Minecraft: Education Edition**, see [For IT admins – Minecraft: Education Edition](./school-get-minecraft.md#distribute-minecraft) - For info on how to manage and distribute other apps, see [App inventory management - Microsoft Store for Business](/microsoft-store/app-inventory-management-windows-store-for-business) -Applies to: Teachers - -For info on how to distribute **Minecraft: Education Edition**, see [For teachers – Minecraft: Education Edition](./teacher-get-minecraft.md#distribute-minecraft). - **To assign an app to a student** 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). @@ -177,4 +171,4 @@ You can manage your orders through Microsoft Store for Business. For info on ord It can take up to 24 hours after a purchase, before a receipt is available on your **Order history page**. > [!NOTE] -> For **Minecraft: Education Edition**, you can request a refund through Microsoft Store for Business for two months from the purchase date. After two months, refunds require a support call. \ No newline at end of file +> For **Minecraft: Education Edition**, you can request a refund through Microsoft Store for Business for two months from the purchase date. After two months, refunds require a support call. diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index f03899ae3d..a29c2d277f 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -16,6 +16,8 @@ ms.reviewer: manager: aaroncz appliesto: - ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE --- # Get Minecraft: Education Edition 
@@ -24,23 +26,18 @@ appliesto: -Teachers and IT administrators can now get early access to **Minecraft: Education Edition** and add it their Microsoft Store for Business for distribution. - - +Teachers and IT administrators can now get access to **Minecraft: Education Edition** and add it their Microsoft Admin Center for distribution. ## Prerequisites -- **Minecraft: Education Edition** requires Windows 10. +- For a complete list of Operating Systems supported by **Minecraft: Education Edition**, see [here](https://educommunity.minecraft.net/hc/articles/360047556591-System-Requirements). - Trials or subscriptions of **Minecraft: Education Edition** are offered to education tenants that are managed by Azure Active Directory (Azure AD). - If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft: Education Edition**. - Office 365 Education, which includes online versions of Office apps plus 1 TB online storage. [Sign up your school for Office 365 Education.](https://www.microsoft.com/education/products/office) - If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](/windows/client-management/mdm/register-your-free-azure-active-directory-subscription) - -[Learn how teachers can get and distribute **Minecraft: Education Edition**](teacher-get-minecraft.md) - -[Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft. \ No newline at end of file +[Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft. 
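Review bot: The rewritten line `+Teachers and IT administrators can now get access to **Minecraft: Education Edition** and add it their Microsoft Admin Center for distribution.` in the @@ -24,23 +26,18 @@ hunk is missing a word (`add it to their`); since the line is being edited anyway, fix it here. In the same hunk, `see [here](https://educommunity.minecraft.net/hc/articles/360047556591-System-Requirements)` uses `here` as link text and capitalizes `Operating Systems`; `For a complete list of operating systems supported by **Minecraft: Education Edition**, see [System Requirements](...)` is clearer for readers and screen readers.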
diff --git a/education/windows/images/windows-11-se.png b/education/windows/images/windows-11-se.png new file mode 100644 index 0000000000..48446caa20 Binary files /dev/null and b/education/windows/images/windows-11-se.png differ diff --git a/education/windows/index.yml b/education/windows/index.yml new file mode 100644 index 0000000000..510c5c520f --- /dev/null +++ b/education/windows/index.yml 
@@ -0,0 +1,85 @@ +### YamlMime:Landing + +title: Windows for Education documentation +summary: Evaluate, plan, deploy, and manage Windows devices in an education environment + +metadata: + title: Windows for Education documentation + description: Learn about how to plan, deploy and manage Windows devices in an education environment with Microsoft Intune + ms.topic: landing-page + ms.prod: windows + ms.collection: education + author: paolomatarazzo + ms.author: paoloma + ms.date: 08/10/2022 + ms.reviewer: + manager: aaroncz + ms.localizationpriority: medium + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + +landingContent: + + - title: Get started + linkLists: + - linkListType: tutorial + links: + - text: Deploy and manage Windows devices in a school + url: tutorial-school-deployment/index.md + - text: Prepare your tenant + url: tutorial-school-deployment/set-up-azure-ad.md + - text: Configure settings and applications with Microsoft Intune + url: tutorial-school-deployment/configure-devices-overview.md + - text: Manage devices with Microsoft Intune + url: tutorial-school-deployment/manage-overview.md + - text: Management functionalities for Surface devices + url: tutorial-school-deployment/manage-surface-devices.md + + + - title: Learn about Windows 11 SE + linkLists: + - linkListType: concept + links: + - text: What is Windows 11 SE? + url: windows-11-se-overview.md + - text: Windows 11 SE settings + url: windows-11-se-settings-list.md + - linkListType: video + links: + - text: Deploy Windows 11 SE using Set up School PCs + url: https://www.youtube.com/watch?v=Ql2fbiOop7c + + + - title: Deploy devices with Set up School PCs + linkLists: + - linkListType: concept + links: + - text: What is Set up School PCs? 
+ url: set-up-school-pcs-technical.md + - linkListType: how-to-guide + links: + - text: Use the Set up School PCs app + url: use-set-up-school-pcs-app.md + - linkListType: reference + links: + - text: Provisioning package settings + url: set-up-school-pcs-provisioning-package.md + - linkListType: video + links: + - text: Use the Set up School PCs App + url: https://www.youtube.com/watch?v=2ZLup_-PhkA + + + - title: Configure devices + linkLists: + - linkListType: concept + links: + - text: Take tests and assessments + url: take-tests-in-windows-10.md + - text: Change Windows editions + url: change-home-to-edu.md + - text: "Deploy Minecraft: Education Edition" + url: get-minecraft-for-education.md \ No newline at end of file diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index d209181213..8ed1fbf9e7 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md 
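Review bot: The new `index.yml` in the @@ -0,0 +1,85 @@ hunk ends with `\ No newline at end of file`, while other hunks in this PR add the missing trailing newline to existing files; add one here too. Two smaller points in the same hunk: `ms.reviewer:` is left with an empty value, and the `description:` (`plan, deploy and manage`) uses different list punctuation from the `summary:` (`Evaluate, plan, deploy, and manage`); keep the two consistent.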
@@ -53,16 +53,16 @@ If you’ve been approved and are part of the Enrollment for Education Solutions 1. Go to [https://education.minecraft.net/](https://education.minecraft.net/) and select **How to Buy** in the top navigation bar. 2. Scroll down and select **Buy Now** under Direct Purchase. - -3. This will route you to the purchase page in the Microsoft Admin center. You will need to log in to your Administrator account. -4. If necessary, fill in any requested organization or payment information +3. This will route you to the purchase page in the Microsoft Admin center. You will need to log in to your Administrator account. -5. Select the quantity of licenses you would like to purchase and select **Place Order**. +4. If necessary, fill in any requested organization or payment information. -6. After you’ve purchased licenses, you’ll need to [assign them to users in the Admin Center](https://docs.microsoft.com/microsoft-365/admin/manage/assign-licenses-to-users) +5. Select the quantity of licenses you would like to purchase and select **Place Order**. -If you need additional licenses for **Minecraft: Education Edition**, see [Buy or remove subscription licenses](https://docs.microsoft.com/microsoft-365/commerce/licenses/buy-licenses). +6. After you’ve purchased licenses, you’ll need to [assign them to users in the Admin Center](/microsoft-365/admin/manage/assign-licenses-to-users). + +If you need additional licenses for **Minecraft: Education Edition**, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses). ### Minecraft: Education Edition - volume licensing 
@@ -96,14 +96,16 @@ Invoices are now a supported payment method for Minecraft: Education Edition. Th ![Invoice Details page showing items that need to be completed for an invoice. PO number is highlighted.](images/mcee-invoice-info.png) -For more info on invoices and how to pay by invoice, see [How to pay for your subscription](https://docs.microsoft.com/microsoft-365/commerce/billing-and-payments/pay-for-your-subscription?). +For more info on invoices and how to pay by invoice, see [How to pay for your subscription](/microsoft-365/commerce/billing-and-payments/pay-for-your-subscription?). ## Distribute Minecraft -After Minecraft: Education Edition is added to your Microsoft Admin Center inventory, you can [assign these licenses to your users](https://docs.microsoft.com/microsoft-365/admin/manage/assign-licenses-to-users) or [download the app](https://aka.ms/downloadmee). +After Minecraft: Education Edition is added to your Microsoft Admin Center inventory, you can [assign these licenses to your users](/microsoft-365/admin/manage/assign-licenses-to-users) or [download the app](https://aka.ms/downloadmee). ## Learn more -[About Intune Admin roles in the Microsoft 365 admin center](https://docs.microsoft.com/microsoft-365/business-premium/m365bp-intune-admin-roles-in-the-mac) + +[About Intune Admin roles in the Microsoft 365 admin center](/microsoft-365/business-premium/m365bp-intune-admin-roles-in-the-mac) ## Related topics + [Get Minecraft: Education Edition](get-minecraft-for-education.md) diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index e6daee3daa..e2858efc79 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -15,6 +15,8 @@ ms.reviewer: manager: aaroncz appliesto: - ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE --- # Set up Take a Test on multiple PCs 
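Review bot: The rewritten link in the @@ -96,14 +96,16 @@ hunk, `[How to pay for your subscription](/microsoft-365/commerce/billing-and-payments/pay-for-your-subscription?)`, carries over a stray `?` at the end of the path from the old absolute URL; drop it while the line is being changed. The `Microsoft Admin Center` spelling in this hunk also differs from `Microsoft Admin center` in step 3 of the @@ -53,16 +53,16 @@ hunk above; pick one.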
@@ -114,8 +116,6 @@ You can configure a dedicated testing account through MDM or Configuration Manag - **Custom OMA-DM URI** = ./Vendor/MSFT/SecureAssessment/LaunchURI - **String value** = *assessment URL* - See [Assessment URLs](#assessment-urls) for more information. - 4. Create a policy that associates the assessment URL to the account using the following values: - **Custom OMA-DM URI** = ./Vendor/MSFT/SecureAssessment/TesterAccount @@ -263,16 +263,10 @@ You can also distribute the test link by creating a shortcut. To create the shor Once the shortcut is created, you can copy it and distribute it to students. - -## Assessment URLs -This assessment URL uses our lockdown API: -- SBAC/AIR: [https://mobile.tds.airast.org/launchpad/](https://mobile.tds.airast.org/launchpad/). - - ## Related topics -[Take tests in Windows 10](take-tests-in-windows-10.md) +[Take tests in Windows](take-tests-in-windows-10.md) [Set up Take a Test on a single PC](take-a-test-single-pc.md) -[Take a Test app technical reference](take-a-test-app-technical.md) \ No newline at end of file +[Take a Test app technical reference](take-a-test-app-technical.md) diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index 2dcc9c525c..2cf14b3079 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md @@ -15,6 +15,8 @@ ms.reviewer: manager: aaroncz appliesto: - ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE --- # Set up Take a Test on a single PC 
@@ -23,7 +25,7 @@ To configure [Take a Test](take-tests-in-windows-10.md) on a single PC, follow t ## Set up a dedicated test account To configure the assessment URL and a dedicated testing account on a single PC, follow these steps. -1. Sign into the Windows 10 device with an administrator account. +1. Sign into the Windows device with an administrator account. 2. Open the **Settings** app and go to **Accounts > Access work or school**. 3. Click **Set up an account for taking tests**. @@ -127,7 +129,7 @@ Once the shortcut is created, you can copy it and distribute it to students. ## Related topics -[Take tests in Windows 10](take-tests-in-windows-10.md) +[Take tests in Windows](take-tests-in-windows-10.md) [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index e0e44e51c8..64dc362a33 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md @@ -1,5 +1,5 @@ --- -title: Take tests in Windows 10 +title: Take tests in Windows description: Learn how to set up and use the Take a Test app. keywords: take a test, test taking, school, how to, use Take a Test ms.prod: windows 
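Review bot: `+1. Sign into the Windows device with an administrator account.` in the @@ -23,7 +25,7 @@ hunk changes only `Windows 10` to `Windows`; since the line is being rewritten, also change `Sign into` to `Sign in to` (the verb is `sign in`).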
@@ -15,11 +15,13 @@ ms.reviewer: manager: aaroncz appliesto: - ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE --- -# Take tests in Windows 10 +# Take tests in Windows -Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10 creates the right environment for taking a test: +Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows creates the right environment for taking a test: - Take a Test shows just the test and nothing else. - Take a Test clears the clipboard. @@ -46,7 +48,7 @@ There are several ways to configure devices for assessments, depending on your u - **For a single PC** - You can use the Windows 10 **Settings** application. For more info, see [Set up Take a Test on a single PC](take-a-test-single-pc.md). + You can use the Windows **Settings** application. For more info, see [Set up Take a Test on a single PC](take-a-test-single-pc.md). - **For multiple PCs** @@ -55,7 +57,7 @@ There are several ways to configure devices for assessments, depending on your u - A provisioning package created in Windows Configuration Designer - Group Policy to deploy a scheduled task that runs a Powershell script - Beginning with Windows 10 Creators Update (version 1703), you can also configure Take a Test using these options: + You can also configure Take a Test using these options: - Set up School PCs app - Intune for Education diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index 9436f4e605..47f90a01c2 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md 
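Review bot: The context line `- Group Policy to deploy a scheduled task that runs a Powershell script` in the @@ -55,7 +57,7 @@ hunk misspells `PowerShell`; worth fixing in the same pass, since the hunk already edits the adjacent line.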
@@ -16,160 +16,34 @@ ms.reviewer: manager: aaroncz appliesto: - ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE --- # For teachers - get Minecraft: Education Edition -The following article describes how teachers can get and distribute Minecraft: Education Edition. -Minecraft: Education Edition is available for anyone to trial, and subscriptions can be purchased by qualified educational institutions directly in the Microsoft Store for Education, via volume licensing agreements and through partner resellers. +The following article describes how teachers can get and distribute Minecraft: Education Edition at their school. Minecraft: Education Edition is available for anyone to trial, and subscriptions can be purchased by qualified educational institutions directly in the [Microsoft Admin Center by IT Admins](/education/windows/school-get-minecraft), via volume licensing agreements and through partner resellers. -To get started, go to https://education.minecraft.net/ and select **GET STARTED**. ## Try Minecraft: Education Edition for Free Minecraft: Education Edition is available for anyone to try for free! The free trial is fully functional but limited by the number of logins (25 for teachers and 10 for students) before a paid license will be required to continue playing. -To learn more and get started, go to https://education.minecraft.net/ and select **GET STARTED**. +To learn more and get started, [download the Minecraft: Education Edition app here.](https://aka.ms/download) ## Purchase Minecraft: Education Edition for Teachers and Students -Minecraft: Education Edition is licensed via yearly subscriptions that are purchased through the Microsoft Store for Education, via volume licensing agreements and through partner resellers. 
+As a teacher, you will need to have your IT Admin purchase licenses for you and your students directly through the Microsoft Admin Center, or you may already have access to licenses at your school (through a volume license agreement) if you have an Office 365 subscription. ->[!Note] ->M:EE is available on many platforms, but all license purchases can only be done through one of the three methods listed above. +M:EE is included in many volume license agreements, however, only the administrators at your school will be able to assign and manage those licenses. If you have an Office 365 account, check with your school administration or IT administrator prior to purchasing M:EE directly. -As a teacher, you may purchase subscription licenses for you and your students directly through the Microsoft Store for Education, or you may already have access to licenses at your school (through a volume license agreement) if you have an Office 365 account. - ->[!Note] ->If you already have Office 365, you may already have Minecraft: Education Edition licenses for your school! M:EE is included in many volume license agreements, however, only the administrators at your school will be able to assign and manage those licenses. If you have an Office 365 account, check with your school administration or IT administrator prior to purchasing M:EE directly. - -You can purchase individual Minecraft: Education Edition subscriptions for you and other teachers and students directly in the Microsoft Store for Education. - -To purchase individual Minecraft: Education Edition subscriptions (that is, direct purchase): - -1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your Office 365 account. -2. Click on [Minecraft: Education Edition](https://educationstore.microsoft.com/en-us/store/details/minecraft-education-edition/9nblggh4r2r6) (or use Search the Store to find it) -3. 
Click **Buy** - ->[!Note] ->Administrators can restrict the ability for teachers to purchase applications in the Microsoft Store for Education. If you do not have the ability to Buy, contact your school administration or IT administrator. - - -## Distribute Minecraft - -After Minecraft: Education Edition licenses have been purchased, either directly, through a volume license agreement or through a partner reseller, those licenses will be added to your Microsoft Store for Education. From there you have three options: - -- You can install the app on your PC. -- You can assign the app to others. -- You can download the app to distribute. - - - -### Install for me -You can install the app on your PC. This gives you a chance to work with the app before using it with your students. - -1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**, and then click **Install**. - - - -3. Click **Install**. - -### Assign to others -Enter email addresses for your students, and each student will get an email with a link to install the app. This option is best for older, more tech-savvy students who will always use the same PC at school. - -**To assign to others** -1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**. - - - -3. Click **Invite people**. - -4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**. - - ![Assign to people showing student name.](images/minecraft-assign-to-people-name.png) - - You can assign the app to students with work or school accounts.
    - If you don't find the student, you can still assign the app to them if self-service sign up is supported for your domain. Students will receive an email with a link to Microsoft 365 admin center where they can create an account, and then install **Minecraft: Education Edition**. Questions about self-service sign up? Check with your admin. - - -**To finish Minecraft install (for students)** - -Students will receive an email with a link that will install the app on their PC. - -![Email with Get the app link.](images/minecraft-student-install-email.png) - -1. Click **Get the app** to start the app install in Microsoft Store app. -2. In Microsoft Store app, click **Install**. - - ![Microsoft Store app with Minecraft page.](images/minecraft-in-windows-store-app.png) - - After installing the app, students can find Minecraft: Education Edition in Microsoft Store app under **My Library**. - - ![Microsoft Store app directing the navigation to My Library.](images/minecraft-private-store.png) - - When students click **My Library** they'll find apps assigned to them. - - ![My Library for example student.](images/minecraft-my-library.png) - -### Download for others -Download for others allows teachers or IT admins to download packages that they can install on student PCs. This option will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when: -- You have administrative permissions to install apps on the PC. -- You want to install this app on each of your student's Windows 10 (at least version 1511) PCs. -- Your students share Windows 10 computers, but sign in with their own Windows account. - -#### Requirements -- Administrative permissions are required on the PC. If you don't have the correct permissions, you won't be able to install the app. 
-- Windows 10 (at least version 1511) is required for PCs running Minecraft: Education Edition. - -#### Check for updates -Minecraft: Education Edition won't install if there are updates pending for other apps on the PC. Before installing Minecraft, check to see if there are pending updates for Microsoft Store apps. - -**To check for app updates** -1. Start Microsoft Store app on the PC (click **Start**, and type **Store**). -2. Click the account button, and then click **Downloads and updates**. - - ![Microsoft Store app displaying the navigation to the My Library option.](images/minecraft-private-store.png) - -3. Click **Check for updates**, and install all available updates. - - ![Microsoft Store app directing the navigation to the My Library submenu item.](images/mc-check-for-updates.png) - -4. Restart the computer before installing Minecraft: Education Edition. - -#### To download for others -You'll download a .zip file, extract the files, and then use one of the files to install Minecraft: Education Edition on each PC. - -1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**. - - ![Microsoft Store app depicting the navigation path to the My Library option.](images/mc-dnld-others-teacher.png) - -2. **Extract files**. Find the .zip file that you downloaded and extract the files. This downloaded location is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**. -3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC. -4. **Install app**. Use the USB drive to copy the Minecraft folder to each Windows 10 PC where you want to install Minecraft: Education Edition. 
Open Minecraft: Education Edition folder, right-click **InstallMinecraftEducationEdition.bat** and click **Run as administrator**. -5. **Quick check**. The install program checks the PC to make sure it can run Minecraft: Education Edition. If your PC passes this test, the app will automatically install. -6. **Restart**. Once installation is complete, restart each PC. Minecraft: Education Edition app is now ready for any student to use. #### Troubleshoot -If you ran **InstallMinecraftEducationEdition.bat** and Minecraft: Education Edition isn't available, there are a few things that might have happened. - -| Problem | Possible cause | Solution | -|---------|----------------|----------| -| Script ran, but it doesn't look like the app installed. | There might be pending app updates. | Check for app updates (see steps earlier in this topic).
    Install updates.
    Restart PC.
    Run **InstallMinecraftEducationEdition.bat** again. | -| App won't install. | AppLocker is configured and preventing app installs. | Contact IT Admin. | -| App won't install. | Policy prevents users from installing apps on the PC. | Contact IT Admin. | -| Script starts, but stops quickly. | Policy prevents scripts from running on the PC. | Contact IT Admin. | -| App isn't available for other users. | No restart after install. If you don't restart the PC, and just switch users the app won't be available.| Restart PC.
    Run **InstallMinecraftEducationEdition.bat** again.
    If a restart doesn't work, contact your IT Admin. | - - -If you're still having trouble installing the app, you can get more help on our [Support page](https://go.microsoft.com/fwlink/?LinkID=799757). +If you're having trouble installing the app, you can get more help on our [Support page](https://aka.ms/minecraftedusupport). ## Related topics -[Working with Microsoft Store for Education](education-scenarios-store-for-business.md)
    -Learn about overall Microsoft Store for Business management: manage settings, shop for apps, distribute apps, manage inventory, and manage order history. [Get Minecraft: Education Edition](get-minecraft-for-education.md) [For IT admins: get Minecraft: Education Edition](school-get-minecraft.md) diff --git a/education/windows/tutorial-school-deployment/configure-device-apps.md b/education/windows/tutorial-school-deployment/configure-device-apps.md new file mode 100644 index 0000000000..ab88e770c4 --- /dev/null +++ b/education/windows/tutorial-school-deployment/configure-device-apps.md 
@@ -0,0 +1,99 @@ +--- +title: Configure applications with Microsoft Intune +description: Configure applications with Microsoft Intune in preparation to device deployment +ms.date: 08/31/2022 +ms.prod: windows +ms.technology: windows +ms.topic: tutorial +ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +#ms.reviewer: +manager: aaroncz +ms.collection: education +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE +--- + +# Configure applications with Microsoft Intune + +With Intune for Education, school IT administrators have access to diverse applications to help students unlock their learning potential. This section discusses tools and resources for adding apps to Intune for Education. + +Applications can be assigned to groups: + +- If you target apps to a **group of users**, the apps will be installed on any managed devices that the users sign into +- If you target apps to a **group of devices**, the apps will be installed on those devices and available to any user who signs in + +In this section you will: +> [!div class="checklist"] +> * Add apps to Intune for Education +> * Assign apps to groups +> * Review some considerations for Windows 11 SE devices + +## Add apps to Intune for Education + +Intune for Education supports the deployment of two types of Windows applications: **web apps** and **desktop apps**. + +:::image type="content" source="./images/intune-education-apps.png" alt-text="Intune for Education - Apps" lightbox="./images/intune-education-apps.png" border="true"::: + +### Desktop apps + +The addition of desktop applications to Intune should be carried out by repackaging the apps, and defining the commands to silently install them. The process is described in the article [Add, assign, and monitor a Win32 app in Microsoft Intune][MEM-1]. + +### Web apps + +To create web applications in Intune for Education: + +1. Sign in to the Intune for Education portal +1. Select **Apps** +1. 
Select **New app** > **New web app** +1. Provide a URL for the web app, a name and, optionally, an icon and description +1. Select **Save** + +For more information, see [Add web apps][INT-2]. + +## Assign apps to groups + +To assign applications to a group of users or devices: + +1. Sign in to the Intune for Education portal +1. Select **Groups** > Pick a group to manage +1. Select **Apps** +1. Select either **Web apps** or **Windows apps** +1. Select the apps you want to assign to the group > Save + +## Considerations for Windows 11 SE + +Windows 11 SE supports all web applications and a *curated list* of desktop applications. +You can prepare and add a desktop app to Microsoft Intune as a Win32 app from the [approved app list][EDU-1]. + +The process to add Win32 applications to Intune is described in the article [Add, assign, and monitor a Win32 app in Microsoft Intune][MEM-1]. + +> [!NOTE] +> If the applications you need aren't included in the list, anyone in your school district can submit an application request at Microsoft Education Support. + +> [!CAUTION] +> If you assign an app to a device running **Windows 11 SE** and receive the **0x87D300D9** error code with a **Failed** state: +> - Be sure the app is on the [approved app list][EDU-1] +> - If you submitted a request to add your own app and it was approved, check that the app meets package requirements +> - If the app is not approved, it will not run on Windows 11 SE. In this case, you will have to verify if the app can run in a web browser, such as a web app or PWA + +________________________________________________________ + +## Next steps + +With the applications configured, you can now deploy students' and teachers' devices. 
+ +> [!div class="nextstepaction"] +> [Next: Deploy devices >](enroll-overview.md) + + + +[EDU-1]: /education/windows/windows-11-se-overview + +[MEM-1]: /mem/intune/apps/apps-win32-add + +[INT-1]: /intune-education/express-configuration-intune-edu +[INT-2]: /intune-education/add-web-apps-edu \ No newline at end of file diff --git a/education/windows/tutorial-school-deployment/configure-device-settings.md b/education/windows/tutorial-school-deployment/configure-device-settings.md new file mode 100644 index 0000000000..333618e34c --- /dev/null +++ b/education/windows/tutorial-school-deployment/configure-device-settings.md 
@@ -0,0 +1,142 @@ +--- +title: Configure and secure devices with Microsoft Intune +description: Configure policies with Microsoft Intune in preparation to device deployment +ms.date: 08/31/2022 +ms.prod: windows +ms.technology: windows +ms.topic: tutorial +ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +#ms.reviewer: +manager: aaroncz +ms.collection: education +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE +--- + +# Configure and secure devices with Microsoft Intune + +With Intune for Education, you can configure settings for devices in the school, to ensure that they comply with specific policies. +For example, you may need to secure your devices, ensuring that they are kept up to date. Or you may need to configure all the devices with the same look and feel. + +Settings can be assigned to groups: + +- If you target settings to a **group of users**, those settings will apply, regardless of what managed devices the targeted users sign in to +- If you target settings to a **group of devices**, those settings will apply regardless of who is using the devices + +There are two ways to manage settings in Intune for Education: + +- **Express Configuration.** This option is used to configure a selection of settings that are commonly used in school environments +- **Group settings.** This option is used to configure all settings that are offered by Intune for Education + +> [!NOTE] +> Express Configuration is ideal when you are getting started. Settings are pre-configured to Microsoft-recommended values, but can be changed to fit your school's needs. It is recommended to use Express Configuration to initially set up your Windows devices. 
+ +In this section you will: +> [!div class="checklist"] +> * Configure settings with Express Configuration +> * Configure group settings +> * Create Windows Update policies +> * Configure security policies + +## Configure settings with Express Configuration + +With Express Configuration, you can get Intune for Education up and running in just a few steps. You can select a group of devices or users, select applications to distribute, and choose settings from the most commonly used in schools. + +> [!TIP] +> To learn more, and practice step-by-step Express Configuration in Intune for Education, try this interactive demo. + +## Configure group settings + +Groups are used to manage users and devices with similar management needs, allowing you to apply changes to many devices or users at once. To review the available group settings: + +1. Sign in to the Intune for Education portal +1. Select **Groups** > Pick a group to manage +1. Select **Windows device settings** +1. Expand the different categories and review information about individual settings + +Settings that are commonly configured for student devices include: + +- Wallpaper and lock screen background. See: [Lock screen and desktop][INT-7] +- Wi-Fi connections. See: [Add Wi-Fi profiles][INT-8] +- Enablement of the integrated testing and assessment solution *Take a test*. See: [Add Take a Test profile][INT-9] + +For more information, see [Windows device settings in Intune for Education][INT-3]. + +## Create Windows Update policies + +It is important to keep Windows devices up to date with the latest security updates. You can create Windows Update policies using Intune for Education. + +To create a Windows Update policy: + +1. Select **Groups** > Pick a group to manage +1. Select **Windows device settings** +1. Expand the category **Update and upgrade** +1. Configure the required settings as needed + +For more information, see [Updates and upgrade][INT-6]. 
+ +> [!NOTE] +> If you require a more complex Windows Update policy, you can create it in Microsoft Endpoint Manager. For more information: +> - [What is Windows Update for Business?][WIN-1] +> - [Manage Windows software updates in Intune][MEM-1] + +## Configure security policies + +It is critical to ensure that the devices you manage are secured using the different security technologies available in Windows. +Intune for Education provides different settings to secure devices. + +To create a security policy: + +1. Select **Groups** > Pick a group to manage +1. Select **Windows device settings** +1. Expand the category **Security** +1. Configure the required settings as needed, including + - Windows Defender + - Windows Encryption + - Windows SmartScreen + +For more information, see [Security][INT-4]. + +> [!NOTE] +> If you require more sophisticated security policies, you can create them in Microsoft Endpoint Manager. For more information: +> - [Antivirus][MEM-2] +> - [Disk encryption][MEM-3] +> - [Firewall][MEM-4] +> - [Endpoint detection and response][MEM-5] +> - [Attack surface reduction][MEM-6] +> - [Account protection][MEM-7] + +________________________________________________________ + +## Next steps + +With the Intune service configured, you can configure policies and applications to deploy to your students' and teachers' devices. 
+ +> [!div class="nextstepaction"] +> [Next: Configure applications >](configure-device-apps.md) + + + +[EDU-1]: /education/windows/windows-11-se-overview + +[INT-2]: /intune-education/express-configuration-intune-edu +[INT-3]: /intune-education/all-edu-settings-windows +[INT-4]: /intune-education/all-edu-settings-windows#security +[INT-6]: /intune-education/all-edu-settings-windows#updates-and-upgrade +[INT-7]: /intune-education/all-edu-settings-windows#lock-screen-and-desktop +[INT-8]: /intune-education/add-wi-fi-profile +[INT-9]: /intune-education/take-a-test-profiles + +[WIN-1]: /windows/deployment/update/waas-manage-updates-wufb + +[MEM-1]: /mem/intune/protect/windows-update-for-business-configure +[MEM-2]: /mem/intune/protect/endpoint-security-antivirus-policy +[MEM-3]: /mem/intune/protect/encrypt-devices +[MEM-4]: /mem/intune/protect/endpoint-security-firewall-policy +[MEM-5]: /mem/intune/protect/endpoint-security-edr-policy +[MEM-6]: /mem/intune/protect/endpoint-security-asr-policy +[MEM-7]: /mem/intune/protect/endpoint-security-account-protection-policy \ No newline at end of file diff --git a/education/windows/tutorial-school-deployment/configure-devices-overview.md b/education/windows/tutorial-school-deployment/configure-devices-overview.md new file mode 100644 index 0000000000..bea37bf92b --- /dev/null +++ b/education/windows/tutorial-school-deployment/configure-devices-overview.md 
@@ -0,0 +1,70 @@ +--- +title: Configure devices with Microsoft Intune +description: Configure policies and applications in preparation to device deployment +ms.date: 08/31/2022 +ms.prod: windows +ms.technology: windows +ms.topic: tutorial +ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +#ms.reviewer: +manager: aaroncz +ms.collection: education +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE +--- + +# Configure settings and applications with Microsoft Intune + +Before distributing devices to your users, you must ensure that the devices will be configured with the required policies, settings, and applications as they get enrolled in Intune. +Microsoft Intune uses Azure AD groups to assign policies and applications to devices. +With Microsoft Intune for Education, you can conveniently create groups and assign policies and applications to them. + +In this section you will: +> [!div class="checklist"] +> * Create groups +> * Create and assign policies to groups +> * Create and assign applications to groups + +## Create groups + +By organizing devices, students, classrooms, or learning curricula into groups, you can provide students with the resources and configurations they need. + +By default, Intune for Education creates two default groups: *All devices* and *All users*. +Two additional groups are pre-created if you use **Microsoft School Data Sync (SDS)**: *All teachers* and *All students*. SDS can also be configured to automatically create and maintain groups of students and teachers for each school. + +:::image type="content" source="./images/intune-education-groups.png" alt-text="Intune for Education - Groups blade" border="true"::: + +Beyond the defaults, groups can be customized to suit various needs. For example, if you have both *Windows 10* and *Windows 11 SE* devices in your school, you can create groups, such as *Windows 10 devices* and *Windows 11 SE devices*, to assign different policies and applications to. 
+ +Two group types can be created: + +- **Assigned groups** are used when you want to manually add users or devices to a group +- **Dynamic groups** reference rules that you create to assign students or devices to groups, which automate the membership's maintenance of those groups + +> [!TIP] +> If you target applications and policies to a *device dynamic group*, they will be applied to the devices as soon as they are enrolled in Intune, before users signs in. This can be useful in bulk enrollment scenarios, where devices are enrolled without requiring users to sign in. Devices can be configured and prepared in advance, before distribution. + +For more information, see: + +- [Create groups in Intune for Education][EDU-1] +- [Manually add or remove users and devices to an existing assigned group][EDU-2] +- [Edit dynamic group rules to accommodate for new devices, locations, or school years][EDU-3] + +________________________________________________________ + +## Next steps + +With the groups created, you can configure policies and applications to deploy to your groups. + +> [!div class="nextstepaction"] +> [Next: Configure policies >](configure-device-settings.md) + + + +[EDU-1]: /intune-education/create-groups +[EDU-2]: /intune-education/edit-groups-intune-for-edu +[EDU-3]: /intune-education/edit-groups-intune-for-edu#edit-dynamic-group-rules \ No newline at end of file diff --git a/education/windows/tutorial-school-deployment/enroll-aadj.md b/education/windows/tutorial-school-deployment/enroll-aadj.md new file mode 100644 index 0000000000..5747c986a4 --- /dev/null +++ b/education/windows/tutorial-school-deployment/enroll-aadj.md 
@@ -0,0 +1,42 @@ +--- +title: Enrollment in Intune with standard out-of-box experience (OOBE) +description: how to join Azure AD for OOBE and automatically get the device enrolled in Intune +ms.date: 08/31/2022 +ms.prod: windows +ms.technology: windows +ms.topic: tutorial +ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +#ms.reviewer: +manager: aaroncz +ms.collection: education +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE +--- +# Automatic Intune enrollment via Azure AD join + +If you're setting up a Windows device individually, you can use the out-of-box experience to join it to your school's Azure Active Directory tenant, and automatically enroll it in Intune. +With this process, no advance preparation is needed: + +1. Follow the on-screen prompts for region selection, keyboard selection, and network connection +1. Wait for updates. If any updates are available, they'll be installed at this time + :::image type="content" source="./images/win11-oobe-updates.png" alt-text="Windows 11 OOBE - updates page" border="true"::: +1. When prompted, select **Set up for work or school** and authenticate using your school's Azure Active Directory account + :::image type="content" source="./images/win11-oobe-auth.png" alt-text="Windows 11 OOBE - authentication page" border="true"::: +1. The device will join Azure AD and automatically enroll in Intune. All settings defined in Intune will be applied to the device + +> [!IMPORTANT] +> If you configured enrollment restrictions in Intune blocking personal Windows devices, this process will not complete. You will need to use a different enrollment method, or ensure that the devices are registered in Autopilot. 
+ +:::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false"::: + +________________________________________________________ +## Next steps + +With the devices joined to Azure AD tenant and managed by Intune, you can use Intune to maintain them and report on their status. + +> [!div class="nextstepaction"] +> [Next: Manage devices >](manage-overview.md) \ No newline at end of file diff --git a/education/windows/tutorial-school-deployment/enroll-autopilot.md b/education/windows/tutorial-school-deployment/enroll-autopilot.md new file mode 100644 index 0000000000..a64a7590e3 --- /dev/null +++ b/education/windows/tutorial-school-deployment/enroll-autopilot.md 
@@ -0,0 +1,160 @@ +--- +title: Enrollment in Intune with Windows Autopilot +description: how to join Azure AD and enroll in Intune using Windows Autopilot +ms.date: 08/31/2022 +ms.prod: windows +ms.technology: windows +ms.topic: tutorial +ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +#ms.reviewer: +manager: aaroncz +ms.collection: education +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE +--- + +# Windows Autopilot + +Windows Autopilot is designed to simplify all parts of Windows devices lifecycle, from initial deployment through end of life. Using cloud-based services, Windows Autopilot can reduce the overall costs for deploying, managing, and retiring devices. + +Traditionally, IT pros spend a significant amount of time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new, simplified approach. Devices don't need to be reimaged, rather they can be deployed with the OEM image, and customized using cloud-based services. + +From the user's perspective, it only takes a few simple operations to make their device ready to use. The only interaction required from the end user is to set their language and regional settings, connect to a network, and verify their credentials. Everything beyond that is automated. + +## Prerequisites + +Before setting up Windows Autopilot, consider these prerequisites: + +- **Software requirements.** Ensure your school and devices meet the [software, networking, licensing, and configuration requirements][WIN-1] for Windows Autopilot +- **Devices ordered and registered.** Ensure your school IT administrator or Microsoft partner has ordered the devices from an original equipment manufacturer (OEM) and registered them for the Autopilot deployment service. 
To connect with a partner, you can use the [Microsoft Partner Center][MSFT-1] and work with them to register your devices +- **Networking requirements.** Ensure students know to connect to the school network during OOBE setup. For more information on managing devices behind firewalls and proxy servers, see [Network endpoints for Microsoft Intune][MEM-1] + +> [!NOTE] +> Where not explicitly specified, both HTTPS (443) and HTTP (80) must be accessible. If you are auto-enrolling your devices into Microsoft Intune or deploying Microsoft Office, follow the networking guidelines for [Microsoft Intune][INT-1] and [Microsoft 365][M365-1]. + +## Register devices to Windows Autopilot + +Before deployment, devices must be registered in the Windows Autopilot service. Each device's unique hardware identity (known as a *hardware hash*) must be uploaded to the Autopilot service. In this way, the Autopilot service can recognize which tenant devices belong to, and which OOBE experience it should present. There are three main ways to register devices to Autopilot: + +- **OEM registration process.** When you purchase devices from an OEM or Reseller, that company can automatically register devices to Windows Autopilot and associate them to your tenant. Before this registration can happen, a *Global Administrator* must grant the OEM/Reseller permissions to register devices. For more information, see [OEM registration][MEM-2] + > [!NOTE] + > For **Microsoft Surface registration**, collect the details shown in this [documentation table][SURF-1] and follow the instruction to submit the request form to Microsoft Support. +- **Cloud Solution Provider (CSP) registration process.** As with OEMs, CSP partners must be granted permission to register devices for a school. For more information, see [Partner registration][MEM-5] + > [!TIP] + > Try the Microsoft Partner Center clickable demo, which provides detailed steps to establish a partner relationship and register devices. 
+- **Manual registration.** To manually register a device, you must first capture its hardware hash. Once this process has been completed, the hardware hash can be uploaded to the Windows Autopilot service using [Microsoft Intune][MEM-6] + > [!IMPORTANT] + > **Windows 11 SE** devices do not support the use of Windows PowerShell or Microsoft Configuration Manager to capture hardware hashes. Hardware hashes can only be captured manually. We recommend working with an OEM, partner, or device reseller to register devices. + +## Create groups for Autopilot devices + +**Windows Autopilot deployment profiles** determine the Autopilot *deployment mode* and define the out-of-box experience of your devices. A device group is required to assign a Windows Autopilot deployment profile to the devices. +For this task, it's recommended to create dynamic device groups using Autopilot attributes. + +Here are the steps for creating a dynamic group for the devices that have an assigned Autopilot group tag: + +1. Sign in to the Intune for Education portal +1. Select **Groups** > **Create group** +1. Specify a **Group name** and select **Dynamic** +1. Under **Rules**, select **I want to manage: Devices** and use the clause **Where: Device group tag starts with**, specifying the required tag value +1. Select **Create group** + :::image type="content" source="./images/intune-education-autopilot-group.png" alt-text="Intune for Education - creation of a dynamic group for Autopilot devices" border="true"::: + +More advanced dynamic membership rules can be created from Microsoft Endpoint Manager admin center. For more information, see [Create an Autopilot device group using Intune][MEM-3]. + +> [!TIP] +> You can use these dynamic groups not only to assign Autopilot profiles, but also to target applications and settings. 
+ +## Create Autopilot deployment profiles + +For Autopilot devices to offer a customized OOBE experience, you must create **Windows Autopilot deployment profiles** and assign them to a group containing the devices. +A deployment profile is a collection of settings that determine the behavior of the device during OOBE. Among other settings, a deployment profile specifies a **deployment mode**, which can either be: +1. **User-driven:** devices with this profile are associated with the user enrolling the device. User credentials are required to complete the Azure AD join process during OOBE +1. **Self-deploying:** devices with this profile aren't associated with the user enrolling the device. User credentials aren't required to complete the Azure AD join process. Rather, the device is joined automatically and, for this reason, specific hardware requirements must be met to use this mode. + +To create an Autopilot deployment profile: + +1. Sign in to the Intune for Education portal +1. Select **Groups** > Select a group from the list +1. Select **Windows device settings** +1. Expand the **Enrolment** category +1. From **Configure Autopilot deployment profile for device** select **User-driven** +1. Ensure that **User account type** is configured as **Standard** +1. Select **Save** + +While Intune for Education offers simple options for Autopilot configurations, more advanced deployment profiles can be created from Microsoft Endpoint Manager admin center. For more information, see [Windows Autopilot deployment profiles][MEM-4]. + +### Configure an Enrollment Status Page + +An Enrollment Status Page (ESP) is a greeting page displayed to users while enrolling or signing in for the first time to Windows devices. The ESP displays provisioning progress, showing applications and profiles installation status. + +:::image type="content" source="./images/win11-oobe-esp.gif" alt-text="Windows OOBE - enrollment status page animation." 
border="false"::: + +> [!NOTE] +> Some Windows Autopilot deployment profiles **require** the ESP to be configured. + +To deploy the ESP to devices, you need to create an ESP profile in Microsoft Endpoint Manager. + +> [!TIP] +> While testing the deployment process, you can configure the ESP to: +> - allow the reset of the devices in case the installation fails +> - allow the use of the device if installation error occurs +> +> This enables you to troubleshoot the installation process in case any issues arise and to easily reset the OS. You can turn these settings off once you are done testing. + +For more information, see [Set up the Enrollment Status Page][MEM-3]. + +> [!CAUTION] +> When targeting an ESP to **Windows 11 SE** devices, only applications included in the [approved app list][EDU-1] should part of the ESP configuration. + +### Autopilot end-user experience + +Once configuration is complete and devices are distributed, students and teachers are able to complete the out-of-box experience with Autopilot. They can set up their devices at home, at school, or wherever there's a reliable Internet connection. +When a Windows device is turned on for the first time, the end-user experience with Windows Autopilot is as follows: + +1. Identify the language and region +1. Select the keyboard layout and decide on the option for a second keyboard layout +1. Connect to the internet: if connecting through Wi-Fi, the user will be prompted to connect to a wireless network. If the device is connected through an ethernet cable, Windows will skip this step +1. Apply updates: the device will look for and apply required updates +1. Windows will detect if the device has an Autopilot profile assigned to it. If so, it will proceed with the customized OOBE experience. If the Autopilot profile specifies a naming convention for the device, the device will be renamed, and a reboot will occur +1. The user authenticates to Azure AD, using the school account +1. 
The device joins Azure AD, enrolls in Intune and all the settings and applications are configured + +> [!NOTE] +> Some of these steps may be skipped, depending on the Autopilot profile configuration and if the device is using a wired connection. + +:::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false"::: + +________________________________________________________ +## Next steps + +With the devices joined to Azure AD tenant and managed by Intune, you can use Intune to maintain them and report on their status. + +> [!div class="nextstepaction"] +> [Next: Manage devices >](manage-overview.md) + + + +[MEM-1]: /mem/intune/fundamentals/intune-endpoints +[MEM-2]: /mem/autopilot/oem-registration +[MEM-3]: /mem/autopilot/enrollment-autopilot#create-an-autopilot-device-group-using-intune +[MEM-4]: /mem/autopilot/profiles +[MEM-5]: /mem/autopilot/partner-registration +[MEM-6]: /mem/autopilot/add-devices + +[WIN-1]: /windows/deployment/windows-autopilot/windows-autopilot-requirements + +[MSFT-1]: https://partner.microsoft.com/ + +[INT-1]: /intune/network-bandwidth-use + +[M365-1]: https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2 + +[EDU-1]: /education/windows/windows-11-se-overview +[EDU-2]: /intune-education/windows-11-se-overview#windows-autopilot + +[SURF-1]: /surface/surface-autopilot-registration-support \ No newline at end of file diff --git a/education/windows/tutorial-school-deployment/enroll-overview.md b/education/windows/tutorial-school-deployment/enroll-overview.md new file mode 100644 index 0000000000..1a0048e8b2 --- /dev/null +++ b/education/windows/tutorial-school-deployment/enroll-overview.md 
@@ -0,0 +1,48 @@ +--- +title: Device enrollment overview +description: Options to enroll Windows devices in Microsoft Intune +ms.date: 08/31/2022 +ms.prod: windows +ms.technology: windows +ms.topic: overview +ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +#ms.reviewer: +manager: aaroncz +ms.collection: education +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE +--- + +# Device enrollment overview + +There are three main methods for joining Windows devices to Azure AD and getting them enrolled and managed by Intune: + +- **Automatic Intune enrollment via Azure AD join** happens when a user first turns on a device that is in out-of-box experience (OOBE), and selects the option to join Azure AD. In this scenario, the user can customize certain Windows functionalities before reaching the desktop, and becomes a local administrator of the device. This option isn't an ideal enrollment method for education devices +- **Bulk enrollment with provisioning packages.** Provisioning packages are files that can be used to set up Windows devices, and can include information to connect to Wi-Fi networks and to join an Azure AD tenant. Provisioning packages can be created using either **Set Up School PCs** or **Windows Configuration Designer** applications. These files can be applied during or after the out-of-box experience +- **Enrollment via Windows Autopilot.** Windows Autopilot is a collection of cloud services to configure the out-of-box experience, enabling light-touch or zero-touch deployment scenarios. Windows Autopilot simplifies the Windows device lifecycle, from initial deployment to end of life, for OEMs, resellers, IT administrators and end users + +## Choose the enrollment method + +**Windows Autopilot** and the **Set up School PCs** app are usually the most efficient options for school environments. +This [table][INT-1] describes the ideal scenarios for using either option. 
It's recommended to review the table when planning your enrollment and deployment strategies. + +:::image type="content" source="./images/enroll.png" alt-text="The device lifecycle for Intune-managed devices - enrollment" border="false"::: + +Select one of the following options to learn the next steps about the enrollment method you chose: + +> [!div class="nextstepaction"] +> [Next: Automatic Intune enrollment via Azure AD join >](enroll-aadj.md) + +> [!div class="nextstepaction"] +> [Next: Bulk enrollment with provisioning packages >](enroll-package.md) + +> [!div class="nextstepaction"] +> [Next: Enroll devices with Windows Autopilot >](enroll-autopilot.md) + + + +[INT-1]: /intune-education/add-devices-windows#when-to-use-set-up-school-pcs-vs-windows-autopilot diff --git a/education/windows/tutorial-school-deployment/enroll-package.md b/education/windows/tutorial-school-deployment/enroll-package.md new file mode 100644 index 0000000000..35f640ae75 --- /dev/null +++ b/education/windows/tutorial-school-deployment/enroll-package.md 
@@ -0,0 +1,76 @@ +--- +title: Enrollment of Windows devices with provisioning packages +description: options how to enroll Windows devices with provisioning packages using SUSPCs and Windows Configuration Designer +ms.date: 08/31/2022 +ms.prod: windows +ms.technology: windows +ms.topic: tutorial +ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +#ms.reviewer: +manager: aaroncz +ms.collection: education +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE +--- + +# Enrollment with provisioning packages + +Enrolling devices with provisioning packages is an efficient way to deploy a large number of Windows devices. Some of the benefits of provisioning packages are: + +- There are no particular hardware dependencies on the devices to complete the enrollment process +- Devices don't need to be registered in advance +- Enrollment is a simple task: just open a provisioning package and the process is automated + +You can create provisioning packages using either **Set Up School PCs** or **Windows Configuration Designer** applications, which are described in the following sections. + +## Set up School PCs + +With Set up School PCs, you can create a package containing the most common device configurations that students need, and enroll devices in Intune. The package is saved on a USB stick, which can then be plugged into devices during OOBE. Applications and settings will be automatically applied to the devices, including the Azure AD join and Intune enrollment process. + +### Create a provisioning package + +The Set Up School PCs app guides you through configuration choices for school-owned devices. + +:::image type="content" source="./images/supcs-win11se.png" alt-text="Configure device settings in Set Up School PCs app" border="false"::: + +> [!CAUTION] +> If you are creating a provisioning package for **Windows 11 SE** devices, ensure to select the correct *OS version* in the *Configure device settings* page. 
+ +Set Up School PCs will configure many settings, allowing you to optimize devices for shared use and other scenarios. + +For more information on prerequisites, configuration, and recommendations, see [Use the Set Up School PCs app][EDU-1]. + +> [!TIP] +> To learn more and practice with Set up School PCs, try the Set Up School PCs demo, which provides detailed steps to create a provisioning package and deploy a device. +## Windows Configuration Designer + +Windows Configuration Designer is especially useful in scenarios where a school needs to provision packages for both bring-you-own devices and school-owned devices. Differently from Set Up School PCs, Windows Configuration Designer doesn't offer a guided experience, and allows granular customizations, including the possibility to embed scripts in the package. + +:::image type="content" source="./images/wcd.png" alt-text="Set up device page in Windows Configuration Designer" border="false"::: + +For more information, see [Install Windows Configuration Designer][WIN-1], which provides details about the app, its provisioning process, and considerations for its use. + +## Enroll devices with the provisioning package + +To provision Windows devices with provisioning packages, insert the USB stick containing the package during the out-of-box experience. The devices will read the content of the package, join Azure AD and automatically enroll in Intune. +All settings defined in the package and in Intune will be applied to the device, and the device will be ready to use. + +:::image type="content" source="./images/win11-oobe-ppkg.gif" alt-text="Windows 11 OOBE - enrollment with provisioning package animation." border="false"::: + +________________________________________________________ +## Next steps + +With the devices joined to Azure AD tenant and managed by Intune, you can use Intune to maintain them and report on their status. 
+ +> [!div class="nextstepaction"] +> [Next: Manage devices >](manage-overview.md) + + + +[EDU-1]: /education/windows/use-set-up-school-pcs-app + +[WIN-1]: /windows/configuration/provisioning-packages/provisioning-install-icd \ No newline at end of file diff --git a/education/windows/tutorial-school-deployment/images/advanced-support.png b/education/windows/tutorial-school-deployment/images/advanced-support.png new file mode 100644 index 0000000000..d7655d1616 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/advanced-support.png differ diff --git a/education/windows/tutorial-school-deployment/images/configure.png b/education/windows/tutorial-school-deployment/images/configure.png new file mode 100644 index 0000000000..6e3219a7cb Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/configure.png differ diff --git a/education/windows/tutorial-school-deployment/images/device-lifecycle.png b/education/windows/tutorial-school-deployment/images/device-lifecycle.png new file mode 100644 index 0000000000..ab14cdb9f0 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/device-lifecycle.png differ diff --git a/education/windows/tutorial-school-deployment/images/dfci-profile-expanded.png b/education/windows/tutorial-school-deployment/images/dfci-profile-expanded.png new file mode 100644 index 0000000000..3386f7673a Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/dfci-profile-expanded.png differ diff --git a/education/windows/tutorial-school-deployment/images/dfci-profile.png b/education/windows/tutorial-school-deployment/images/dfci-profile.png new file mode 100644 index 0000000000..d77dc06f3d Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/dfci-profile.png differ 
diff --git a/education/windows/tutorial-school-deployment/images/enroll.png b/education/windows/tutorial-school-deployment/images/enroll.png new file mode 100644 index 0000000000..352cda9509 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/enroll.png differ diff --git a/education/windows/tutorial-school-deployment/images/enrollment-restrictions.png b/education/windows/tutorial-school-deployment/images/enrollment-restrictions.png new file mode 100644 index 0000000000..69b22745a6 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/enrollment-restrictions.png differ diff --git a/education/windows/tutorial-school-deployment/images/entra-assign-licenses.png b/education/windows/tutorial-school-deployment/images/entra-assign-licenses.png new file mode 100644 index 0000000000..3f031053d5 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/entra-assign-licenses.png differ diff --git a/education/windows/tutorial-school-deployment/images/entra-branding.png b/education/windows/tutorial-school-deployment/images/entra-branding.png new file mode 100644 index 0000000000..7201c7386d Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/entra-branding.png differ diff --git a/education/windows/tutorial-school-deployment/images/entra-device-settings.png b/education/windows/tutorial-school-deployment/images/entra-device-settings.png new file mode 100644 index 0000000000..ef18b7391f Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/entra-device-settings.png differ diff --git a/education/windows/tutorial-school-deployment/images/entra-tenant-name.png b/education/windows/tutorial-school-deployment/images/entra-tenant-name.png new file mode 100644 index 0000000000..4cf21148d1 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/entra-tenant-name.png differ 
diff --git a/education/windows/tutorial-school-deployment/images/i4e-autopilot-reset.png b/education/windows/tutorial-school-deployment/images/i4e-autopilot-reset.png new file mode 100644 index 0000000000..69f9fb188a Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/i4e-autopilot-reset.png differ diff --git a/education/windows/tutorial-school-deployment/images/i4e-factory-reset.png b/education/windows/tutorial-school-deployment/images/i4e-factory-reset.png new file mode 100644 index 0000000000..5c1215f6d8 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/i4e-factory-reset.png differ diff --git a/education/windows/tutorial-school-deployment/images/intune-diagnostics.png b/education/windows/tutorial-school-deployment/images/intune-diagnostics.png new file mode 100644 index 0000000000..20b05ad9d7 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/intune-diagnostics.png differ diff --git a/education/windows/tutorial-school-deployment/images/intune-education-apps.png b/education/windows/tutorial-school-deployment/images/intune-education-apps.png new file mode 100644 index 0000000000..ca344cf5cf Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/intune-education-apps.png differ diff --git a/education/windows/tutorial-school-deployment/images/intune-education-autopilot-group.png b/education/windows/tutorial-school-deployment/images/intune-education-autopilot-group.png new file mode 100644 index 0000000000..75543684ca Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/intune-education-autopilot-group.png differ 
diff --git a/education/windows/tutorial-school-deployment/images/intune-education-groups.png b/education/windows/tutorial-school-deployment/images/intune-education-groups.png new file mode 100644 index 0000000000..87f4546e88 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/intune-education-groups.png differ diff --git a/education/windows/tutorial-school-deployment/images/intune-education-portal.png b/education/windows/tutorial-school-deployment/images/intune-education-portal.png new file mode 100644 index 0000000000..6bcc9f9375 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/intune-education-portal.png differ diff --git a/education/windows/tutorial-school-deployment/images/inventory-reporting.png b/education/windows/tutorial-school-deployment/images/inventory-reporting.png new file mode 100644 index 0000000000..39c904e205 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/inventory-reporting.png differ diff --git a/education/windows/tutorial-school-deployment/images/m365-admin-center.png b/education/windows/tutorial-school-deployment/images/m365-admin-center.png new file mode 100644 index 0000000000..d471b441dd Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/m365-admin-center.png differ diff --git a/education/windows/tutorial-school-deployment/images/protect-manage.png b/education/windows/tutorial-school-deployment/images/protect-manage.png new file mode 100644 index 0000000000..7ee7040a46 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/protect-manage.png differ diff --git a/education/windows/tutorial-school-deployment/images/remote-actions.png b/education/windows/tutorial-school-deployment/images/remote-actions.png new file mode 100644 index 0000000000..cfbd12f2da Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/remote-actions.png differ 
diff --git a/education/windows/tutorial-school-deployment/images/retire.png b/education/windows/tutorial-school-deployment/images/retire.png new file mode 100644 index 0000000000..c079cfeaac Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/retire.png differ diff --git a/education/windows/tutorial-school-deployment/images/supcs-win11se.png b/education/windows/tutorial-school-deployment/images/supcs-win11se.png new file mode 100644 index 0000000000..700ff6d87f Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/supcs-win11se.png differ diff --git a/education/windows/tutorial-school-deployment/images/surface-management-portal-expanded.png b/education/windows/tutorial-school-deployment/images/surface-management-portal-expanded.png new file mode 100644 index 0000000000..339bd90904 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/surface-management-portal-expanded.png differ diff --git a/education/windows/tutorial-school-deployment/images/surface-management-portal.png b/education/windows/tutorial-school-deployment/images/surface-management-portal.png new file mode 100644 index 0000000000..a1b7dd37ab Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/surface-management-portal.png differ diff --git a/education/windows/tutorial-school-deployment/images/wcd.png b/education/windows/tutorial-school-deployment/images/wcd.png new file mode 100644 index 0000000000..fba5be741f Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/wcd.png differ diff --git a/education/windows/tutorial-school-deployment/images/whfb-disable.png b/education/windows/tutorial-school-deployment/images/whfb-disable.png new file mode 100644 index 0000000000..97177965e3 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/whfb-disable.png differ 
diff --git a/education/windows/tutorial-school-deployment/images/win11-autopilot-reset.png b/education/windows/tutorial-school-deployment/images/win11-autopilot-reset.png new file mode 100644 index 0000000000..0ec380619e Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/win11-autopilot-reset.png differ diff --git a/education/windows/tutorial-school-deployment/images/win11-login-screen.png b/education/windows/tutorial-school-deployment/images/win11-login-screen.png new file mode 100644 index 0000000000..438dda11bc Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/win11-login-screen.png differ diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-auth.png b/education/windows/tutorial-school-deployment/images/win11-oobe-auth.png new file mode 100644 index 0000000000..5ebb6a9f14 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/win11-oobe-auth.png differ diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-esp.gif b/education/windows/tutorial-school-deployment/images/win11-oobe-esp.gif new file mode 100644 index 0000000000..fa2e4c3aeb Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/win11-oobe-esp.gif differ diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.gif b/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.gif new file mode 100644 index 0000000000..2defd5c1ce Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.gif differ diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-updates.png b/education/windows/tutorial-school-deployment/images/win11-oobe-updates.png new file mode 100644 index 0000000000..51bbc39c9f Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/win11-oobe-updates.png differ 
diff --git a/education/windows/tutorial-school-deployment/images/win11-wipe.png b/education/windows/tutorial-school-deployment/images/win11-wipe.png new file mode 100644 index 0000000000..027afae172 Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/win11-wipe.png differ diff --git a/education/windows/tutorial-school-deployment/index.md b/education/windows/tutorial-school-deployment/index.md new file mode 100644 index 0000000000..d68fd2fd82 --- /dev/null +++ b/education/windows/tutorial-school-deployment/index.md 
@@ -0,0 +1,87 @@ +--- +title: Introduction +description: Introduction to deployment and management of Windows devices in education environments +ms.date: 08/31/2022 +ms.prod: windows +ms.technology: windows +ms.topic: conceptual +ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +#ms.reviewer: +manager: aaroncz +ms.collection: education +--- + +# Tutorial: deploy and manage Windows devices in a school + +This guide introduces the tools and services available from Microsoft to deploy, configure and manage Windows devices in an education environment. + +## Audience and user requirements + +This tutorial is intended for education professionals responsible for deploying and managing Windows devices, including: + +- School leaders +- IT administrators +- Teachers +- Microsoft partners + +This content provides a comprehensive path for schools to deploy and manage new Windows devices with Microsoft Intune. It includes step-by-step information how to manage devices throughout their lifecycle, and specific guidance for **Windows 11 SE** and **Surface devices**. + +> [!NOTE] +> Depending on your school setup scenario, you may not need to implement all steps. + +## Device lifecycle management + +Historically, school IT administrators and educators have struggled to find an easy-to-use, flexible, and secure way to manage the lifecycle of the devices in their schools. In response, Microsoft has developed integrated suites of products for streamlined, cost-effective device lifecycle management. + +Microsoft 365 Education provides tools and services that enable simplified management of all devices through Microsoft Endpoint Manager (MEM). With Microsoft's solutions, IT administrators have the flexibility to support diverse scenarios, including school-owned devices and bring-your-own devices. 
+Microsoft Endpoint Manager services include: + +- [Microsoft Intune][MEM-1] +- [Microsoft Intune for Education][INT-1] +- [Configuration Manager][MEM-2] +- [Desktop Analytics][MEM-3] +- [Windows Autopilot][MEM-4] +- [Surface Management Portal][MEM-5] + +These services are part of the Microsoft 365 stack to help secure access, protect data, and manage risk. + +## Why Intune for Education? + +Windows devices can be managed with Intune for Education, enabling simplified management of multiple devices from a single point. +From enrollment, through configuration and protection, to resetting, Intune for Education helps school IT administrators manage and optimize the devices throughout their lifecycle: + +:::image type="content" source="./images/device-lifecycle.png" alt-text="The device lifecycle for Intune-managed devices" border="false"::: + +- **Enroll:** to enable remote device management, devices must be enrolled in Intune with an account in your Azure AD tenant. Some enrollment methods require an IT administrator to initiate enrollment, while others require students to complete the initial device setup process. This document discusses the facets of various device enrollment methodologies +- **Configure:** once the devices are enrolled in Intune, applications and settings will be applied, as defined by the IT administrator +- **Protect and manage:** in addition to its configuration capabilities, Intune for Education helps protect devices from unauthorized access or malicious attacks. For example, adding an extra layer of authentication with Windows Hello can make devices more secure. Policies are available that let you control settings for Windows Firewall, Endpoint Protection, and software updates +- **Retire:** when it's time to repurpose a device, Intune for Education offers several options, including resetting the device, removing it from management, or wiping school data. 
In this document, we cover different device return and exchange scenarios + +## Four pillars of modern device management + +In the remainder of this document, we'll discuss the key concepts and benefits of modern device management with Microsoft 365 solutions for education. The guidance is organized around the four main pillars of modern device management: + +- **Identity management:** setting up and configuring the identity system, with Microsoft 365 Education and Azure Active Directory, as the foundation for user identity and authentication +- **Initial setup:** setting up the Intune for Education environment for managing devices, including configuring settings, deploying applications, and defining updates cadence +- **Device enrollment:** Setting up Windows devices for deployment and enrolling them in Intune for Education +- **Device reset:** Resetting managed devices with Intune for Education + +________________________________________________________ +## Next steps + +Let's begin with the creation and configuration of your Azure AD tenant and Intune environment. + +> [!div class="nextstepaction"] +> [Next: Set up Azure Active Directory >](set-up-azure-ad.md) + + + +[MEM-1]: /mem/intune/fundamentals/what-is-intune +[MEM-2]: /mem/configmgr/core/understand/introduction +[MEM-3]: /mem/configmgr/desktop-analytics/overview +[MEM-4]: /mem/autopilot/windows-autopilot +[MEM-5]: /mem/autopilot/dfci-management + +[INT-1]: /intune-education/what-is-intune-for-education \ No newline at end of file diff --git a/education/windows/tutorial-school-deployment/manage-overview.md b/education/windows/tutorial-school-deployment/manage-overview.md new file mode 100644 index 0000000000..6be402a17d --- /dev/null +++ b/education/windows/tutorial-school-deployment/manage-overview.md 
@@ -0,0 +1,71 @@ +--- +title: Manage devices with Microsoft Intune +description: Overview of device management capabilities in Intune for Education, including remote actions, remote assistance and inventory/reporting. +ms.date: 08/31/2022 +ms.prod: windows +ms.technology: windows +ms.topic: tutorial +ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +#ms.reviewer: +manager: aaroncz +ms.collection: education +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE +--- + +# Manage devices with Microsoft Intune + +Microsoft Intune offers a streamlined remote device management experience throughout the school year. IT administrators can optimize device settings, deploy new applications, updates, ensuring that security and privacy are maintained. + +:::image type="content" source="./images/protect-manage.png" alt-text="The device lifecycle for Intune-managed devices - protect and manage devices" border="false"::: + +## Remote device management + +With Intune for Education, there are several ways to manage students' devices. Groups can be created to organize devices and students, to facilitate remote management. You can determine which applications students have access to, and fine tune device settings and restrictions. You can also monitor which devices students sign in to, and troubleshoot devices remotely. + +### Remote actions + +Intune fo Education allows you to perform actions on devices without having to sign in to the devices. For example, you can send a command to a device to restart or to turn off, or you can locate a device. + +:::image type="content" source="./images/remote-actions.png" alt-text="Remote actions available in Intune for Education when selecting a Windows device" lightbox="./images/remote-actions.png" border="true"::: + +With bulk actions, remote actions can be performed on multiple devices at once. + +To learn more about remote actions in Intune for Education, see [Remote actions][EDU-1]. 
+ +## Remote assistance + +With devices managed by Intune for Education, you can remotely assist students and teachers that are having issues with their devices. + +For more information, see [Remote assistance for managed devices - Intune for Education][EDU-2]. + +## Device inventory and reporting + +With Intune for Education, it's possible view and report on current devices, applications, settings, and overall health. You can also download reports to review or share offline. + +Here are the steps for generating reports in Intune for Education: + +1. Sign in to the Intune for Education portal +1. Select **Reports** +1. Select between one of the report types: + - Device inventory + - Device actions + - Application inventory + - Settings errors + - Windows Defender + - Autopilot deployment +1. If needed, use the search box to find specific devices, applications, and settings +1. To download a report, select **Download**. The report will download as a comma-separated value (CSV) file, which you can view and modify in a spreadsheet app like Microsoft Excel. + :::image type="content" source="./images/inventory-reporting.png" alt-text="Reporting options available in Intune for Education when selecting the reports blade" border="true"::: + +To learn more about reports in Intune for Education, see [Reports in Intune for Education][EDU-3]. + + + +[EDU-1]: /intune-education/edu-device-remote-actions +[EDU-2]: /intune-education/remote-assist-mobile-devices +[EDU-3]: /intune-education/what-are-reports diff --git a/education/windows/tutorial-school-deployment/manage-surface-devices.md b/education/windows/tutorial-school-deployment/manage-surface-devices.md new file mode 100644 index 0000000000..c8d8f1a1c3 --- /dev/null +++ b/education/windows/tutorial-school-deployment/manage-surface-devices.md 
@@ -0,0 +1,54 @@ +--- +title: Management functionalities for Surface devices +description: Management capabilities offered to Surface devices, including firmware management and the Surface Management Portal +ms.date: 08/31/2022 +ms.prod: windows +ms.technology: windows +ms.topic: tutorial +ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +#ms.reviewer: +manager: aaroncz +ms.collection: education +appliesto: +- ✅ Surface devices +--- + +# Management functionalities for Surface devices + +Microsoft Surface devices offer many advanced management functionalities, including the possibility to manage firmware settings and a web portal designed for them. + +## Manage device firmware for Surface devices + +Surface devices use a Unified Extensible Firmware Interface (UEFI) setting that allows you to enable or disable built-in hardware components, protect UEFI settings from being changed, and adjust device boot configuration. With [Device Firmware Configuration Interface profiles built into Intune][INT-1], Surface UEFI management extends the modern management capabilities to the hardware level. Windows can pass management commands from Intune to UEFI for Autopilot-deployed devices. + +DFCI supports zero-touch provisioning, eliminates BIOS passwords, and provides control of security settings for boot options, cameras and microphones, built-in peripherals, and more. For more information, see [Manage DFCI on Surface devices][SURF-1] and [Manage DFCI with Windows Autopilot][MEM-1], which includes a list of requirements to use DFCI. 
+ +:::image type="content" source="./images/dfci-profile.png" alt-text="Creation of a DFCI profile from Microsoft Endpoint Manager" lightbox="./images/dfci-profile-expanded.png" border="true"::: + +## Microsoft Surface Management Portal + +Located in the Microsoft Endpoint Manager admin center, the Microsoft Surface Management Portal enables you to self-serve, manage, and monitor your school's Intune-managed Surface devices at scale. Get insights into device compliance, support activity, warranty coverage, and more. + +When Surface devices are enrolled in cloud management and users sign in for the first time, information automatically flows into the Surface Management Portal, giving you a single pane of glass for Surface-specific administration activities. + +To access and use the Surface Management Portal: + +1. Sign in to Microsoft Endpoint Manager admin center +1. Select **All services** > **Surface Management Portal** + :::image type="content" source="./images/surface-management-portal.png" alt-text="Surface Management Portal within Microsoft Endpoint Manager" lightbox="./images/surface-management-portal-expanded.png" border="true"::: +1. To obtain insights for all your Surface devices, select **Monitor** + - Devices that are out of compliance or not registered, have critically low storage, require updates, or are currently inactive, are listed here +1. To obtain details on each insights category, select **View report** + - This dashboard displays diagnostic information that you can customize and export +1. To obtain the device's warranty information, select **Device warranty and coverage** +1. To review a list of support requests and their status, select **Support requests** + + + +[INT-1]: /intune/configuration/device-firmware-configuration-interface-windows + +[MEM-1]: /mem/autopilot/dfci-management + +[SURF-1]: /surface/surface-manage-dfci-guide 
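Review bot: The DFCI acronym is never attached to its expansion: the first paragraph of "Manage device firmware for Surface devices" spells out `Device Firmware Configuration Interface profiles built into Intune`, and the next paragraph opens with `DFCI supports zero-touch provisioning` as if the reader already knows the abbreviation. Suggest `[Device Firmware Configuration Interface (DFCI) profiles built into Intune][INT-1]`. Two smaller points: `[INT-1]: /intune/configuration/device-firmware-configuration-interface-windows` is the only Intune link in this PR that doesn't use the `/mem/intune/` path, so confirm it resolves rather than redirects; and since reset-wipe.md in this same PR states that DFCI-managed devices must be registered by a partner or OEM (self-registration isn't supported), it would help readers to state that prerequisite here too, next to the sentence that DFCI "eliminates BIOS passwords", rather than leaving it only behind the "list of requirements" link.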
diff --git a/education/windows/tutorial-school-deployment/reset-wipe.md b/education/windows/tutorial-school-deployment/reset-wipe.md new file mode 100644 index 0000000000..ca8bac240d --- /dev/null +++ b/education/windows/tutorial-school-deployment/reset-wipe.md 
@@ -0,0 +1,122 @@ +--- +title: Reset and wipe Windows devices +description: Reset and wipe options for Windows devices using Intune for Education, including scenarios when to delete devices +ms.date: 08/31/2022 +ms.prod: windows +ms.technology: windows +ms.topic: tutorial +ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +#ms.reviewer: +manager: aaroncz +ms.collection: education +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE +--- + +# Device reset options + +There are different scenarios that require a device to be reset, for example: + +- The device isn't responding to commands +- The device is lost or stolen +- It's the end of the life of the device +- It's the end of the school year and you want to prepare the device for a new school year +- The device has hardware problems and you want to send it to the service center + +:::image type="content" source="./images/retire.png" alt-text="The device lifecycle for Intune-managed devices - retirement" border="false"::: + +Intune for Education provides two device reset functionalities that enable IT administrators to remotely execute them: + +- **Factory reset** (also known as **wipe**) is used to wipe all data and settings from the device, returning it to the default factory settings +- **Autopilot reset** is used to return the device to a fully configured or known IT-approved state + +## Factory reset (wipe) + +A factory reset, or a wipe, reverts a device to the original settings when it was purchased. All settings, applications and data installed on the device after purchase are removed. The device is also removed from Intune management. + +Once the wipe is completed, the device will be in out-of-box experience. + +Here are the steps to perform a factory reset from Intune for Education: + +1. Sign in to the Intune for Education portal +1. Select **Devices** +1. Select the device you want to reset > **Factory reset** +1. 
Select **Factory reset** to confirm the action + +:::image type="content" source="./images/win11-wipe.png" alt-text="Three screenshots showing the device being wiped, ending up in OOBE" lightbox="./images/win11-wipe.png" border="false"::: + +Consider using factory reset in the following example scenarios: + +- The device isn't working properly, and you want to reset it without reimaging it +- It's the end of school year and you want to prepare the device for a new school year +- You need to reassign the device to a different student, and you want to reset the device to its original settings +- You're returning a device to the service center, and you want to remove all data and settings from the device + +> [!TIP] +> Consider that once the device is wiped, the new user will go through OOBE. This option may be ideal if the device is also registered in Autopilot to make the OOBE experience seamless, or if you plan to use a provisioning package to re-enroll the device. + +## Autopilot Reset + +Autopilot Reset is ideal when all data on a device needs to be wiped, but the device remains enrolled in your tenant. + +Once the Autopilot reset action is completed, the device will ask to chose region and keyboard layout, then it will display the sign-in screen. + +Here are the steps to perform an Autopilot reset from Intune for Education: + +1. Sign in to the Intune for Education portal +1. Select **Devices** +1. Select the device you want to reset > **Autopilot reset** +1. 
Select **Autopilot reset** to confirm the action + +:::image type="content" source="./images/win11-autopilot-reset.png" alt-text="Three screenshots showing the device being wiped, ending up in the login screen" border="false"::: + +Consider using Autopilot reset in the following example scenarios: + +- The device isn't working properly, and you want to reset it without reimaging it +- It's the end of school year and you want to prepare the device for a new school year +- You need to reassign the device to a different student, and you want to reset the device to without requiring the student to go through OOBE + +> [!TIP] +> Consider that the end user will **not** go through OOBE, and the association of the user to the device in Intune doesn't change. For this reason, this option may be ideal for devices that have been enrolled in Intune as *shared devices* (for example, a device that was enrolled with a provisioning package or using Autopilot self-deploying mode). + +## Wiping and deleting a device + +There are scenarios that require a device to be deleted from your tenant, for example: + +- The device is lost or stolen +- It's the end of the life of the device +- The device has been replaced with a new device or has its motherboard replaced + +> [!IMPORTANT] +> The following actions should only be performed for devices that are no longer going to be used in your tenant. + + To completely remove a device, you need to perform the following actions: + +1. If possible, perform a **factory reset (wipe)** of the device. If the device can't be wiped, delete the device from Intune using [these steps][MEM-1] +1. If the device is registered in Autopilot, delete the Autopilot object using [these steps][MEM-2] +1. Delete the device from Azure Active Directory using [these steps][MEM-3] + +## Autopilot considerations for a motherboard replacement scenario + +Repairing Autopilot-enrolled devices can be complex, as OEM requirements must be balanced with Autopilot requirements. 
If a motherboard replacement is needed on an Autopilot device, it's suggested the following process: + +1. Deregister the device from Autopilot +1. Replace the motherboard +1. Capture a new device ID (4K HH) +1. Re-register the device with Autopilot + > [!IMPORTANT] + > For DFCI management, the device must be re-registered by a partner or OEM. Self-registration of devices is not supported with DFCI management. +1. Reset the device +1. Return the device + +For more information, see [Autopilot motherboard replacement scenario guidance][MEM-4]. + + +[MEM-1]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal +[MEM-2]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal +[MEM-3]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-azure-active-directory-portal +[MEM-4]: /mem/autopilot/autopilot-mbr diff --git a/education/windows/tutorial-school-deployment/set-up-azure-ad.md b/education/windows/tutorial-school-deployment/set-up-azure-ad.md new file mode 100644 index 0000000000..efe5fa2545 --- /dev/null +++ b/education/windows/tutorial-school-deployment/set-up-azure-ad.md 
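Review bot: `[MEM-1]` and `[MEM-2]` resolve to the same anchor, `/mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal`, but step 2 of "Wiping and deleting a device" uses `[MEM-2]` for "delete the Autopilot object", which is a different procedure from deleting the Intune device record; point `[MEM-2]` at the Autopilot device deregistration documentation instead. In "Autopilot Reset", the scenario `You need to reassign the device to a different student` sits next to the tip that `the association of the user to the device in Intune doesn't change`, and the tip then says the option is ideal for *shared devices*; either qualify the reassignment scenario to shared devices or say what the admin should do about the stale user association, otherwise the previous student stays recorded as the device's user after reassignment. Typos: `the device will ask to chose region and keyboard layout` → `choose`; `reset the device to without requiring the student` has a stray "to"; `it's suggested the following process` → `the following process is suggested`.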
@@ -0,0 +1,179 @@ +--- +title: Set up Azure Active Directory +description: How to create and prepare your Azure AD tenant for an education environment +ms.date: 08/31/2022 +ms.prod: windows +ms.technology: windows +ms.topic: tutorial +ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +#ms.reviewer: +manager: aaroncz +ms.collection: education +#appliesto: +--- + +# Set up Azure Active Directory + +The Microsoft platform for education simplifies the management of Windows devices with Intune for Education and Microsoft 365 Education. The first, fundamental step, is to configure the identity infrastructure to manage user access and permissions for your school. + +Azure Active Directory (Azure AD), which is included with the Microsoft 365 Education subscription, provides authentication and authorization to any Microsoft cloud services. Identity objects are defined in Azure AD for human identities, like students and teachers, as well as non-human identities, like devices, services, and applications. Once users get Microsoft 365 licenses assigned, they'll be able to consume services and access resources within the tenant. With Microsoft 365 Education, you can manage identities for your teachers and students, assign licenses to devices and users, and create groups for the classrooms. + +In this section you will: +> [!div class="checklist"] +> * Set up a Microsoft 365 Education tenant +> * Add users, create groups, and assign licenses +> * Configure school branding +> * Enable bulk enrollment + +## Create a Microsoft 365 tenant + +If you don't already have a Microsoft 365 tenant, you'll need to create one. + +For more information, see [Create your Office 365 tenant account][M365-1] + +> [!TIP] +> To learn more, and practice how to configure the Microsoft 365 tenant for your school, try this interactive demo. 
+### Explore the Microsoft 365 admin center + +The **Microsoft 365 admin center** is the hub for all administrative consoles for the Microsoft 365 cloud. To access the Microsoft Entra admin center, sign in with the same global administrator account when you [created the Microsoft 365 tenant](#create-a-microsoft-365-tenant). + +From the Microsoft 365 admin center, you can access different administrative dashboards: Azure Active Directory, Microsoft Endpoint Manager, Intune for Education, and others: + +:::image type="content" source="./images/m365-admin-center.png" alt-text="*All admin centers* page in *Microsoft 365 admin center*" lightbox="./images/m365-admin-center.png" border="true"::: + +For more information, see [Overview of the Microsoft 365 admin center][M365-2]. + +> [!NOTE] +> Setting up your school's basic cloud infrastructure does not require you to complete the rest of the Microsoft 365 setup. For this reason, we will skip directly to adding students and teachers as users in the Microsoft 365 tenant. + +## Add users, create groups, and assign licenses + +With the Microsoft 365 tenant in place, it's time to add users, create groups, and assign licenses. All students and teachers need a user account before they can sign in and access the different Microsoft 365 services. There are multiple ways to do this, including using School Data Sync (SDS), synchronizing an on-premises Active Directory, manually, or a combination of the above. + +> [!NOTE] +> Synchronizing your Student Information System (SIS) with School Data Sync is the preferred way to create students and teachers as users in a Microsoft 365 Education tenant. However, if you want to integrate an on-premises directory and synchronize accounts to the cloud, skip to [Azure Active Directory sync](#azure-active-directory-sync) below. 
+ +### School Data Sync + +School Data Sync (SDS) imports and synchronizes SIS data to create classes in Microsoft 365, such as Microsoft 365 groups and class teams in Microsoft Teams. SDS can be used to create new, cloud-only, identities or to evolve existing identities. Users evolve into *students* or *teachers* and are associated with a *grade*, *school*, and other education-specific attributes. + +For more information, see [Overview of School Data Sync][SDS-1]. + +> [!TIP] +> To learn more and practice with School Data Sync, follow the Microsoft School Data Sync demo, which provides detailed steps to access, configure, and deploy School Data Sync in your Microsoft 365 Education tenant. + +> [!NOTE] +> You can perform a test deployment by cloning or downloading sample SDS CSV school data from the [O365-EDU-Tools GitHub site](https://github.com/OfficeDev/O365-EDU-Tools). +> +> Remember that you should typically deploy test SDS data (users, groups, and so on) in a separate test tenant, not your school production environment. + +### Azure Active Directory sync + +To integrate an on-premises directory with Azure Active Directory, you can use **Microsoft Azure Active Directory Connect** to synchronize users, groups, and other objects. Azure AD Connect lets you configure the authentication method appropriate for your school, including: + +- [Password hash synchronization][AAD-1] +- [Pass-through authentication][AAD-2] +- [Federated authentication][AAD-3] + +For more information, see [Set up directory synchronization for Microsoft 365][O365-1]. + +### Create users manually + +In addition to the above methods, you can manually add users and groups, and assign licenses through the Microsoft 365 admin center. + +There are two options for adding users manually, either individually or in bulk: + +1. 
To add students and teachers as users in Microsoft 365 Education *individually*: + - Sign in to the Microsoft Entra admin center + - Select **Azure Active Directory** > **Users** > **All users** > **New user** > **Create new user** + For more information, see [Add users and assign licenses at the same time][M365-3]. +1. To add *multiple* users to Microsoft 365 Education: + - Sign in to the Microsoft Entra admin center + - Select **Azure Active Directory** > **Users** > **All users** > **Bulk operations** > **Bulk create** + +For more information, see [Add multiple users in the Microsoft 365 admin center][M365-4]. +### Create groups + +Creating groups is important to simplify multiple tasks, like assigning licenses, delegating administration, deploy settings, applications or to distribute assignments to students. To create groups: + +1. Sign in to the Microsoft Entra admin center +1. Select **Azure Active Directory** > **Groups** > **All groups** > **New group** +1. On the **New group** page, select **Group type** > **Security** +1. Provide a group name and add members, as needed +1. Select **Next** + +For more information, see [Create a group in the Microsoft 365 admin center][M365-5]. + +### Assign licenses + +The recommended way to assign licenses is through group-based licensing. With this method, Azure AD ensures that licenses are assigned to all members of the group. Any new members who join the group are assigned the appropriate licenses, and when members leave, their licenses are removed. + +To assign a license to a group: + +1. Sign in to the Microsoft Entra admin center +1. Select **Azure Active Directory** > **Show More** > **Billing** > **Licenses** +1. Select the required products that you want to assign licenses for > **Assign** +1. Add the groups to which the licenses should be assigned + + :::image type="content" source="images/entra-assign-licenses.png" alt-text="Assign licenses from Microsoft Entra admin center." 
lightbox="images/entra-assign-licenses.png"::: + +For more information, see [Group-based licensing using Azure AD admin center][AAD-4]. + +## Configure school branding + +Configuring your school branding enables a more familiar Autopilot experience to students and teachers. With a custom school branding, you can define a custom logo and a welcome message, which will appear during the Windows out-of-box experience. + +To configure your school's branding: + +1. Sign in to the Microsoft Entra admin center +1. Select **Azure Active Directory** > **Show More** > **User experiences** > **Company branding** +1. You can specify brand settings like background image, logo, username hint and a sign-in page text + :::image type="content" source="images/entra-branding.png" alt-text="Configure Azure AD branding from Microsoft Entra admin center." lightbox="images/entra-branding.png"::: +1. To adjust the school tenant's name displayed during OOBE, select **Azure Active Directory** > **Overview** > **Properties** +1. In the **Name** field, enter the school district or organization's name > **Save** + :::image type="content" alt-text="Configure Azure AD tenant name from Microsoft Entra admin center." source="images/entra-tenant-name.png" lightbox="images/entra-tenant-name.png"::: + +For more information, see [Add branding to your directory][AAD-5]. + +## Enable bulk enrollment + +If you decide to enroll Windows devices using provisioning packages instead of Windows Autopilot, you must ensure that the provisioning packages can join Windows devices to the Azure AD tenant. + +To allow provisioning packages to complete the Azure AD Join process: + +1. Sign in to the Microsoft Entra admin center +1. Select **Azure Active Directory** > **Devices** > **Device Settings** +1. Under **Users may join devices to Azure AD**, select **All** + > [!NOTE] + > If it is required that only specific users can join devices to Azure AD, select **Selected**. 
Ensure that the user account that will create provisioning packages is included in the list of users. +1. Select Save + :::image type="content" source="images/entra-device-settings.png" alt-text="Configure device settings from Microsoft Entra admin center." lightbox="images/entra-device-settings.png"::: + +________________________________________________________ + +## Next steps + +With users and groups created, and licensed for Microsoft 365 Education, you can now configure Microsoft Intune. + +> [!div class="nextstepaction"] +> [Next: Set up Microsoft Intune >](set-up-microsoft-intune.md) + + + +[AAD-1]: /azure/active-directory/hybrid/whatis-phs +[AAD-2]: /azure/active-directory/hybrid/how-to-connect-pta +[AAD-3]: /azure/active-directory/hybrid/how-to-connect-fed-whatis +[AAD-4]: /azure/active-directory/enterprise-users/licensing-groups-assign +[AAD-5]: /azure/active-directory/fundamentals/customize-branding + +[M365-1]: /microsoft-365/education/deploy/create-your-office-365-tenant +[M365-2]: /microsoft-365/admin/admin-overview/admin-center-overview +[M365-3]: /microsoft-365/admin/add-users/add-users +[M365-4]: /microsoft-365/enterprise/add-several-users-at-the-same-time +[M365-5]: /microsoft-365/admin/create-groups/create-groups + +[O365-1]: /office365/enterprise/set-up-directory-synchronization + +[SDS-1]: /schooldatasync/overview-of-school-data-sync diff --git a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md new file mode 100644 index 0000000000..a75509b502 --- /dev/null +++ b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md 
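Review bot: "Enable bulk enrollment" recommends the broad setting as the primary path (`Under Users may join devices to Azure AD, select All`) and relegates the least-privilege option to a note; since the stated goal is only that `the user account that will create provisioning packages` can join devices, suggest making **Selected** with that account the recommended configuration and **All** the exception, because **All** lets every user in the tenant join arbitrary devices to Azure AD. In "Explore the Microsoft 365 admin center", the second sentence switches consoles mid-paragraph and has a grammar slip: `To access the Microsoft Entra admin center, sign in with the same global administrator account when you [created the Microsoft 365 tenant]` should read `To access the Microsoft 365 admin center, sign in with the same global administrator account you used when you [created the Microsoft 365 tenant]`. Smaller items: the "Create users manually" steps are performed in the Microsoft Entra admin center, but `[M365-3]` and `[M365-4]` link to Microsoft 365 admin center procedures, so align either the steps or the links; `deploy settings, applications or to distribute assignments` → `deploying settings and applications, or distributing assignments`; and a blank line is missing between `[M365-4].` and `### Create groups`.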
@@ -0,0 +1,104 @@ +--- +title: Set up device management +description: How to configure the Intune service and set up the environment for education. +ms.date: 08/31/2022 +ms.prod: windows +ms.technology: windows +ms.topic: tutorial +ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +#ms.reviewer: +manager: aaroncz +ms.collection: education +#appliesto: +--- + +# Set up Microsoft Intune + +Without the proper tools and resources, managing hundreds or thousands of devices in a school environment can be a complex and time-consuming task. Microsoft Endpoint Manager provides a collection of services that simplifies the management of devices at scale. + +Microsoft Intune is one of the services provided by Microsoft Endpoint Manager. The Microsoft Intune service can be managed in different ways, and one of them is **Intune for Education**, a web portal designed for education environments. + +:::image type="content" source="./images/intune-education-portal.png" alt-text="Intune for Education dashboard" lightbox="./images/intune-education-portal.png" border="true"::: + +**Intune for Education** supports the entire device lifecycle, from the enrollment phase through retirement. IT administrators can start managing classroom devices with bulk enrollment options and a streamlined deployment. At the end of the school year, IT admins can reset devices, ensuring they're ready for the next year. + +For more information, see [Intune for Education documentation][INT-1]. 
+ +In this section you will: +> [!div class="checklist"] +> * Review Intune's licensing prerequisites +> * Configure the Intune service for education devices + +## Prerequisites + +Before configuring settings with Intune for Education, consider the following prerequisites: + +- **Intune subscription.** Microsoft Intune is licensed in three ways: + - As a standalone service + - As part of [Enterprise Mobility + Security][MSFT-1] + - As part of a [Microsoft 365 Education subscription][MSFT-2] +- **Device platform.** Intune for Education can manage devices running a supported version of Windows 10, Windows 11, Windows 11 SE, iOS, and iPad OS + +For more information, see [Intune licensing][MEM-1] and [this comparison sheet][MSFT-3], which includes a table detailing the *Microsoft Modern Work Plan for Education*. + +## Configure the Intune service for education devices + +The Intune service can be configured in different ways, depending on the needs of your school. In this section, you'll configure the Intune service using settings commonly implemented by K-12 school districts. + +### Configure enrollment restrictions + +With enrollment restrictions, you can prevent certain types of devices from being enrolled and therefore managed by Intune. For example, you can prevent the enrollment of devices that are not owned by the school. + +To block personally owned Windows devices from enrolling: + +1. Sign in to the Microsoft Endpoint Manager admin center +1. Select **Devices** > **Enroll devices** > **Enrollment device platform restrictions** +1. Select the **Windows restrictions** tab +1. Select **Create restriction** +1. On the **Basics** page, provide a name for the restriction and, optionally, a description > **Next** +1. 
On the **Platform settings** page, in the **Personally owned devices** field, select **Block** > **Next** + :::image type="content" source="./images/enrollment-restrictions.png" alt-text="Device enrollment restriction page in Microsoft Endpoint Manager admin center" lightbox="./images/enrollment-restrictions.png" border="true"::: +1. Optionally, on the **Scope tags** page, add scope tags > **Next** +1. On the **Assignments** page, select **Add groups**, and then use the search box to find and choose groups to which you want to apply the restriction > **Next** +1. On the **Review + create** page, select **Create** to save the restriction + +For more information, see [Create a device platform restriction][MEM-2]. + +### Disable Windows Hello for Business + +Windows Hello for Business is a biometric authentication feature that allows users to sign in to their devices using a PIN, password, or fingerprint. Windows Hello for Business is enabled by default on Windows devices, and to set it up, users must perform for multi-factor authentication (MFA). As a result, this feature may not be ideal for students, who may not have MFA enabled. +It's suggested to disable Windows Hello for Business on Windows devices at the tenant level, and enabling it only for devices that need it, for example for teachers and staff devices. +To disable Windows Hello for Business at the tenant level: + +1. Sign in to the Microsoft Endpoint Manager admin center +1. Select **Devices** > **Windows** > **Windows Enrollment** +1. Select **Windows Hello for Business** +1. Ensure that **Configure Windows Hello for Business** is set to **disabled** +1. Select **Save** + +:::image type="content" source="./images/whfb-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Endpoint Manager admin center." 
border="true" lightbox="./images/whfb-disable.png"::: + +For more information how to enable Windows Hello for Business on specific devices, see [Create a Windows Hello for Business policy][MEM-4]. + +________________________________________________________ + +## Next steps + +With the Intune service configured, you can configure policies and applications in preparation to the deployment of students' and teachers' devices. + +> [!div class="nextstepaction"] +> [Next: Configure devices >](configure-devices-overview.md) + + + +[MEM-1]: /mem/intune/fundamentals/licenses +[MEM-2]: /mem/intune/enrollment/enrollment-restrictions-set +[MEM-4]: /mem/intune/protect/windows-hello#create-a-windows-hello-for-business-policy + +[INT-1]: /intune-education/what-is-intune-for-education + +[MSFT-1]: https://www.microsoft.com/microsoft-365/enterprise-mobility-security +[MSFT-2]: https://www.microsoft.com/licensing/product-licensing/microsoft-365-education +[MSFT-3]: https://edudownloads.azureedge.net/msdownloads/Microsoft-Modern-Work-Plan-Comparison-Education_11-2021.pdf \ No newline at end of file diff --git a/education/windows/tutorial-school-deployment/toc.yml b/education/windows/tutorial-school-deployment/toc.yml new file mode 100644 index 0000000000..294e70dc20 --- /dev/null +++ b/education/windows/tutorial-school-deployment/toc.yml 
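Review bot: The description of Windows Hello for Business in "Disable Windows Hello for Business" is inaccurate: `Windows Hello for Business is a biometric authentication feature that allows users to sign in to their devices using a PIN, password, or fingerprint` presents it as a way to sign in with a password, whereas it replaces password sign-in with a device-bound credential that is unlocked by a PIN or a biometric gesture. Suggest: `Windows Hello for Business replaces passwords with strong two-factor authentication on the device, using a PIN or a biometric gesture (for example, fingerprint or facial recognition) to unlock a credential tied to the device.` The same paragraph has `users must perform for multi-factor authentication (MFA)` (drop "for"), and the guidance should state the trade-off explicitly: disabling it tenant-wide returns students to password sign-in, which is why re-enabling it per device for teachers and staff via `[MEM-4]` matters. Minor: `iPad OS` → `iPadOS`, and the file is missing a trailing newline (`\ No newline at end of file`).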
@@ -0,0 +1,38 @@ +items: + - name: Introduction + href: index.md + - name: 1. Prepare your tenant + items: + - name: Set up Azure Active Directory + href: set-up-azure-ad.md + - name: Set up Microsoft Intune + href: set-up-microsoft-intune.md + - name: 2. Configure settings and applications + items: + - name: Overview + href: configure-devices-overview.md + - name: Configure policies + href: configure-device-settings.md + - name: Configure applications + href: configure-device-apps.md + - name: 3. Deploy devices + items: + - name: Overview + href: enroll-overview.md + - name: Enroll devices via Azure AD join + href: enroll-aadj.md + - name: Enroll devices with provisioning packages + href: enroll-package.md + - name: Enroll devices with Windows Autopilot + href: enroll-autopilot.md + - name: 4. Manage devices + items: + - name: Overview + href: manage-overview.md + - name: Management functionalities for Surface devices + href: manage-surface-devices.md + - name: Reset and wipe devices + href: reset-wipe.md + - name: 5. Troubleshoot and get help + href: troubleshoot-overview.md + diff --git a/education/windows/tutorial-school-deployment/troubleshoot-overview.md b/education/windows/tutorial-school-deployment/troubleshoot-overview.md new file mode 100644 index 0000000000..9b4a442ee2 --- /dev/null +++ b/education/windows/tutorial-school-deployment/troubleshoot-overview.md 
@@ -0,0 +1,68 @@ +--- +title: Troubleshoot Windows devices +description: How to troubleshoot Windows devices from Intune and contact Microsoft Support for issues related to Intune and other Endpoint Manager services +ms.date: 08/31/2022 +ms.prod: windows +ms.technology: windows +ms.topic: conceptual #reference troubleshooting how-to end-user-help overview (more in contrib guide) +ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +#ms.reviewer: +manager: aaroncz +ms.collection: education +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows 11 SE +--- + +# Troubleshoot Windows devices + +Microsoft Endpoint Manager provides many tools that can help you troubleshoot Windows devices. +Here's a collection of resources to help you troubleshoot Windows devices managed by Intune: + +- [Troubleshooting device enrollment in Intune][MEM-2] +- [Troubleshooting Windows Autopilot][MEM-9] +- [Troubleshoot Windows Wi-Fi profiles][MEM-6] +- [Troubleshooting policies and profiles in Microsoft Intune][MEM-5] +- [Troubleshooting BitLocker with the Intune encryption report][MEM-4] +- [Troubleshooting CSP custom settings][MEM-8] +- [Troubleshooting Win32 app installations with Intune][MEM-7] +- [Troubleshooting device actions in Intune][MEM-3] +- [**Collect diagnostics**][MEM-10] is a remote action that lets you collect and download Windows device logs without interrupting the user + :::image type="content" source="./images/intune-diagnostics.png" alt-text="Intune for Education dashboard" lightbox="./images/intune-diagnostics.png" border="true"::: + +## How to contact Microsoft Support + +Microsoft provides global technical, pre-sales, billing, and subscription support for cloud-based device management services. This support includes Microsoft Intune, Configuration Manager, Windows 365, and Microsoft Managed Desktop. 
+ +Follow these steps to obtain support in Microsoft Endpoint Manager: + +- Sign in to the Microsoft Endpoint Manager admin center +- Select **Troubleshooting + support** > **Help and support** + :::image type="content" source="images/advanced-support.png" alt-text="Screenshot that shows how to obtain support from Microsoft Endpoint Manager." lightbox="images/advanced-support.png"::: +- Select the required support scenario: Configuration Manager, Intune, Co-management, or Windows 365 +- Above **How can we help?**, select one of three icons to open different panes: *Find solutions*, *Contact support*, or *Service requests* +- In the **Find solutions** pane, use the text box to specify a few details about your issue. The console may offer suggestions based on what you've entered. Depending on the presence of specific keywords, the console provides help like: + - Run diagnostics: start automated tests and investigations of your tenant from the console to reveal known issues. When you run a diagnostic, you may receive mitigation steps to help with resolution + - View insights: find links to documentation that provides context and background specific to the product area or actions you've described + - Recommended articles: browse suggested troubleshooting topics and other content related to your issue +- If needed, use the *Contact support* pane to file an online support ticket + > [!IMPORTANT] + > When opening a case, be sure to include as many details as possible in the *Description* field. Such information includes: timestamp and date, device ID, device model, serial number, OS version, and any other details relevant to the issue. +- To review your case history, select the **Service requests** pane. 
Active cases are at the top of the list, with closed issues also available for review + +For more information, see [Microsoft Endpoint Manager support page][MEM-1] + + +[MEM-1]: /mem/get-support +[MEM-2]: /troubleshoot/mem/intune/troubleshoot-device-enrollment-in-intune +[MEM-3]: /troubleshoot/mem/intune/troubleshoot-device-actions +[MEM-4]: /troubleshoot/mem/intune/troubleshoot-bitlocker-admin-center +[MEM-5]: /troubleshoot/mem/intune/troubleshoot-policies-in-microsoft-intune +[MEM-6]: /troubleshoot/mem/intune/troubleshoot-wi-fi-profiles#troubleshoot-windows-wi-fi-profiles +[MEM-7]: /troubleshoot/mem/intune/troubleshoot-win32-app-install +[MEM-8]: /troubleshoot/mem/intune/troubleshoot-csp-custom-settings +[MEM-9]: /mem/autopilot/troubleshooting +[MEM-10]: /mem/intune/remote-actions/collect-diagnostics diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index 32691a8669..117059af5e 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -1,5 +1,5 @@ --- -title: What is Windows 11 SE +title: Windows 11 SE Overview description: Learn more about Windows 11 SE, and the apps that are included with the operating system. Read about the features IT professionals and administrators should know about Windows 11 SE. Add and deploy your apps using Microsoft Intune for Education. ms.prod: windows ms.mktglfcycl: deploy 
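Review bot: The front matter carries a leftover template comment, `ms.topic: conceptual #reference troubleshooting how-to end-user-help overview (more in contrib guide)`; YAML treats ` #...` as a comment so the file still parses, but the placeholder text should be removed before merge. The alt text for `./images/intune-diagnostics.png` is `Intune for Education dashboard`, copied from set-up-microsoft-intune.md; it should describe the image it accompanies, for example `Collect diagnostics remote action in the Microsoft Endpoint Manager admin center`. Also, "Follow these steps to obtain support" is a sequential procedure written as a bulleted list, while every other procedure in this PR uses `1.` numbered steps; switch to numbered steps for consistency.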
@@ -8,130 +8,179 @@ ms.pagetype: mobile ms.collection: education author: paolomatarazzo ms.author: paoloma -ms.date: 08/10/2022 +ms.date: 09/12/2022 ms.reviewer: manager: aaroncz appliesto: - ✅ Windows 11 SE --- -# Windows 11 SE for Education +# Windows 11 SE Overview -Windows 11 SE is a new edition of Windows that's designed for education. It runs on web-first devices that use essential education apps. Microsoft Office 365 is preinstalled (subscription sold separately). +Windows 11 SE is an edition of Windows that's designed for education. Windows SE runs on web-first devices that use essential education apps, and it comes with Microsoft Office 365 preinstalled (subscription sold separately). For education customers seeking cost-effective devices, Microsoft Windows 11 SE is a great choice. Windows 11 SE includes the following benefits: -- A simplified and secure experience for students. Student privacy is prioritized. -- Admins remotely manage Windows 11 SE devices using [Microsoft Intune for Education](/intune-education/what-is-intune-for-education). -- It's built for low-cost devices. -- It has a curated app experience, and is designed to only run essential education apps. +- A simplified and secure experience for students, where student privacy is prioritized. With a curated allowlist of applications maintained by Microsoft, Windows SE is designed to only run essential education apps +- IT admin can remotely manage Windows 11 SE devices using [Microsoft Intune for Education][INT-1] +- It's built for low-cost devices + +:::image type="content" source="./images/windows-11-se.png" alt-text="Screenshot of Windows 11 SE showing Start menu and taskbar with default layout" border="false"::: ## Get Windows 11 SE -Windows 11 SE is only available preinstalled on devices from OEMs. The OEM installs Windows 11 SE, and makes the devices available for you to purchase. For example, you'll be able to purchase Microsoft Surface devices with Windows 11 SE already installed. 
+Windows 11 SE is only available preinstalled on devices from OEMs. OEMs install Windows 11 SE, and make the devices available for you to purchase. For example, you can purchase Microsoft Surface SE devices with Windows 11 SE already installed. -## Available apps +## Application types -Windows 11 SE comes with some preinstalled apps. The following apps can also run on Windows 11 SE, and are deployed using the [Intune for Education portal](https://intuneeducation.portal.azure.com). For more information, see [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview). +The following table lists the different application types available in Windows operating systems, detailing which application types are enabled in Windows 11 SE. +| App type | Description | Enabled | Note| +| --- | --- | :---: | ---| +|Progressive Web Apps (PWAs) | PWAs are web-based applications that can run in a browser and that can be installed as standalone apps. |✅|PWAs are enabled by default in Windows 11 SE.| +| Web apps | Web apps are web-based applications that run in a browser. | ✅ | Web apps are enabled by default in Windows 11 SE. 
| +|Win32| Win32 applications are Windows classic applications that may require installation |⛔| If users try to install or execute Win32 applications that haven't been allowed to run, they'll fail.| +|Universal Windows Platform (UWP)/Store apps |UWP apps are commonly obtained from the Microsoft Store and may require installation |⛔|If users try to install or execute UWP applications that haven't been allowed to run, they'll fail.| -| Application | Supported version | App Type | Vendor | -| --- | --- | --- | --- | -|AirSecure |8.0.0 |Win32 |AIR| -|Brave Browser |1.34.80|Win32 |Brave| -|Bulb Digital Portfolio |0.0.7.0|Store|Bulb| -|Cisco Umbrella |3.0.110.0 |Win32 |Cisco| -|CKAuthenticator |3.6 |Win32 |Content Keeper| -|Class Policy |114.0.0 |Win32 |Class Policy| -|Classroom.cloud |1.40.0004 |Win32 |NetSupport| -|CoGat Secure Browser |11.0.0.19 |Win32 |Riverside Insights| -|Dragon Professional Individual |15.00.100 |Win32 |Nuance Communications| -|DRC INSIGHT Online Assessments |12.0.0.0 |Store |Data recognition Corporation| -|Duo from Cisco |2.25.0 |Win32 |Cisco| -|e-Speaking Voice and Speech recognition |4.4.0.8 |Win32 |e-speaking| -|eTests |4.0.25 |Win32 |CASAS| -|FortiClient |7.0.1.0083 |Win32 |Fortinet| -|Free NaturalReader |16.1.2 |Win32 |Natural Soft| -|GoGuardian |1.4.4 |Win32 |GoGuardian| -|Google Chrome |102.0.5005.115|Win32 |Google| -|Illuminate Lockdown Browser |2.0.5 |Win32 |Illuminate Education| -|Immunet |7.5.0.20795 |Win32 |Immunet| -|JAWS for Windows |2022.2112.24 |Win32 |Freedom Scientific| -|Kite Student Portal |8.0.3.0 |Win32 |Dynamic Learning Maps| -|Kortext |2.3.433.0 |Store |Kortext| -|Kurzweil 3000 Assistive Learning |20.13.0000 |Win32 |Kurzweil Educational Systems| -|LanSchool |9.1.0.46 |Win32 |Stoneware| -|Lightspeed Smart Agent |2.6.2 |Win32 |Lightspeed Systems| -|Microsoft Connect |10.0.22000.1 |Store |Microsoft| -|Mozilla Firefox |99.0.1 |Win32 |Mozilla| -|NAPLAN |2.5.0 |Win32 |NAP| -|NetSupport Manager |12.01.0011 |Win32 |NetSupport| 
-|NetSupport Notify |5.10.1.215 |Win32 |NetSupport| -|NetSupport School |14.00.0011 |Win32 |NetSupport| -|NextUp Talker |1.0.49 |Win32 |NextUp Technologies| -|NonVisual Desktop Access |2021.3.1 |Win32 |NV Access| -|NWEA Secure Testing Browser |5.4.300.0 |Win32 |NWEA| -|Pearson TestNav |1.10.2.0 |Store |Pearson| -|Questar Secure Browser |4.8.3.376 |Win32 |Questar, Inc| -|ReadAndWriteForWindows |12.0.60.0 |Win32 |Texthelp Ltd.| -|Remote Desktop client (MSRDC) |1.2.3213.0 |Win32 |Microsoft| -|Remote Help |3.8.0.12 |Win32 |Microsoft| -|Respondus Lockdown Browser |2.0.8.05 |Win32 |Respondus| -|Safe Exam Browser |3.3.2.413 |Win32 |Safe Exam Browser| -|Secure Browser |14.0.0 |Win32 |Cambium Development| -|Senso.Cloud |2021.11.15.0 |Win32|Senso.Cloud| -|SuperNova Magnifier & Screen Reader |21.02 |Win32 |Dolphin Computer Access| -|Zoom |5.9.1 (2581)|Win32 |Zoom| -|ZoomText Fusion |2022.2109.10|Win32 |Freedom Scientific| -|ZoomText Magnifier/Reader |2022.2109.25|Win32 |Freedom Scientific| +> [!IMPORTANT] +> If there are specific Win32 or UWP applications that you want to allow, work with Microsoft to get them enabled. For more information, see [Add your own applications](#add-your-own-applications). -### Enabled apps +## Applications included in Windows 11 SE -| App type | Enabled | -| --- | --- | -| Apps that run in a browser | ✔️ Apps that run in a browser, like Progressive Web Apps (PWA) and Web apps, can run on Windows 11 SE without any changes or limitations. | -| Apps that require installation | ❌ Apps that require an installation, including Microsoft Store apps and Win32 apps can't be installed. If students try to install these apps, the installation fails.

    ✔️ If there are specific installation-type apps you want to enable, then work with Microsoft to get them enabled. For more information, see [Add your own apps](#add-your-own-apps) (in this article). | +The following table lists all the applications included in Windows 11 SE and the pinning to either the Start menu or to the taskbar. -### Add your own apps +| App name | App type | Pinned to Start? | Pinned to taskbar? | +|:-----------------------------|:--------:|:----------------:|:------------------:| +| Alarm & Clock | UWP | | | +| Calculator | UWP | ✅ | | +| Camera | UWP | ✅ | | +| Microsoft Edge | Win32 | ✅ | ✅ | +| Excel | Win32 | ✅ | | +| Feedback Hub | UWP | | | +| File Explorer | Win32 | | ✅ | +| FlipGrid | PWA | | | +| Get Help | UWP | | | +| Groove Music | UWP | ✅ | | +| Maps | UWP | | | +| Minecraft: Education Edition | UWP | | | +| Movies & TV | UWP | | | +| News | UWP | | | +| Notepad | Win32 | | | +| OneDrive | Win32 | | | +| OneNote | Win32 | ✅ | | +| Outlook | PWA | ✅ | | +| Paint | Win32 | ✅ | | +| Photos | UWP | | | +| PowerPoint | Win32 | ✅ | | +| Settings | UWP | ✅ | | +| Snip & Sketch | UWP | | | +| Sticky Notes | UWP | | | +| Teams | Win32 | ✅ | | +| To Do | UWP | | | +| Whiteboard | UWP | ✅ | | +| Word | Win32 | ✅ | | -If the apps you need aren't shown in the [available apps list](#available-apps) (in this article), then you can submit an application request at [aka.ms/eduapprequest](https://aka.ms/eduapprequest). Anyone from a school district can submit the request. In the form, sign in with your school account, such as `user@contoso.edu`. We'll update you using this email account. +## Available applications + +The following applications can also run on Windows 11 SE, and can be deployed using Intune for Education. 
For more information, see [Configure applications with Microsoft Intune][EDUWIN-1] + +| Application | Supported version | App Type | Vendor | +|-----------------------------------------|-------------------|----------|------------------------------| +| AirSecure | 8.0.0 | Win32 | AIR | +| Alertus Desktop | 5.4.44.0 | Win32 | Alertus technologies | +| Brave Browser | 1.34.80 | Win32 | Brave | +| Bulb Digital Portfolio | 0.0.7.0 | Store | Bulb | +| Cisco Umbrella | 3.0.110.0 | Win32 | Cisco | +| CKAuthenticator | 3.6 | Win32 | Content Keeper | +| Class Policy | 114.0.0 | Win32 | Class Policy | +| Classroom.cloud | 1.40.0004 | Win32 | NetSupport | +| CoGat Secure Browser | 11.0.0.19 | Win32 | Riverside Insights | +| Dragon Professional Individual | 15.00.100 | Win32 | Nuance Communications | +| DRC INSIGHT Online Assessments | 12.0.0.0 | Store | Data recognition Corporation | +| Duo from Cisco | 2.25.0 | Win32 | Cisco | +| e-Speaking Voice and Speech recognition | 4.4.0.8 | Win32 | e-speaking | +| eTests | 4.0.25 | Win32 | CASAS | +| FortiClient | 7.0.1.0083 | Win32 | Fortinet | +| Free NaturalReader | 16.1.2 | Win32 | Natural Soft | +| Ghotit Real Writer & Reader | 10.14.2.3 | Win32 | Ghotit Ltd | +| GoGuardian | 1.4.4 | Win32 | GoGuardian | +| Google Chrome | 102.0.5005.115 | Win32 | Google | +| Illuminate Lockdown Browser | 2.0.5 | Win32 | Illuminate Education | +| Immunet | 7.5.0.20795 | Win32 | Immunet | +| Impero Backdrop Client | 4.4.86 | Win32 | Impero Software | +| JAWS for Windows | 2022.2112.24 | Win32 | Freedom Scientific | +| Kite Student Portal | 8.0.3.0 | Win32 | Dynamic Learning Maps | +| Kortext | 2.3.433.0 | Store | Kortext | +| Kurzweil 3000 Assistive Learning | 20.13.0000 | Win32 | Kurzweil Educational Systems | +| LanSchool | 9.1.0.46 | Win32 | Stoneware | +| Lightspeed Smart Agent | 1.9.1 | Win32 | Lightspeed Systems | +| MetaMoJi ClassRoom | 3.12.4.0 | Store | MetaMoJi Corporation | +| Microsoft Connect | 10.0.22000.1 | Store | Microsoft | +| 
Mozilla Firefox | 99.0.1 | Win32 | Mozilla | +| NAPLAN | 2.5.0 | Win32 | NAP | +| Netref Student | 22.2.0 | Win32 | NetRef | +| NetSupport Manager | 12.01.0011 | Win32 | NetSupport | +| NetSupport Notify | 5.10.1.215 | Win32 | NetSupport | +| NetSupport School | 14.00.0011 | Win32 | NetSupport | +| NextUp Talker | 1.0.49 | Win32 | NextUp Technologies | +| NonVisual Desktop Access | 2021.3.1 | Win32 | NV Access | +| NWEA Secure Testing Browser | 5.4.356.0 | Win32 | NWEA | +| Pearson TestNav | 1.10.2.0 | Store | Pearson | +| Questar Secure Browser | 4.8.3.376 | Win32 | Questar, Inc | +| ReadAndWriteForWindows | 12.0.60.0 | Win32 | Texthelp Ltd. | +| Remote Desktop client (MSRDC) | 1.2.3213.0 | Win32 | Microsoft | +| Remote Help | 3.8.0.12 | Win32 | Microsoft | +| Respondus Lockdown Browser | 2.0.9.00 | Win32 | Respondus | +| Safe Exam Browser | 3.3.2.413 | Win32 | Safe Exam Browser | +| Secure Browser | 14.0.0 | Win32 | Cambium Development | +| Senso.Cloud | 2021.11.15.0 | Win32 | Senso.Cloud | +| SuperNova Magnifier & Screen Reader | 21.02 | Win32 | Dolphin Computer Access | +| Zoom | 5.9.1 (2581) | Win32 | Zoom | +| ZoomText Fusion | 2022.2109.10 | Win32 | Freedom Scientific | +| ZoomText Magnifier/Reader | 2022.2109.25 | Win32 | Freedom Scientific | + +## Add your own applications + +If the applications you need aren't in the [available applications list](#available-applications), then you can submit an application request at [aka.ms/eduapprequest](https://aka.ms/eduapprequest). Anyone from a school district can submit the request. In the form, sign in with your school account, such as `user@contoso.edu`. We'll update you using this email account. Microsoft reviews every app request to make sure each app meets the following requirements: -- Apps can be any native Windows app type, such as a Microsoft Store app, Win32 app, `.MSIX`, `.APPX`, and more. 
- -- Apps must be in one of the following app categories:​ - - Content Filtering apps​ - - Test Taking solutions​ +- Apps can be any native Windows app type, such as a Microsoft Store app, Win32 app, `.MSIX`, `.APPX`, and more +- Apps must be in one of the following app categories: + - Content Filtering apps + - Test Taking solutions - Assistive technologies - - Classroom communication apps​ + - Classroom communication apps - Essential diagnostics, management, and supportability apps - -- Apps must meet the performance [requirements of Windows 11](/windows/whats-new/windows-11-requirements). - +- Apps must meet the performance [requirements of Windows 11][WIN-1] - Apps must meet the following security requirements: - - All app binaries are code-signed​. - - All files include the `OriginalFileName` in the resource file header​. - - All kernel drivers are WHQL-signed. - -- Apps don't have an equivalent web application​. - -- Apps can't invoke any processes that can be used to jailbreak a device, automate jailbreaks, or present a security risk. For example, processes such as Reg.exe, CBE.exe, CMD.exe, and KD.exe are blocked on Windows 11 SE. + - All app binaries are code-signed + - All files include the `OriginalFileName` in the resource file header + - All kernel drivers are WHQL-signed +- Apps don't have an equivalent web application +- Apps can't invoke any processes that can be used to jailbreak a device, automate jailbreaks, or present a security risk. For example, processes such as Reg.exe, CBE.exe, CMD.exe, and KD.exe are blocked on Windows 11 SE If the app meets the requirements, Microsoft works with the Independent Software Vendor (ISV) to test the app, and make sure the app works as expected on Windows 11 SE. -When the app is ready, Microsoft will update you. Then, you add the app to the [Intune for Education portal](https://intuneeducation.portal.azure.com), and [assign](/intune-education/assign-apps) it to your Windows 11 SE devices. 
+When the app is ready, Microsoft will update you. Then, you add the app to the Intune for Education portal, and assign it to your Windows 11 SE devices. -For more information on Intune requirements for adding education apps, see [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview). +For more information on Intune requirements for adding education apps, see [Configure applications with Microsoft Intune][EDUWIN-1]. ### 0x87D300D9 error with an app When you deploy an app using Intune for Education, you may get a `0x87D300D9` error code with a `Failed` state in the [Intune for Education portal](https://intuneeducation.portal.azure.com). If you have an app that fails with this error, then: -- Make sure the app is on the [available apps list](#available-apps) (in this article). Or, make sure your app is [approved for Windows 11 SE](#add-your-own-apps) (in this article). -- If the app is approved, then it's possible the app is packaged wrong. For more information, see [Add your own apps](#add-your-own-apps) (in this article) and [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview). -- If the app isn't approved, then it won't run on Windows 11 SE. To get apps approved, see [Add your own apps](#add-your-own-apps) (in this article). Or, use an app that runs in a web browser, such as a web app or PWA. +- Make sure the app is on the [available applications list](#available-applications). Or, make sure your app is [approved for Windows 11 SE](#add-your-own-applications) +- If the app is approved, then it's possible the app is packaged wrong. For more information, see [Add your own apps](#add-your-own-applications) and [Configure applications with Microsoft Intune][EDUWIN-1] +- If the app isn't approved, then it won't run on Windows 11 SE. To get apps approved, see [Add your own apps](#add-your-own-applications). 
Or, use an app that runs in a web browser, such as a web app or PWA ## Related articles -- [Use Intune for Education to manage devices running Windows 11 SE](/intune-education/windows-11-se-overview) +- [Tutorial: deploy and manage Windows devices in a school][EDUWIN-2] + +[INT-1]: /intune-education/what-is-intune-for-education + +[EDUWIN-1]: /education/windows/tutorial-school-deployment/configure-device-apps +[EDUWIN-2]: /education/windows/tutorial-school-deployment/ + +[WIN-1]: /windows/whats-new/windows-11-requirements diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md index e654aff272..0dda7bbc35 100644 --- a/education/windows/windows-11-se-settings-list.md +++ b/education/windows/windows-11-se-settings-list.md @@ -8,7 +8,7 @@ ms.pagetype: mobile ms.collection: education author: paolomatarazzo ms.author: paoloma -ms.date: 08/10/2022 +ms.date: 09/12/2022 ms.reviewer: manager: aaroncz appliesto: @@ -25,26 +25,26 @@ This article lists the settings automatically configured. For more information o The following table lists and describes the settings that can be changed by administrators. -| Setting | Description | -| --- | --- | -| Block manual unenrollment | Default: Blocked

    Users can't unenroll their devices from device management services.

    [Experience/AllowManualMDMUnenrollment CSP](/windows/client-management/mdm/policy-csp-experience#experience-allowmanualmdmunenrollment) | -| Allow option to Show Network | Default: Allowed

    Gives users the option to see the **Show Network** folder in File Explorer. | -| Allow option to Show This PC | Default: Allowed

    Gives user the option to see the **Show This PC** folder in File Explorer. | -| Set Allowed Folder location | Default folders: Documents, Desktop, Pictures, and Downloads

    Gives user access to these folders. | -| Set Allowed Storage Locations | Default: Blocks local drives and network drives

    Blocks user access to these storage locations. | -| Allow News and Interests | Default: Hide

    Hides widgets. | -| Disable advertising ID | Default: Disabled

    Blocks apps from using usage data to tailor advertisements.

    [Privacy/DisableAdvertisingId CSP](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | -| Visible settings pages | Default:

    | -| Enable App Install Control | Default: Turned On

    Users can't download apps from the internet.

    [SmartScreen/EnableAppInstallControl CSP](/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol)| -| Configure Storage Sense Cloud Content Dehydration Threshold | Default: 30 days

    If a file hasn't been opened in 30 days, it becomes an online-only file. Online-only files can be opened when there's an internet connection. When an online-only file is opened on a device, it downloads and becomes locally available on that device. The file is available until it's unopened for the specified number of days, and becomes online-only again.

    [Storage/ConfigStorageSenseCloudContentDehydrationThreshold CSP](/windows/client-management/mdm/policy-csp-storage#storage-configstoragesensecloudcontentdehydrationthreshold) | -| Allow Telemetry | Default: Required Telemetry Only

    Sends only basic device info, including quality-related data, app compatibility, and similar data to keep the device secure and up-to-date.

    [System/AllowTelemetry CSP](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | -| Allow Experimentation | Default: Disabled

    Microsoft can't experiment with the product to study user preferences or device behavior.

    [System/AllowExperimentation CSP](/windows/client-management/mdm/policy-csp-system#system-allowexperimentation) | -| Block external extensions | Default: Blocked

    In Microsoft Edge, users can't install external extensions.

    [BlockExternalExtensions](/DeployEdge/microsoft-edge-policies#blockexternalextensions) | -| Configure new tab page | Default: `Office.com`

    In Microsoft Edge, the new tab page defaults to `Office.com`.

    [Configure the new tab page URL](/DeployEdge/microsoft-edge-policies#configure-the-new-tab-page-url) | -| Configure homepage | Default: `Office.com`

    In Microsoft Edge, the homepage defaults to `Office.com`.

    [HomepageIsNewTabPage](/DeployEdge/microsoft-edge-policies#homepageisnewtabpage) | -| Prevent SmartScreen prompt override | Default: Enabled

    In Microsoft Edge, users can't override Windows Defender SmartScreen warnings.

    [PreventSmartScreenPromptOverride](/DeployEdge/microsoft-edge-policies#preventsmartscreenpromptoverride) | -| Wallpaper Image Customization | Default:

    Specify a jpg, jpeg, or png image to be used as the desktop image. This setting can take an http or https URL to a remote image to be downloaded, a file URL to a local image.

    [DesktopImageUrl](/windows/client-management/mdm/personalization-csp) | -| Lock Screen Image Customization | Default:

    Specify a jpg, jpeg, or png image to be used as lock screen image. This setting can take an http or https URL to a remote image to be downloaded, a file URL to a local image.

    [LockScreenImageUrl](/windows/client-management/mdm/personalization-csp) | +| Setting | Description | Default Value | +| --- | --- | --- | +| Block manual unenrollment | When blocked, users can't unenroll their devices from device management services.

    [Experience/AllowManualMDMUnenrollment CSP](/windows/client-management/mdm/policy-csp-experience#experience-allowmanualmdmunenrollment) | Blocked | +| Allow option to Show Network | When allowed, it gives users the option to see the **Show Network** folder in File Explorer. | Allowed | +| Allow option to Show This PC | When allowed, it gives users the option to see the **Show This PC** folder in File Explorer. | Allowed | +| Set Allowed Folder location | Gives user access to these folders. | Default folders: Documents, Desktop, Pictures, and Downloads | +| Set Allowed Storage Locations | Blocks user access to these storage locations. | Blocks local drives and network drives | +| Allow News and Interests | Hides widgets. | Hide | +| Disable advertising ID | Blocks apps from using usage data to tailor advertisements.

    [Privacy/DisableAdvertisingId CSP](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Disabled | +| Visible settings pages | Default:

    || +| Enable App Install Control | When enabled, users can't download apps from the internet.

    [SmartScreen/EnableAppInstallControl CSP](/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol)| Enabled | +| Configure Storage Sense Cloud Content Dehydration Threshold | If a file hasn't been opened in 30 days, it becomes an online-only file. Online-only files can be opened when there's an internet connection. When an online-only file is opened on a device, it downloads and becomes locally available on that device. The file is available until it's unopened for the specified number of days, and becomes online-only again.

    [Storage/ConfigStorageSenseCloudContentDehydrationThreshold CSP](/windows/client-management/mdm/policy-csp-storage#storage-configstoragesensecloudcontentdehydrationthreshold) | 30 days | +| Allow Telemetry | With *Required Telemetry Only*, it sends only basic device info, including quality-related data, app compatibility, and similar data to keep the device secure and up-to-date.

    [System/AllowTelemetry CSP](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | Required Telemetry Only | +| Allow Experimentation | When disabled, Microsoft can't experiment with the product to study user preferences or device behavior.

    [System/AllowExperimentation CSP](/windows/client-management/mdm/policy-csp-system#system-allowexperimentation) | Disabled | +| Block external extensions | When blocked, in Microsoft Edge users can't install external extensions.

    [BlockExternalExtensions](/DeployEdge/microsoft-edge-policies#blockexternalextensions) | Blocked | +| Configure new tab page | Set the new tab page defaults to a specific url.

    [Configure the new tab page URL](/DeployEdge/microsoft-edge-policies#configure-the-new-tab-page-url) | `Office.com` | +| Configure homepage | Set the Microsoft Edge's homepage default.

    [HomepageIsNewTabPage](/DeployEdge/microsoft-edge-policies#homepageisnewtabpage) | `Office.com` | +| Prevent SmartScreen prompt override | When enabled, in Microsoft Edge, users can't override Windows Defender SmartScreen warnings.

    [PreventSmartScreenPromptOverride](/DeployEdge/microsoft-edge-policies#preventsmartscreenpromptoverride) | Enabled | +| Wallpaper Image Customization | Specify a jpg, jpeg, or png image to be used as the desktop image. This setting can take an http or https URL to a remote image to be downloaded, a file URL to a local image.

    [DesktopImageUrl](/windows/client-management/mdm/personalization-csp) | Not configured | +| Lock Screen Image Customization | Specify a jpg, jpeg, or png image to be used as lock screen image. This setting can take an http or https URL to a remote image to be downloaded, a file URL to a local image.

    [LockScreenImageUrl](/windows/client-management/mdm/personalization-csp) | Not configured | ## Settings that can't be changed diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md index b53f4a28bc..172f1e3c6c 100644 --- a/education/windows/windows-editions-for-education-customers.md +++ b/education/windows/windows-editions-for-education-customers.md @@ -63,7 +63,7 @@ For any other questions, contact [Microsoft Customer Service and Support](https: ## Related topics - [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) -- [Windows deployment for education](./index.md) +- [Windows deployment for education](./index.yml) - [Windows 10 upgrade paths](/windows/deployment/upgrade/windows-10-upgrade-paths) - [Volume Activation for Windows 10](/windows/deployment/volume-activation/volume-activation-windows-10) - [Plan for volume activation](/windows/deployment/volume-activation/plan-for-volume-activation-client) diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md index 882b7e57ba..9922255c06 100644 --- a/store-for-business/acquire-apps-microsoft-store-for-business.md +++ b/store-for-business/acquire-apps-microsoft-store-for-business.md 
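Review bot: in `windows-11-se-overview.md`, the product name is inconsistent in the rewritten intro: `Windows SE runs on web-first devices` and `Windows SE is designed to only run essential education apps` use a short form that appears nowhere else, while every other sentence says `Windows 11 SE`; use the full name in both places. In the `0x87D300D9 error with an app` section, two links still read `[Add your own apps](#add-your-own-applications)` although the heading they target was renamed to `Add your own applications`; make the link text match the heading, as the first bullet already does. The lead-in `...and the pinning to either the Start menu or to the taskbar` reads awkwardly; suggest `...and whether each one is pinned to the Start menu or to the taskbar`.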
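Review bot: in `windows-11-se-settings-list.md`, the `Visible settings pages` row was not migrated to the new three-column layout: its Description cell still carries the old `Default:` label and the new Default Value cell is empty (`| Visible settings pages | Default:` ... `||`), so either put the real value there or use `Not configured` as the wallpaper and lock screen rows now do, and describe the setting in the Description cell. A few descriptions still depend on text that moved to the third column: `Gives user access to these folders.` and `Blocks user access to these storage locations.` have no antecedent for "these" in their own cell, and the Storage Sense row hardcodes `30 days` in the description while the Default Value column repeats it; prefer "the listed folders", "the listed storage locations" and "the configured number of days". `Set the new tab page defaults to a specific url.` and `Set the Microsoft Edge's homepage default.` are ungrammatical; suggest `Sets the new tab page to a specific URL.` and `Sets the Microsoft Edge homepage.`. Finally, the `Configure homepage` row links to `HomepageIsNewTabPage`, whose name describes whether the homepage is the new tab page rather than which URL it opens; check that the link points at the policy that actually sets the homepage URL.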
@@ -17,7 +17,7 @@ ms.date: 07/21/2021 # Acquire apps in Microsoft Store for Business and Education > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). > [!IMPORTANT] > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md). 
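Review bot: the replacement retirement notice, with its two long techcommunity URLs, is pasted verbatim into `acquire-apps-microsoft-store-for-business.md` here and again, character for character, into `add-profile-to-devices.md` and `add-unsigned-app-to-code-integrity-policy.md` further down; move the notice into a shared include so that the next link change (this hunk is exactly such a change, replacing `aka.ms/windows/msfb_evolution`) is one edit rather than one per file.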
@@ -38,7 +38,7 @@ Some apps are free, and some have a price. Apps can be purchased in the Microsof - Japan Commercial Bureau (JCB) ## Organization info -There are a couple of things we need to know when you pay for apps. You can add this info to the **Account information** or **Payments & billing** page before you buy apps. If you haven’t provided it, we’ll ask when you make a purchase. Either way works. Here’s the info you’ll need to provide: +There are a couple of things we need to know when you pay for apps. You can add this info to the **Account information** or **Payments & billing** page before you buy apps. If you haven't provided it, we'll ask when you make a purchase. Either way works. Here's the info you'll need to provide: - Legal business address - Payment option (credit card) 
@@ -73,10 +73,10 @@ People in your org can request license for apps that they need, or that others n 3. Select the app you want to purchase. 4. On the product description page, choose your license type - either online or offline. 5. Free apps will be added to **Products & services**. For apps with a price, you can set the quantity you want to buy. Type the quantity and select **Next**. -6. If you don’t have a payment method saved in **Billing & payments**, we will prompt you for one. +6. If you don't have a payment method saved in **Billing & payments**, we will prompt you for one. 7. Add your credit card or debit card info, and select **Next**. Your card info is saved as a payment option on **Billing & payments - Payment methods**. -You’ll also need to have your business address saved on **My organization - Profile**. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](./update-microsoft-store-for-business-account-settings.md#organization-tax-information). +You'll also need to have your business address saved on **My organization - Profile**. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](./update-microsoft-store-for-business-account-settings.md#organization-tax-information). Microsoft Store adds the app to your inventory. From **Products & services**, you can: - Distribute the app: add to private store, or assign licenses diff --git a/store-for-business/add-profile-to-devices.md b/store-for-business/add-profile-to-devices.md index 2ee659bb6b..01fcc41871 100644 --- a/store-for-business/add-profile-to-devices.md +++ b/store-for-business/add-profile-to-devices.md 
@@ -20,7 +20,7 @@ ms.localizationpriority: medium - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Windows Autopilot simplifies device set up for IT Admins. For an overview of benefits, scenarios, and prerequisites, see [Overview of Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot). 
@@ -136,11 +136,11 @@ Here's info on some of the errors you might see while working with Autopilot dep | ---------- | ------------------- | | wadp001 | Check your file, or ask your device partner for a complete .csv file. This file is missing Serial Number and Product Id info. | | wadp002 | Check your file, or ask your device partner for updated hardware hash info in the .csv file. Hardware hash info is invalid in the current .csv file. | -| wadp003 | Looks like you need more than one .csv file for your devices. The maximum allowed is 1,000 items. You’re over the limit! Divide this device data into multiple .csv files. | +| wadp003 | Looks like you need more than one .csv file for your devices. The maximum allowed is 1,000 items. You're over the limit! Divide this device data into multiple .csv files. | | wadp004 | Try that again. Something happened on our end. Waiting a bit might help. | | wadp005 | Check your .csv file with your device provider. One of the devices on your list has been claimed by another organization. | | wadp006 | Try that again. Something happened on our end. Waiting a bit might help. | | wadp007 | Check the info for this device in your .csv file. The device is already registered in your organization. | | wadp008 | The device does not meet Autopilot Deployment requirements. | -| wadp009 | Check with your device provider for an update .csv file. The current file doesn’t work | +| wadp009 | Check with your device provider for an update .csv file. The current file doesn't work | | wadp010 | Try that again. Something happened on our end. Waiting a bit might help. | \ No newline at end of file diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md index d96d350d9d..58ca7bff3e 100644 --- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md +++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md 
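Review bot: the `wadp009` row in the add-profile-to-devices.md error table is rewritten in this hunk but still reads "Check with your device provider for an update .csv file. The current file doesn't work", with "update" where "updated" is meant and no terminal period; since the line is already in the diff, fix both. The hunk also carries `\ No newline at end of file` on both sides, so add the trailing newline in this change.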
@@ -18,72 +18,70 @@ ms.date: 07/21/2021 # Add unsigned app to code integrity policy > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). > [!IMPORTANT] > We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021. > -> Following are the major changes we are making to the service: +> Following are the major changes we are making to the service: +> > - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. 
These cmdlets are available as a NuGet download at [https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/). -> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). -> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. +> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). +> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. > > The following functionality will be available via these PowerShell cmdlets: +> > - Get a CI policy > - Sign a CI policy -> - Sign a catalog +> - Sign a catalog > - Download root cert -> - Download history of your signing operations +> - Download history of your signing operations > -> For any questions, please contact us at DGSSMigration@microsoft.com. - +> For any questions, please contact us at DGSSMigration@microsoft.com. **Applies to** -- Windows 10 +- Windows 10 When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device. 
Then, create the catalog files for your unsigned app, sign the catalog files, and then merge the default policy that includes your signing certificate with existing code integrity policies. -## In this section -- [Create a code integrity policy based on a reference device](#create-ci-policy) -- [Create catalog files for your unsigned app](#create-catalog-files) -- [Catalog signing with Device Guard signing portal](#catalog-signing-device-guard-portal) +## Create a code integrity policy based on a reference device -## Create a code integrity policy based on a reference device To add an unsigned app to a code integrity policy, your code integrity policy must be created from golden image machine. For more information, see [Create a Device Guard code integrity policy based on a reference device](/windows/device-security/device-guard/device-guard-deployment-guide). -## Create catalog files for your unsigned app +## Create catalog files for your unsigned app + Creating catalog files starts the process for adding an unsigned app to a code integrity policy. Before you get started, be sure to review these best practices and requirements: -**Requirements** +### Requirements - You'll use Package Inspector during this process. - Only perform this process with a code integrity policy running in audit mode. You should not perform this process on a system running an enforced Device Guard policy. -**Best practices** +### Best practices - **Naming convention** -- Using a naming convention makes it easier to find deployed catalog files. We'll use \*-Contoso.cat as the naming convention in this topic. For more information, see the section Inventorying catalog files by using Microsoft Endpoint Manager in the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). 
-- **Where to deploy code integrity policy** -- The [code integrity policy that you created](#create-ci-policy) should be deployed to the system on which you are running Package Inspector. This will ensure that the code integrity policy binaries are trusted. +- **Where to deploy code integrity policy** -- The [code integrity policy that you created](#create-a-code-integrity-policy-based-on-a-reference-device) should be deployed to the system on which you are running Package Inspector. This will ensure that the code integrity policy binaries are trusted. Copy the commands for each step into an elevated Windows PowerShell session. You'll use Package Inspector to find and trust all binaries in the app. -**To create catalog files for your unsigned app** +### To create catalog files for your unsigned app -1. Start Package Inspector to scan the C drive. +1. Start Package Inspector to scan the C drive. `PackageInspector.exe Start C:` -2. Copy the installation media to the C drive. +2. Copy the installation media to the C drive. Copying the installation media to the C drive ensures that Package Inspector finds and catalogs the installer. If you skip this step, the code integrity policy may trust the application to run, but not trust it to be installed. -3. Install and start the app. +3. Install and start the app. All binaries that are used while Package Inspector is running will be part of the catalog files. After the installation, start the app and make sure that any product updates are installed and any downloadable content was found during the scan. Then, close and restart the app to make sure that the scan found all binaries. -4. Stop the scan and create definition and catalog files. +4. Stop the scan and create definition and catalog files. After app install is complete, stop the Package Inspector scan and create catalog and definition files on your desktop. 
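Review bot: this hunk changes the in-page links from `#create-ci-policy`, `#create-catalog-files` and `#catalog-signing-device-guard-portal` to the generated heading slugs, which is the right fix, but nothing in the diff updates other articles that may still target `add-unsigned-app-to-code-integrity-policy.md#create-ci-policy` (or the other two fragments), and such links will now land at the top of the page; grep the repo for the old fragments and fix them in the same PR. The hunk also reflows the DGSS v1 retirement notice without touching its content: it still says "you will have until June 9, 2021 to transition to DGSS v2" while the file's `ms.date` is 07/21/2021, so the notice should be reworded in the past tense (v1 was retired on June 9, 2021) rather than left as a pending deadline.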
@@ -99,17 +97,17 @@ The Package Inspector scan catalogs the hash values for each binary file that is After you're done, the files are saved to your desktop. You still need to sign the catalog file so that it will be trusted within the code integrity policy. -## Catalog signing with Device Guard signing portal +## Catalog signing with Device Guard signing portal To sign catalog files with the Device Guard signing portal, you need to be signed up with the Microsoft Store for Business. Catalog signing is a vital step to adding your unsigned apps to your code integrity policy. -**To sign a catalog file with Device Guard signing portal** +### To sign a catalog file with Device Guard signing portal 1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com). 2. Click **Settings**, click **Store settings**, and then click **Device Guard**. -3. Click **Upload** to upload your unsigned catalog files. These are the catalog files you created earlier in [Create catalog files for your unsigned app](#create-catalog-files). +3. Click **Upload** to upload your unsigned catalog files. These are the catalog files you created earlier in [Create catalog files for your unsigned app](#create-catalog-files-for-your-unsigned-app). 4. After the files are uploaded, click **Sign** to sign the catalog files. 5. Click Download to download each item: - signed catalog file diff --git a/store-for-business/app-inventory-management-microsoft-store-for-business.md b/store-for-business/app-inventory-management-microsoft-store-for-business.md index 3eb99b3802..c3dd51ee67 100644 --- a/store-for-business/app-inventory-management-microsoft-store-for-business.md +++ b/store-for-business/app-inventory-management-microsoft-store-for-business.md 
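Review bot: the signing procedure in this hunk ("Click **Upload** ... click **Sign** ... Click Download") still describes the Store for Business web portal that the notice at the top of this same file says was retired on June 9, 2021 in favour of the DGSS v2 PowerShell cmdlets (the `Microsoft.Acs.Dgss.Client` NuGet package); the anchor fix is fine, but the steps should either be rewritten around the cmdlets the notice names or carry a line stating that the portal steps no longer apply, otherwise a reader following this page will look for a button that is gone.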
@@ -21,7 +21,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). You can manage all apps that you've acquired on your **Apps & software** page. This page shows all of the content you've acquired, including apps that from Microsoft Store, and line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Apps & software** page. On the **New LOB apps** tab, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md). The inventory page includes apps acquired by all people in your organization with the Store for Business Admin role. diff --git a/store-for-business/apps-in-microsoft-store-for-business.md b/store-for-business/apps-in-microsoft-store-for-business.md index 4e4499a673..c721a02787 100644 --- a/store-for-business/apps-in-microsoft-store-for-business.md 
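Review bot: in the app-inventory-management-microsoft-store-for-business.md hunk, the unchanged context line right after the replaced banner reads "including apps that from Microsoft Store", which is missing a word ("apps from Microsoft Store"); the file is already in the diff, so fold the fix in.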
+++ b/store-for-business/apps-in-microsoft-store-for-business.md @@ -23,7 +23,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Microsoft Store for Business and Education has thousands of apps from many different categories. 
@@ -55,14 +55,14 @@ Line-of-business (LOB) apps are also supported using Microsoft Store. Admins can Some apps offer you the option to make in-app purchases. In-app purchases are not currently supported for apps that are acquired through Microsoft Store and distributed to employees. -If an employee makes an in-app purchase, they'll make it with their personal Microsoft account and pay for it with a personal payment method. The employee will own the item purchased, and it cannot be transferred to your organization’s inventory. +If an employee makes an in-app purchase, they'll make it with their personal Microsoft account and pay for it with a personal payment method. The employee will own the item purchased, and it cannot be transferred to your organization's inventory. ## Licensing model: online and offline licenses Microsoft Store supports two options to license apps: online and offline. ### Online licensing -Online licensing is the default licensing model and is similar to the model used by Microsoft Store. Online licensed apps require customers and devices to connect to Microsoft Store service to acquire an app and its license. License management is enforced based on the user’s Azure AD identity and maintained by Microsoft Store as well as the management tool. By default app updates are handled by Windows Update. +Online licensing is the default licensing model and is similar to the model used by Microsoft Store. Online licensed apps require customers and devices to connect to Microsoft Store service to acquire an app and its license. License management is enforced based on the user's Azure AD identity and maintained by Microsoft Store as well as the management tool. By default app updates are handled by Windows Update. Distribution options for online-licensed apps include the ability to: diff --git a/store-for-business/assign-apps-to-employees.md b/store-for-business/assign-apps-to-employees.md index a718684e7e..b17921f3b5 100644 
--- a/store-for-business/assign-apps-to-employees.md +++ b/store-for-business/assign-apps-to-employees.md @@ -23,7 +23,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Admins, Purchasers, and Basic Purchasers can assign online-licensed apps to employees or students in their organization. diff --git a/store-for-business/billing-payments-overview.md b/store-for-business/billing-payments-overview.md index add114e633..64489e2d0d 100644 --- a/store-for-business/billing-payments-overview.md +++ b/store-for-business/billing-payments-overview.md 
@@ -18,7 +18,7 @@ manager: dansimp # Billing and payments > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Access invoices and managed your payment methods. diff --git a/store-for-business/billing-profile.md b/store-for-business/billing-profile.md index 284e5f8a87..866fc5fa17 100644 --- a/store-for-business/billing-profile.md +++ b/store-for-business/billing-profile.md 
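Review bot: in the billing-payments-overview.md hunk, the unchanged context line after the banner, "Access invoices and managed your payment methods.", has the wrong verb form ("manage"); worth fixing while this file is in the diff.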
@@ -18,7 +18,7 @@ manager: dansimp # Understand billing profiles > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). For commercial customers purchasing software or hardware products from Microsoft using a Microsoft customer agreement, billing profiles let you customize what products are included on your invoice, and how you pay your invoices. diff --git a/store-for-business/billing-understand-your-invoice-msfb.md b/store-for-business/billing-understand-your-invoice-msfb.md index 725ba3bd9f..70f8c3d15d 100644 --- a/store-for-business/billing-understand-your-invoice-msfb.md +++ b/store-for-business/billing-understand-your-invoice-msfb.md 
@@ -17,15 +17,15 @@ manager: dansimp # Understand your Microsoft Customer Agreement invoice > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). -The invoice provides a summary of your charges and provides instructions for payment. It’s available for +The invoice provides a summary of your charges and provides instructions for payment. It's available for download in the Portable Document Format (.pdf) for commercial customers from Microsoft Store for Business [Microsoft Store for Business - Invoice](https://businessstore.microsoft.com/manage/payments-billing/invoices) or can be sent via email. This article applies to invoices generated for a Microsoft Customer Agreement billing account. Check if you have a [Microsoft Customer Agreement](https://businessstore.microsoft.com/manage/organization/agreements). ## General invoice information Invoices are your bill from Microsoft. A few things to note: -- **Invoice schedule** - You’re invoiced on a monthly basis. 
You can find out which day of the month you receive invoices by checking invoice date under billing profile overview in [Microsoft Store for Business](https://businessstore.microsoft.com/manage/payments-billing/billing-profiles). Charges that occur between the end of the billing period and the invoice date are included in the next month's invoice, since they are in the next billing period. The billing period start and end dates for each invoice are listed in the invoice PDF above **Billing Summary**. +- **Invoice schedule** - You're invoiced on a monthly basis. You can find out which day of the month you receive invoices by checking invoice date under billing profile overview in [Microsoft Store for Business](https://businessstore.microsoft.com/manage/payments-billing/billing-profiles). Charges that occur between the end of the billing period and the invoice date are included in the next month's invoice, since they are in the next billing period. The billing period start and end dates for each invoice are listed in the invoice PDF above **Billing Summary**. - **Billing profile** - Billing profiles are created during your purchase. Invoices are created for each billing profile. Billing profiles let you customize what products are purchased, how you pay for them, and who can make purchases. For more information, see [Understand billing profiles](billing-profile.md) - **Items included** - Your invoice includes total charges for all first and third-party software and hardware products purchased under a Microsoft Customer Agreement. That includes items purchased from Microsoft Store for Business and Azure Marketplace. - **Charges** - Your invoice provides information about products purchased and their related charges and taxes. Purchases are aggregated to provide a concise view of your bill. 
diff --git a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md index 0249a8b606..151722f51a 100644 --- a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md +++ b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md @@ -22,7 +22,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. Store for Business management tool services work with your third-party management tool to manage content. diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md index dbccbf3bae..4c49b31308 100644 --- a/store-for-business/device-guard-signing-portal.md +++ b/store-for-business/device-guard-signing-portal.md 
@@ -22,7 +22,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). > [!IMPORTANT] > We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021. 
@@ -30,7 +30,7 @@ ms.date: 07/21/2021 > Following are the major changes we are making to the service: > - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/. > - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). -> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. +> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. > > The following functionality will be available via these PowerShell cmdlets: > - Get a CI policy diff --git a/store-for-business/distribute-apps-from-your-private-store.md b/store-for-business/distribute-apps-from-your-private-store.md index c0ccce55a6..343c57ed38 100644 --- a/store-for-business/distribute-apps-from-your-private-store.md +++ b/store-for-business/distribute-apps-from-your-private-store.md 
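Review bot: this hunk only strips trailing whitespace from the DGSS line in device-guard-signing-portal.md, leaving its copy of the notice out of step with the same notice in add-unsigned-app-to-code-integrity-policy.md earlier in this patch, where the NuGet URL was turned into a Markdown link and a blank `>` line was inserted before each bullet list so the lists render; apply the same fixes here (or share one include). It also still reads "you will have until June 9, 2021" against an `ms.date` of 07/21/2021, so the deadline language should be made past tense.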
@@ -22,7 +22,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). The private store is a feature in Microsoft Store for Business and Education that organizations receive during the signup process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in Microsoft Store app, and is usually named for your company or organization. Only apps with online licenses can be added to the private store. diff --git a/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md b/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md index 723648db24..de94448f75 100644 --- a/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md +++ b/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md 
@@ -23,7 +23,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Distribute apps to your employees from Microsoft Store for Business and Microsoft Store for Education. You can assign apps to employees, or let employees install them from your private store. diff --git a/store-for-business/distribute-apps-with-management-tool.md b/store-for-business/distribute-apps-with-management-tool.md index 38c26e9d99..0e41f26d57 100644 --- a/store-for-business/distribute-apps-with-management-tool.md +++ b/store-for-business/distribute-apps-with-management-tool.md 
@@ -23,7 +23,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). You can configure a mobile device management (MDM) tool to synchronize your Microsoft Store for Business or Microsoft Store for Education inventory. Microsoft Store management tool services work with MDM tools to manage content. 
@@ -46,7 +46,7 @@ MDM tool requirements: ## Distribute offline-licensed apps -If your vendor doesn’t support the ability to synchronize applications from the management tool services, or can't connect to the management tool services, your vendor may support the ability to deploy offline licensed applications by downloading the application and license from the store and then deploying the app through your MDM. For more information on online and offline licensing with Store for Business, see [Apps in the Microsoft Store for Business](./apps-in-microsoft-store-for-business.md#licensing-model). +If your vendor doesn't support the ability to synchronize applications from the management tool services, or can't connect to the management tool services, your vendor may support the ability to deploy offline licensed applications by downloading the application and license from the store and then deploying the app through your MDM. For more information on online and offline licensing with Store for Business, see [Apps in the Microsoft Store for Business](./apps-in-microsoft-store-for-business.md#licensing-model). This diagram shows how you can use a management tool to distribute offline-licensed app to employees in your organization. Once synchronized from Store for Business, management tools can use the Windows Management framework to distribute applications to devices. diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md index 5ee0219d23..e431ad264f 100644 --- a/store-for-business/distribute-offline-apps.md +++ b/store-for-business/distribute-offline-apps.md 
@@ -23,8 +23,8 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). - +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> Offline licensing is a new licensing option for Windows 10 with Microsoft Store for Business and Microsoft Store for Education. With offline licenses, organizations can download apps and their licenses to deploy within their network, or on devices that are not connected to the Internet. ISVs or devs can opt-in their apps for offline licensing when they submit them to the Windows Dev Center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Microsoft Store for Business and Microsoft Store for Education. This model allows organizations to deploy apps when users or devices do not have connectivity to the Store. ## Why offline-licensed apps? diff --git a/store-for-business/find-and-acquire-apps-overview.md b/store-for-business/find-and-acquire-apps-overview.md index 9a624bd3c0..1ae93064e6 100644 --- a/store-for-business/find-and-acquire-apps-overview.md 
+++ b/store-for-business/find-and-acquire-apps-overview.md @@ -23,7 +23,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Use the Microsoft Store for Business and Education to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization. diff --git a/store-for-business/index.md b/store-for-business/index.md index 83186f8f8b..03852f5eee 100644 --- a/store-for-business/index.md +++ b/store-for-business/index.md 
@@ -21,12 +21,12 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Welcome to the Microsoft Store for Business and Education! You can use Microsoft Store to find, acquire, distribute, and manage apps for your organization or school. > [!IMPORTANT] -> Starting April 14, 2021, all apps that charge a base price above free will no longer be available to buy in the Microsoft Store for Business and Education. If you’ve already bought a paid app, you can still use it, but no new purchases will be possible from businessstore.microsoft.com or educationstore.microsoft.com. Also, you won’t be able to buy additional licenses for apps you already bought. You can still assign and reassign licenses for apps that you already own and use the private store. Apps with a base price of “free” will still be available. This change doesn’t impact apps in the Microsoft Store on Windows 10. 
+> Starting April 14, 2021, all apps that charge a base price above free will no longer be available to buy in the Microsoft Store for Business and Education. If you've already bought a paid app, you can still use it, but no new purchases will be possible from businessstore.microsoft.com or educationstore.microsoft.com. Also, you won't be able to buy additional licenses for apps you already bought. You can still assign and reassign licenses for apps that you already own and use the private store. Apps with a base price of "free" will still be available. This change doesn't impact apps in the Microsoft Store on Windows 10. > > Also starting April 14, 2021, you must sign in with your Azure Active Directory (Azure AD) account before you browse Microsoft Store for Business and Education. diff --git a/store-for-business/manage-access-to-private-store.md b/store-for-business/manage-access-to-private-store.md index 35b33daedd..9983264ab6 100644 --- a/store-for-business/manage-access-to-private-store.md +++ b/store-for-business/manage-access-to-private-store.md 
@@ -22,7 +22,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). You can manage access to your private store in Microsoft Store for Business and Microsoft Store for Education. diff --git a/store-for-business/manage-apps-microsoft-store-for-business-overview.md b/store-for-business/manage-apps-microsoft-store-for-business-overview.md index bc995342eb..04e2434086 100644 --- a/store-for-business/manage-apps-microsoft-store-for-business-overview.md +++ b/store-for-business/manage-apps-microsoft-store-for-business-overview.md 
@@ -22,7 +22,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Manage products and services in Microsoft Store for Business and Microsoft Store for Education. This includes apps, software, products, devices, and services available under **Products & services**. diff --git a/store-for-business/manage-orders-microsoft-store-for-business.md b/store-for-business/manage-orders-microsoft-store-for-business.md index 14825fb5b5..4988dab4d4 100644 --- a/store-for-business/manage-orders-microsoft-store-for-business.md +++ b/store-for-business/manage-orders-microsoft-store-for-business.md 
@@ -17,7 +17,7 @@ manager: dansimp # Manage app orders in Microsoft Store for Business and Education > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). After you've acquired apps, you can review order information and invoices on **Order history**. On this page, you can view invoices, and request refunds. diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md index c6c6e4564c..87d79fbe9d 100644 --- a/store-for-business/manage-private-store-settings.md +++ b/store-for-business/manage-private-store-settings.md 
@@ -22,7 +22,7 @@ ms.localizationpriority: medium - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). The private store is a feature in Microsoft Store for Business and Education that organizations receive during the sign up process. When admins add apps to the private store, all people in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store. diff --git a/store-for-business/manage-settings-microsoft-store-for-business.md b/store-for-business/manage-settings-microsoft-store-for-business.md index f271481d73..12534f788b 100644 --- a/store-for-business/manage-settings-microsoft-store-for-business.md +++ b/store-for-business/manage-settings-microsoft-store-for-business.md 
@@ -22,7 +22,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant. diff --git a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md index 5253b14c06..a57e52bfd5 100644 --- a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md +++ b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md 
@@ -23,7 +23,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Microsoft Store for Business and Education manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-microsoft-store-for-business.md), but not to groups. diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md index fd4d4e8c20..f599c5cc61 100644 --- a/store-for-business/microsoft-store-for-business-education-powershell-module.md +++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md 
@@ -20,7 +20,7 @@ manager: dansimp - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Microsoft Store for Business and Education PowerShell module (preview) is now available on [PowerShell Gallery](https://go.microsoft.com/fwlink/?linkid=853459). @@ -129,7 +129,7 @@ Remove-MSStoreSeatAssignment -ProductId 9NBLGGH4R2R6 -SkuId 0016 -Username 'user ``` ## Assign or reclaim a product with a .csv file -You can also use the PowerShell module to perform bulk operations on items in **Product and Services**. You'll need a .CSV file with at least one column for “Principal Names” (for example, user@host.com). You can create such a CSV using the AzureAD PowerShell Module. +You can also use the PowerShell module to perform bulk operations on items in **Product and Services**. You'll need a .CSV file with at least one column for "Principal Names" (for example, user@host.com). You can create such a CSV using the AzureAD PowerShell Module. **To assign or reclaim seats in bulk:** 
diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md index a3cab33039..06da85f98c 100644 --- a/store-for-business/microsoft-store-for-business-overview.md +++ b/store-for-business/microsoft-store-for-business-overview.md @@ -19,10 +19,10 @@ ms.date: 07/21/2021 **Applies to** -- Windows 10 +- Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). > [!IMPORTANT] > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md). 
@@ -42,7 +42,7 @@ Organizations or schools of any size can benefit from using Microsoft Store for - **Microsoft Store for Education** – Apps acquired from Microsoft Store for Education - **Office 365** – Subscriptions - **Volume licensing** - Apps purchased with volume licensing -- **Private store** - Create a private store for your business that’s easily available from any Windows 10 device. Your private store is available from Microsoft Store on Windows 10, or with a browser on the Web. People in your organization can download apps from your organization's private store on Windows 10 devices. +- **Private store** - Create a private store for your business that's easily available from any Windows 10 device. Your private store is available from Microsoft Store on Windows 10, or with a browser on the Web. People in your organization can download apps from your organization's private store on Windows 10 devices. - **Flexible distribution options** - Flexible options for distributing content and apps to your employee devices: - Distribute through Microsoft Store services. You can assign apps to individual employees, or make apps available to all employees in your private store. - Use a management tool from Microsoft, or a 3rd-party tool for advanced distribution and management functions, or for managing images. 
@@ -68,7 +68,7 @@ Microsoft Azure Active Directory (AD) accounts for your employees: - Employees need Azure AD account when they access Store for Business content from Windows devices. - If you use a management tool to distribute and manage online-licensed apps, all employees will need an Azure AD account - For offline-licensed apps, Azure AD accounts are not required for employees. -- Admins can add or remove user accounts in the Microsoft 365 admin center, even if you don’t have an Office 365 subscription. You can access the Office 365 admin portal directly from the Store for Business and Education. +- Admins can add or remove user accounts in the Microsoft 365 admin center, even if you don't have an Office 365 subscription. You can access the Office 365 admin portal directly from the Store for Business and Education. For more information on Azure AD, see [About Office 365 and Azure Active Directory](/previous-versions//dn509517(v=technet.10)), and [Intro to Azure: identity and access](https://go.microsoft.com/fwlink/p/?LinkId=708611). @@ -83,7 +83,7 @@ While not required, you can use a management tool to distribute and manage apps. ## Sign up! -The first step for getting your organization started with Store for Business and Education is signing up. Sign up using an existing account (the same one you use for Office 365, Dynamics 365, Intune, Azure, etc.) or we’ll quickly create an account for you. You must be a Global Administrator for your organization. +The first step for getting your organization started with Store for Business and Education is signing up. Sign up using an existing account (the same one you use for Office 365, Dynamics 365, Intune, Azure, etc.) or we'll quickly create an account for you. You must be a Global Administrator for your organization. ## Set up 
@@ -101,7 +101,7 @@ After your admin signs up for the Store for Business and Education, they can ass In some cases, admins will need to add Azure Active Directory (AD) accounts for their employees. For more information, see [Manage user accounts and groups](manage-users-and-groups-microsoft-store-for-business.md). -Also, if your organization plans to use a management tool, you’ll need to configure your management tool to sync with Store for Business and Education. +Also, if your organization plans to use a management tool, you'll need to configure your management tool to sync with Store for Business and Education. ## Get apps and content @@ -128,7 +128,7 @@ App distribution is handled through two channels, either through the Microsoft S **Distribute with Store for Business and Education**: - Email link – After purchasing an app, Admins can send employees a link in an email message. Employees can click the link to install the app. -- Curate private store for all employees – A private store can include content you’ve purchased from Microsoft Store for Business, and your line-of-business apps that you’ve submitted to Microsoft Store for Business. Apps in your private store are available to all of your employees. They can browse the private store and install apps when needed. +- Curate private store for all employees – A private store can include content you've purchased from Microsoft Store for Business, and your line-of-business apps that you've submitted to Microsoft Store for Business. Apps in your private store are available to all of your employees. They can browse the private store and install apps when needed. - To use the options above users must be signed in with an Azure AD account on a Windows 10 device. Licenses are assigned as individuals install apps. **Using a management tool** – For larger organizations that want a greater level of control over how apps are distributed and managed, a management tools provides other distribution options: 
diff --git a/store-for-business/notifications-microsoft-store-business.md b/store-for-business/notifications-microsoft-store-business.md index dd8d1a7d29..916cb00349 100644 --- a/store-for-business/notifications-microsoft-store-business.md +++ b/store-for-business/notifications-microsoft-store-business.md @@ -24,7 +24,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Microsoft Store for Business and Microsoft Store for Education use a set of notifications to alert admins if there is an issue or outage with Microsoft Store. 
@@ -32,9 +32,9 @@ Microsoft Store for Business and Microsoft Store for Education use a set of noti | Store area | Notification message | Customer impact | | ---------- | -------------------- | --------------- | -| General | We’re on it. Something happened on our end with the Store. Waiting a bit might help. | You might be unable to sign in. There might be an intermittent Azure AD outage. | -| Manage | We’re on it. Something happened on our end with management for apps and software. We’re working to fix the problem. | You might be unable to manage inventory, including viewing inventory, distributing apps, assigning licenses, or viewing and managing order history. | -| Shop | We’re on it. Something happened on our end with purchasing. We’re working to fix the problem. | Shop might not be available. You might not be able to purchase new, or additional licenses. | -| Private store | We’re on it. Something happened on our end with your organization’s private store. People in your organization can’t download apps right now. We’re working to fix the problem. | People in your organization might not be able to view the private store, or get apps. | -| Acquisition and licensing | We’re on it. People in your org might not be able to install or use certain apps. We’re working to fix the problem. | People in your org might not be able to claim a license from your private store. | -| Partner | We’re on it. Something happened on our end with Find a Partner. We’re working to fix the problem. | You might not be able to search for a partner. | +| General | We're on it. Something happened on our end with the Store. Waiting a bit might help. | You might be unable to sign in. There might be an intermittent Azure AD outage. | +| Manage | We're on it. Something happened on our end with management for apps and software. We're working to fix the problem. 
| You might be unable to manage inventory, including viewing inventory, distributing apps, assigning licenses, or viewing and managing order history. | +| Shop | We're on it. Something happened on our end with purchasing. We're working to fix the problem. | Shop might not be available. You might not be able to purchase new, or additional licenses. | +| Private store | We're on it. Something happened on our end with your organization's private store. People in your organization can't download apps right now. We're working to fix the problem. | People in your organization might not be able to view the private store, or get apps. | +| Acquisition and licensing | We're on it. People in your org might not be able to install or use certain apps. We're working to fix the problem. | People in your org might not be able to claim a license from your private store. | +| Partner | We're on it. Something happened on our end with Find a Partner. We're working to fix the problem. | You might not be able to search for a partner. | diff --git a/store-for-business/payment-methods.md b/store-for-business/payment-methods.md index 43f09a403e..1ccc6c81fd 100644 --- a/store-for-business/payment-methods.md +++ b/store-for-business/payment-methods.md 
@@ -18,7 +18,7 @@ manager: dansimp # Payment methods > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). You can purchase products and services from Microsoft Store for Business using your credit card. You can enter your credit card information on **Payment methods**, or when you purchase an app. We currently accept these credit cards: - VISA 
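Review bot: the rewritten retirement callout in this payment-methods hunk is the same two-link sentence that the PR also drops into the IMPORTANT block of ten store-for-business topics in this diff (prerequisites, release-history, roles-and-permissions, settings-reference, sign-code-integrity-policy, sign-up, troubleshoot, update-account-settings, whats-new); consider moving it into a shared include so the next link change is one edit instead of ten, and confirm both techcommunity URLs resolve before merge, since this replaces the single aka.ms link every topic previously pointed at.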
@@ -54,4 +54,4 @@ Once you select **Add**, the information you provided will be validated with a t Once you click **Update**, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems. > [!NOTE] -> Certain actions, like updating or adding a payment option, require temporary “test authorization” transactions to validate the payment option. These may appear on your statement as $0.00 authorizations or as small pending transactions. These transactions are temporary and should not impact your account unless you make several changes in a short period of time, or have a low balance. +> Certain actions, like updating or adding a payment option, require temporary "test authorization" transactions to validate the payment option. These may appear on your statement as $0.00 authorizations or as small pending transactions. These transactions are temporary and should not impact your account unless you make several changes in a short period of time, or have a low balance. diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md index 2b8ea7784d..99e6061d97 100644 --- a/store-for-business/prerequisites-microsoft-store-for-business.md +++ b/store-for-business/prerequisites-microsoft-store-for-business.md 
@@ -22,7 +22,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). > [!IMPORTANT] > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md). diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md index a4f1f93a78..4ced84898d 100644 --- a/store-for-business/release-history-microsoft-store-business-education.md +++ b/store-for-business/release-history-microsoft-store-business-education.md 
@@ -16,7 +16,7 @@ manager: dansimp # Microsoft Store for Business and Education release history > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Microsoft Store for Business and Education regularly releases new and improved features. Here's a summary of new or updated features in previous releases. 
@@ -39,13 +39,13 @@ Looking for info on the latest release? Check out [What's new in Microsoft Store - **Immersive Reader app available in Microsoft Store for Education** - This app is a free tool that uses proven techniques to improve reading and writing for people regardless of their age or ability. You can add the app to your private store, so students can easily install and use it. ## April 2018 -- **Assign apps to larger groups** - We're making it easier for admins to assign apps to groups of people. Admins can assign licenses to groups of any size, and include subgroups within those groups. We’ll figure out who’s in those groups, and assign licenses to people in the groups (skipping people who already have licenses). Along the way, we’ll let you know how many licenses are needed, and provide an estimate on the time required to assign licenses. +- **Assign apps to larger groups** - We're making it easier for admins to assign apps to groups of people. Admins can assign licenses to groups of any size, and include subgroups within those groups. We'll figure out who's in those groups, and assign licenses to people in the groups (skipping people who already have licenses). Along the way, we'll let you know how many licenses are needed, and provide an estimate on the time required to assign licenses. - **Change collection order in private store** - Private store collections make it easy for groups of people to find the apps that they need. Now, you can customize the order of your private store collections. - **Office 365 subscription management** - We know that sometimes customers need to cancel a subscription. While we don't want to lose a customer, we want the process for managing subscriptions to be easy. Now, you can delete your Office 365 subscription without calling Support. From Microsoft Store for Business and Education, you can request to delete an Office 365 subscription. We'll wait three days before permanently deleting the subscription. 
In case of a mistake, customers are welcome to reactivate subscriptions during the three-day period. ## March 2018 - **Performance improvements in private store** - We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them. [Get more info](./manage-private-store-settings.md#private-store-performance) -- **Private store collection updates** - We’ve made it easier to find apps when creating private store collections – now you can search and filter results. +- **Private store collection updates** - We've made it easier to find apps when creating private store collections – now you can search and filter results. [Get more info](./manage-private-store-settings.md#private-store-collections) - **Manage Skype Communication credits** - Office 365 customers that own Skype Communication Credits can now see and manage them in Microsoft Store for Business. You can view your account, add funds to your account, and manage auto-recharge settings. - **Upgrade Microsoft 365 trial subscription** - Customers with Office 365 can upgrade their subscription and automatically re-assign their user licenses over to a new target subscription. For example, you could upgrade your Office 365 for business subscription to a Microsoft 365 for business subscription. diff --git a/store-for-business/roles-and-permissions-microsoft-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md index d04d9e5277..83baa7d2d3 100644 --- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md +++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md 
@@ -23,7 +23,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). > [!IMPORTANT] > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md). diff --git a/store-for-business/settings-reference-microsoft-store-for-business.md b/store-for-business/settings-reference-microsoft-store-for-business.md index 442ff303d1..3bbc577f09 100644 --- a/store-for-business/settings-reference-microsoft-store-for-business.md +++ b/store-for-business/settings-reference-microsoft-store-for-business.md 
@@ -18,7 +18,7 @@ ms.date: 07/21/2021 # Settings reference: Microsoft Store for Business and Education > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). The Microsoft Store for Business and Education has a group of settings that admins use to manage the store. diff --git a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md index d7f05fb986..5de355b03c 100644 --- a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md +++ b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md 
@@ -18,7 +18,7 @@ ms.date: 07/21/2021 # Sign code integrity policy with Device Guard signing > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). > [!IMPORTANT] 
@@ -27,7 +27,7 @@ ms.date: 07/21/2021 > Following are the major changes we are making to the service: > - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/. > - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). -> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. +> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. > > The following functionality will be available via these PowerShell cmdlets: > - Get a CI policy diff --git a/store-for-business/sign-up-microsoft-store-for-business-overview.md b/store-for-business/sign-up-microsoft-store-for-business-overview.md index c51e8f7899..5303f4a421 100644 --- a/store-for-business/sign-up-microsoft-store-for-business-overview.md +++ b/store-for-business/sign-up-microsoft-store-for-business-overview.md 
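Review bot: the removed and added lines of the DGSS v2 leaf-certificate bullet in this sign-code-integrity-policy hunk read identically, so the change must be an invisible character (a trailing or non-breaking space, for instance); state that in the commit message, otherwise the hunk is indistinguishable from accidental whitespace churn. Separately, the bullet justifies dropping leaf-certificate download by saying the certificate "can be easily extracted from the signed file itself" but gives no method; a one-line pointer to how an admin extracts it from a signed file would make the migration guidance actionable.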
@@ -22,7 +22,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). IT admins can sign up for Microsoft Store for Business and Education, and get started working with apps. diff --git a/store-for-business/troubleshoot-microsoft-store-for-business.md b/store-for-business/troubleshoot-microsoft-store-for-business.md index febe7110b0..48cfe3c2fc 100644 --- a/store-for-business/troubleshoot-microsoft-store-for-business.md +++ b/store-for-business/troubleshoot-microsoft-store-for-business.md 
@@ -22,7 +22,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Troubleshooting topics for Microsoft Store for Business. diff --git a/store-for-business/update-microsoft-store-for-business-account-settings.md b/store-for-business/update-microsoft-store-for-business-account-settings.md index edc1a362da..55f5f4fc07 100644 --- a/store-for-business/update-microsoft-store-for-business-account-settings.md +++ b/store-for-business/update-microsoft-store-for-business-account-settings.md 
@@ -18,7 +18,7 @@ manager: dansimp # Update Billing account settings > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). A billing account contains defining information about your organization. 
@@ -35,9 +35,9 @@ We need your business address, email contact, and tax-exemption certificates tha Before purchasing apps that have a fee, you need to add or update your organization's business address, contact email address, and contact name. -We use the Business address to calculate sales tax. If your organization's address has already been entered for other commercial purchases through Microsoft Store, or through other online purchases such as Office 365 or Azure subscriptions, then we’ll use the same address in Microsoft Store for Business and Microsoft Store for Education. If we don’t have an address, we’ll ask you to enter it during your first purchase. +We use the Business address to calculate sales tax. If your organization's address has already been entered for other commercial purchases through Microsoft Store, or through other online purchases such as Office 365 or Azure subscriptions, then we'll use the same address in Microsoft Store for Business and Microsoft Store for Education. If we don't have an address, we'll ask you to enter it during your first purchase. -We need an email address in case we need to contact you about your Microsoft Store for Business and for Education account. This email account should reach the admin for your organization’s Office 365 or Azure AD tenant that is used with Microsoft Store. +We need an email address in case we need to contact you about your Microsoft Store for Business and for Education account. This email account should reach the admin for your organization's Office 365 or Azure AD tenant that is used with Microsoft Store. **To update billing account information** 1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com) 
@@ -100,7 +100,7 @@ If you qualify for tax-exempt status in your market, start a service request to 1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com). 2. Select **Manage**, click **Support**, and then under **Store settings & configuration** select **Create technical support ticket**. -You’ll need this documentation: +You'll need this documentation: |Country or locale | Documentation | |------------------|----------------| diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index 4b0cd1e47d..31965af7f3 100644 --- a/store-for-business/whats-new-microsoft-store-business-education.md +++ b/store-for-business/whats-new-microsoft-store-business-education.md @@ -16,7 +16,7 @@ manager: dansimp # What's new in Microsoft Store for Business and Education > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Microsoft Store for Business and Education regularly releases new and improved features. 
@@ -35,7 +35,7 @@ Microsoft Store for Business and Education regularly releases new and improved f -This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several other actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. +This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several other actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 7 days. We don't recommend setting the value to less than 2 days to prevent machines from going out of date. @@ -4797,4 +4797,4 @@ ADMX Info: ## Related topics -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 6c42ebfde5..172eeb0f4f 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md 
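Review bot: the only substantive edit in this hunk changes the documented default for the out-of-date security intelligence threshold from 14 days to 7 days, with no source cited; because admins use this default to reason about when the fallback update source and the warning icon kick in, the new value should be checked against the policy's ADMX definition (the second hunk shows this topic carries an ADMX Info block) and the source named in the PR description. The unchanged "not less than 2 days" recommendation still fits the new default. The trailing-newline fix on the Related topics link is fine.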
@@ -2105,17 +2105,17 @@ If you disable or don't configure this setting, security intelligence will be re ADMX Info: -- GP Friendly name: *Define security intelligence location for VDI clients* +- GP Friendly name: *Specify the signature (Security intelligence) delivery optimization for Defender in Virtual Environments* - GP name: *SecurityIntelligenceLocation* - GP element: *SecurityIntelligenceLocation* -- GP path: *Windows Components/Microsoft Defender Antivirus/Security Intelligence Updates* +- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender* - GP ADMX file name: *WindowsDefender.admx* - Empty string - no policy is set -- Non-empty string - the policy is set and security intelligence is gathered from the location +- Non-empty string - the policy is set and security intelligence is gathered from the location. diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index a2da6374ab..80986cd431 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -925,10 +925,10 @@ The following list shows the supported values: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|No|Yes| +|Home|No|No| |Pro|No|Yes| |Windows SE|No|Yes| -|Business|No|No| +|Business|No|Yes| |Enterprise|No|Yes| |Education|No|Yes| diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index ef76b0c2fb..c92b313661 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -213,6 +213,12 @@ manager: aaroncz
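Review bot: in the policy-csp-defender hunk the GP path moves from `Windows Components/Microsoft Defender Antivirus/Security Intelligence Updates` to `Windows Components/Microsoft Defender Antivirus/Windows Defender` and the friendly name is rewritten, while the GP name, element and ADMX file (WindowsDefender.admx) stay the same; since the path is what admins use to locate the setting in the Group Policy editor, both values should be copied verbatim from the ADMX file and the PR description should say which ADMX build they were read from. Minor: the period added to the "Non-empty string" bullet makes it inconsistent with the "Empty string" bullet directly above it, which still has none.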
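Review bot: the edition table in the policy-csp-experience hunk flips Home on Windows 11 from Yes to No and Business from No to Yes with nothing else in the hunk to explain either reversal; cite the source for both flips in the PR description, because a wrong edition row sends admins deploying this policy to the wrong SKUs and the two rows now move in opposite directions.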
    InternetExplorer/EnableExtendedIEModeHotkeys
    +
    + InternetExplorer/EnableGlobalWindowListInIEMode +
    +
    + InternetExplorer/HideInternetExplorer11RetirementNotification +
    InternetExplorer/IncludeAllLocalSites
    @@ -612,6 +618,9 @@ manager: aaroncz
    InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls
    +
    + InternetExplorer/ResetZoomForDialogInIEMode +
    InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses
    @@ -4423,6 +4432,115 @@ ADMX Info: +
    + + +**InternetExplorer/EnableGlobalWindowListInIEMode** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + +This setting allows Internet Explorer mode to use the global window list that enables sharing state with other applications. +The setting will take effect only when Internet Explorer 11 is disabled as a standalone browser. + +- If you enable this policy, Internet Explorer mode will use the global window list. + +- If you disable or don’t configure this policy, Internet Explorer mode will continue to maintain a separate window list. + + + +The following list shows the supported values: + +- 0 (default) - Disabled +- 1 - Enabled + + + +ADMX Info: +- GP Friendly name: *Enable global window list in Internet Explorer mode* +- GP name: *EnableGlobalWindowListInIEMode* +- GP path: *Windows Components/Internet Explorer/Main* +- GP ADMX file name: *inetres.admx* + + + + +
    + + +**InternetExplorer/HideInternetExplorer11RetirementNotification** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|No| +|Windows SE|No|No| +|Business|Yes|No| +|Enterprise|Yes|No| +|Education|Yes|No| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + +This policy setting allows you to manage whether the notification bar reminder that Internet Explorer is being retired is displayed. By default, the Notification bar is displayed in Internet Explorer 11. + +- If you enable this policy setting, the notification bar will not be displayed in Internet Explorer 11. + +- If you disable, or do not configure, this policy setting, the notification bar will be displayed in Internet Explorer 11. + + + +The following list shows the supported values: + +- 0 (default) - Disabled +- 1 - Enabled + + + +ADMX Info: +- GP Friendly name: *Hide Internet Explorer 11 retirement notification* +- GP name: *DisableIEAppDeprecationNotification* +- GP path: *Windows Components/Internet Explorer/Main* +- GP ADMX file name: *inetres.admx* + + + +
    **InternetExplorer/IncludeAllLocalSites** @@ -11161,6 +11279,60 @@ ADMX Info:
    + +**InternetExplorer/ResetZoomForDialogInIEMode** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + +This policy setting lets admins reset zoom to default for HTML dialogs in Internet Explorer mode. + +- If you enable this policy, the zoom of an HTML dialog in Internet Explorer mode will not get propagated from its parent page. + +- If you disable, or don't configure this policy, the zoom of an HTML dialog in Internet Explorer mode will be set based on the zoom of it's parent page. + + + +The following list shows the supported values: + +- 0 (default) - Disabled +- 1 - Enabled + + + +ADMX Info: +- GP Friendly name: *Reset zoom to default for HTML dialogs in Internet Explorer mode* +- GP name: *ResetZoomForDialogInIEMode* +- GP path: *Windows Components/Internet Explorer/Main* +- GP ADMX file name: *inetres.admx* + + + + +
    + **InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses** diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index 56f82e6ba2..e49f9c7be8 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -36,6 +36,9 @@ manager: aaroncz
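Review bot: two points on the policy-csp-internetexplorer hunk that adds EnableGlobalWindowListInIEMode and HideInternetExplorer11RetirementNotification. First, the EnableGlobalWindowListInIEMode description says the global window list "enables sharing state with other applications" but never says which state is shared or with which applications; the default is 0 (Disabled) and enabling it widens what Internet Explorer mode exposes, so admins need that detail to evaluate the change before turning it on. Second, the bullet "If you disable or don’t configure this policy" uses a curly apostrophe, the very character this PR normalises to a straight one throughout the store-for-business topics. Also worth one line: the HideInternetExplorer11RetirementNotification entry's GP name is DisableIEAppDeprecationNotification, which differs from the CSP node name; saying the names intentionally differ will stop someone "fixing" it later.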
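Review bot: in the ResetZoomForDialogInIEMode hunk, "based on the zoom of it's parent page" should read "its parent page" (possessive, no apostrophe), and "If you disable, or don't configure this policy" needs a comma after "configure" to match the "If you disable, or do not configure, this policy setting" form used by the HideInternetExplorer11RetirementNotification entry added earlier in the same file.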
    MixedReality/ConfigureMovingPlatform +
    +
    + MixedReality/ConfigureNtpClient
    MixedReality/DisallowNetworkConnectivityPassivePolling @@ -52,6 +55,9 @@ manager: aaroncz
    MixedReality/MicrophoneDisabled
    +
    + MixedReality/NtpClientEnabled +
    MixedReality/SkipCalibrationDuringSetup
    @@ -307,6 +313,71 @@ Supported value is Integer.
    + +**MixedReality/ConfigureNtpClient** + + + +|Windows Edition|Supported| +|--- |--- | +|HoloLens (first gen) Development Edition|No| +|HoloLens (first gen) Commercial Suite|No| +|HoloLens 2|Yes| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + + +> [!NOTE] +> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds. + +You may want to configure a different time server for your device fleet. IT admins can use thi policy to configure certain aspects of NTP client with following policies. In the Settings app, the Time/Language page will show the time server after a time sync has occurred. E.g. `time.windows.com` or another if another value is configured via MDM policy. + +This policy setting specifies a set of parameters for controlling the Windows NTP Client. Refer to [Policy CSP - ADMX_W32Time - Windows Client Management](/windows/client-management/mdm/policy-csp-admx-w32time#admx-w32time-policy-configure-ntpclient) for supported configuration parameters. + +> [!NOTE] +> This feature requires enabling[NtpClientEnabled](#mixedreality-ntpclientenabled) as well. + +- OMA-URI: `./Device/Vendor/MSFT/Policy/Config/MixedReality/ConfigureNtpClient` + +> [!NOTE] +> Reboot is required for these policies to take effect. + + + + + + + + +- Data Type: String +- Value: + +``` + +``` + + + +
    + **MixedReality/DisallowNetworkConnectivityPassivePolling** @@ -510,6 +581,48 @@ The following list shows the supported values: - 1 - True + + +**MixedReality/NtpClientEnabled** + + + +|Windows Edition|Supported| +|--- |--- | +|HoloLens (first gen) Development Edition|No| +|HoloLens (first gen) Commercial Suite|No| +|HoloLens 2|Yes| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +> [!NOTE] +> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds. + +This policy setting specifies whether the Windows NTP Client is enabled. + +- OMA-URI: `./Device/Vendor/MSFT/Policy/Config/MixedReality/NtpClientEnabled` + + + + + + +- Data Type: String +- Value `` + + +
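Review bot: In the MixedReality/ConfigureNtpClient hunk the `- Value:` entry under `- Data Type: String` is an empty fenced block, and the NtpClientEnabled hunk likewise ends with `- Value ``` and nothing after it, so neither policy tells the reader what string to send. Document the expected value format for ConfigureNtpClient (which of the W32Time parameters that the linked ADMX_W32Time topic describes are accepted, and how they go into the string) and list the accepted values for NtpClientEnabled the way the rest of this file does (compare "- 1 - True" in the surrounding context). Smaller fixes in the same hunk: "IT admins can use thi policy to configure certain aspects of NTP client with following policies" should read "IT admins can use this policy to configure certain aspects of the NTP client"; "E.g. `time.windows.com` or another if another value is configured via MDM policy" needs rewording; "requires enabling[NtpClientEnabled]" is missing a space. Because the configured server becomes the device's time source, and clock skew breaks TLS certificate and Kerberos ticket validation, a sentence recommending a trusted server for the fleet would be worth adding next to the reboot note.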
    diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md index 09f3f50725..5d03cb7066 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md @@ -33,6 +33,9 @@ manager: aaroncz RemoteDesktopServices/DoNotAllowPasswordSaving
    +
    + RemoteDesktopServices/DoNotAllowWebAuthnRedirection +
    RemoteDesktopServices/PromptForPasswordUponConnection
    @@ -130,7 +133,7 @@ ADMX Info: -Specifies whether it require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you're using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) isn't recommended. This policy doesn't apply to SSL encryption. +Specifies whether it requires the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you're using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) isn't recommended. This policy doesn't apply to SSL encryption. If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available: @@ -257,6 +260,56 @@ ADMX Info:
    + +**RemoteDesktopServices/DoNotAllowWebAuthnRedirection** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting lets you control the redirection of web authentication (WebAuthn) requests from a Remote Desktop session to the local device. This redirection enables users to authenticate to resources inside the Remote Desktop session using their local authenticator (e.g., Windows Hello for Business, security key, or other). + +By default, Remote Desktop allows redirection of WebAuthn requests. + +If you enable this policy setting, users can’t use their local authenticator inside the Remote Desktop session. + +If you disable or do not configure this policy setting, users can use local authenticators inside the Remote Desktop session. + +If you don't configure this policy setting, users can use local authenticators inside the Remote Desktop session. + + + +ADMX Info: +- GP Friendly name: *Do not allow WebAuthn redirection* +- GP name: *TS_WEBAUTHN* +- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection* +- GP ADMX file name: *terminalserver.admx* + + + + +
    + **RemoteDesktopServices/PromptForPasswordUponConnection** @@ -367,4 +420,4 @@ ADMX Info: ## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 384768cd58..e056057f7a 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -138,6 +138,9 @@ ms.collection: highpri
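Review bot: In the RemoteDesktopServices/DoNotAllowWebAuthnRedirection hunk, "If you disable or do not configure this policy setting, users can use local authenticators inside the Remote Desktop session." and the following "If you don't configure this policy setting, users can use local authenticators inside the Remote Desktop session." say the same thing; keep one of them, written with "don't" to match the rest of the file. The hunk also carries no "The following list shows the supported values" section, which the other policies in this file have; add the values (0/1 as elsewhere in these CSP topics) and the default so an admin can see which value blocks redirection. Since Enabled is the restrictive state (the local Windows Hello for Business or security-key authenticator can't be used inside the session), stating that explicitly beside the default would keep the double negative in the policy name from being misread. "(e.g., Windows Hello for Business, security key, or other)" should be spelled out as "for example" per the docs style used elsewhere.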
    Update/ManagePreviewBuilds +
    +
    + Update/NoUpdateNotificationDuringActiveHours
    Update/PauseDeferrals @@ -2382,6 +2385,55 @@ The following list shows the supported values:
    + +**Update/NoUpdateNotificationDuringActiveHours** + + +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy can be used in conjunction with Update/ActiveHoursStart and Update/ActiveHoursEnd policies to ensure that the end user sees no update notifications during active hours until deadline is reached. Note - if no active hour period is configured then this will apply to the intelligent active hours window calculated on the device. + +Supported value type is a boolean. + +0 (Default) This configuration will provide the default behavior (notifications may display during active hours) +1: This setting will prevent notifications from displaying during active hours. + + + +ADMX Info: +- GP Friendly name: *Display options for update notifications* +- GP name: *NoUpdateNotificationDuringActiveHours* +- GP element: *NoUpdateNotificationDuringActiveHours* +- GP path: *Windows Components\WindowsUpdate\Manage end user experience* +- GP ADMX file name: *WindowsUpdate.admx* + + + +
    + + **Update/PauseDeferrals** @@ -3524,8 +3576,8 @@ ADMX Info: The following list shows the supported values: -- 0: (Default) Detect, download, and deploy Driver from Windows Update. -- 1: Enabled, Detect, download, and deploy Driver from Windows Server Update Server (WSUS). +- 0: (Default) Detect, download, and deploy Drivers from Windows Update. +- 1: Enabled, Detect, download, and deploy Drivers from Windows Server Update Server (WSUS). @@ -3560,7 +3612,7 @@ The table below shows the applicability of Windows: -Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. +Configure this policy to specify whether to receive Windows Feature Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: - SetPolicyDrivenUpdateSourceForQualityUpdates @@ -3582,8 +3634,8 @@ ADMX Info: The following list shows the supported values: -- 0: (Default) Detect, download, and deploy Feature from Windows Update. -- 1: Enabled, Detect, download, and deploy Feature from Windows Server Update Server (WSUS). +- 0: (Default) Detect, download, and deploy Feature Updates from Windows Update. +- 1: Enabled, Detect, download, and deploy Feature Updates from Windows Server Update Server (WSUS). 
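Review bot: In the Update/NoUpdateNotificationDuringActiveHours hunk, "Supported value type is a boolean." conflicts with the 0/1 values listed directly below it; the other policies touched in this PR say "Supported value is Integer." and present the values as a list, so use "- 0 (Default) - ..." and "- 1 - ..." (the line "0 (Default) This configuration will provide the default behavior" is also missing its colon). The inline "Note - if no active hour period is configured then this will apply to the intelligent active hours window calculated on the device." should be a `> [!NOTE]` block like the rest of these topics, and "until deadline is reached" needs "the deadline". The GP path uses backslashes (`Windows Components\WindowsUpdate\Manage end user experience`) while the RemoteDesktopServices hunk in this PR uses forward slashes; pick one. The scan-source hunks below it are correct, and the `-3560`, `-3618` and `-3676` hunks each replace a description that still read "Windows Driver Updates", which shows the Feature, Other and Quality sections were copied from the driver policy; check the unchanged lines of those sections for the same leftover.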
@@ -3618,7 +3670,7 @@ The table below shows the applicability of Windows: -Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. +Configure this policy to specify whether to receive Other Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: - SetPolicyDrivenUpdateSourceForFeatureUpdates @@ -3640,8 +3692,8 @@ ADMX Info: The following list shows the supported values: -- 0: (Default) Detect, download, and deploy Other from Windows Update. -- 1: Enabled, Detect, download, and deploy Other from Windows Server Update Server (WSUS). +- 0: (Default) Detect, download, and deploy Other updates from Windows Update. +- 1: Enabled, Detect, download, and deploy Other updates from Windows Server Update Server (WSUS). @@ -3676,7 +3728,7 @@ The table below shows the applicability of Windows: -Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. +Configure this policy to specify whether to receive Windows Quality Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: - SetPolicyDrivenUpdateSourceForFeatureUpdates 
@@ -3698,8 +3750,8 @@ ADMX Info: The following list shows the supported values: -- 0: (Default) Detect, download, and deploy Quality from Windows Update. -- 1: Enabled, Detect, download, and deploy Quality from Windows Server Update Server (WSUS). +- 0: (Default) Detect, download, and deploy Quality Updates from Windows Update. +- 1: Enabled, Detect, download, and deploy Quality Updates from Windows Server Update Server (WSUS). diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index f3891cb68f..1c50ab927a 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -128,7 +128,7 @@ This policy setting allows you to turn off discovering the display service adver The following list shows the supported values: -- 0 - Don't allow +- 0 - Doesn't allow - 1 - Allow @@ -166,9 +166,9 @@ The table below shows the applicability of Windows: This policy setting allows you to disable the infrastructure movement detection feature. -If you set it to 0, your PC may stay connected and continue to project if you walk away from a Wireless Display receiver to which you're projecting over infrastructure. +- If you set it to 0, your PC may stay connected and continue to project if you walk away from a Wireless Display receiver to which you are projecting over infrastructure. -If you set it to 1, your PC will detect that you've moved and will automatically disconnect your infrastructure Wireless Display session. +- If you set it to 1, your PC will detect that you have moved and will automatically disconnect your infrastructure Wireless Display session. The default value is 1. @@ -177,7 +177,7 @@ The default value is 1. The following list shows the supported values: -- 0 - Don't allow +- 0 - Doesn't allow - 1 (Default) - Allow 
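Review bot: In the policy-csp-wirelessdisplay.md hunks, changing "- 0 - Don't allow" to "- 0 - Doesn't allow" makes the value label read worse: these labels are paired with "- 1 - Allow", so keep "Don't allow" (or use "Not allowed"/"Allowed" for both). The same file expands "you're"/"you've" to "you are"/"you have", while the RemoteDesktopServices hunk in this PR keeps contractions ("you're using native RDP encryption"); the docs style here favors contractions, so revert those expansions. Turning the two "If you set it to ..." sentences into list items is fine.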
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index e8c9563d43..15cbeaed69 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -322,10 +322,8 @@ Supported operation is Get. - Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode. - Bit 1 - Set to 1 when the client machine is Hyper-V capable. - Bit 2 - Set to 1 when the client machine has a valid OS license and SKU. -- Bit 3 - Set to 1 when Application Guard installed on the client machine. +- Bit 3 - Set to 1 when Application Guard is installed on the client machine. - Bit 4 - Set to 1 when required Network Isolation Policies are configured. - > [!IMPORTANT] - > If you are deploying Application Guard via Intune, Network Isolation Policy must be configured to enable Application Guard for Microsoft Edge. - Bit 5 - Set to 1 when the client machine meets minimum hardware requirements. - Bit 6 - Set to 1 when system reboot is required. @@ -381,4 +379,4 @@ ADMX Info: ## Related topics -[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index b648d8d7c1..0b4918cbd6 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md @@ -10,6 +10,7 @@ ms.author: vinpa manager: aaroncz ms.reviewer: pmadrigal ms.collection: highpri +ms.date: 08/26/2022 --- # Use Quick Assist to help users 
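Review bot: The windowsdefenderapplicationguard-csp.md hunk deletes the `> [!IMPORTANT]` note that Intune deployments must configure a Network Isolation Policy to enable Application Guard for Microsoft Edge, but leaves "- Bit 4 - Set to 1 when required Network Isolation Policies are configured." in place, so readers lose the only explanation of why that bit may stay 0 on Intune-managed devices. If the note was removed because it sits awkwardly inside the bit list, move it after the list instead of dropping it; if it's obsolete, say so in the PR description. The "Application Guard is installed" grammar fix and the trailing-newline fix are fine.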
@@ -18,7 +19,7 @@ Quick Assist is a Microsoft Store application that enables a person to share the ## Before you begin -All that's required to use Quick Assist is suitable network and internet connectivity. No particular roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate. +All that's required to use Quick Assist is suitable network and internet connectivity. No roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate. > [!NOTE] > In case the helper and sharer use different keyboard layouts or mouse settings, the ones from the sharer are used during the session. 
@@ -35,24 +36,30 @@ Both the helper and sharer must be able to reach these endpoints over port 443: | Domain/Name | Description | |--|--| -| `*.support.services.microsoft.com` | Primary endpoint used for Quick Assist application | -| `*.login.microsoftonline.com` | Required for logging in to the application (Microsoft account) | -| `*.channelwebsdks.azureedge.net` | Used for chat services within Quick Assist | -| `*.aria.microsoft.com` | Used for accessibility features within the app | | `*.api.support.microsoft.com` | API access for Quick Assist | -| `*.vortex.data.microsoft.com` | Used for diagnostic data | +| `*.aria.microsoft.com` | Used for accessibility features within the app | +| `*.cc.skype.com` | Azure Communication Service for chat and connection between parties | | `*.channelservices.microsoft.com` | Required for chat services within Quick Assist | +| `*.channelwebsdks.azureedge.net` | Used for chat services within Quick Assist | +| `*.edgeassetservice.azureedge.net` | Used for diagnostic data | +| `*.flightproxy.skype.com` | Azure Communication Service for chat and connection between parties | +| `*.login.microsoftonline.com` | Required for logging in to the application (Microsoft account) | +| `*.monitor.azure.com` | Service Performance Monitoring | +| `*.registrar.skype.com` | Azure Communication Service for chat and connection between parties. | | `*.remoteassistanceprodacs.communication.azure.com` | Azure Communication Services (ACS) technology the Quick Assist app uses. | +| `*.support.services.microsoft.com` | Primary endpoint used for Quick Assist application | +| `*.trouter.skype.com` | Azure Communication Service for chat and connection between parties. | | `*.turn.azure.com` | Protocol used to help endpoint. | +| `*.vortex.data.microsoft.com` | Used for diagnostic data | | `browser.pipe.aria.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. 
| -| `browser.events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. | -| `ic3.events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. | +| `edge.skype.com` | Azure Communication Service for chat and connection between parties. | +| `events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. | ## How it works 1. Both the helper and the sharer start Quick Assist. -2. The helper selects **Assist another person**. Quick Assist on the helper's side contacts the Remote Assistance Service to obtain a session code. An RCC chat session is established and the helper's Quick Assist instance joins it. The helper then provides the code to the sharer. +2. The helper selects **Assist another person**. Quick Assist on the helper's side contacts the Remote Assistance Service to obtain a session code. An RCC chat session is established, and the helper's Quick Assist instance joins it. The helper then provides the code to the sharer. 3. After the sharer enters the code in their Quick Assist app, Quick Assist uses that code to contact the Remote Assistance Service and join that specific session. The sharer's Quick Assist instance joins the RCC chat session. 
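Review bot: In the quick-assist.md endpoint table hunk, several descriptions are inconsistent in a way that matters for a firewall allow-list: `*.edgeassetservice.azureedge.net` is labeled "Used for diagnostic data", the same text as `*.vortex.data.microsoft.com`, which looks like a copy-paste; `*.turn.azure.com` is described only as "Protocol used to help endpoint.", which should say it is the TURN relay used when helper and sharer can't connect directly; and the Skype-hosted rows mix "Azure Communication Service" with the "Azure Communication Services (ACS)" used on the `*.remoteassistanceprodacs.communication.azure.com` row, some with a trailing period and some without. The hunk also replaces `browser.events.data.microsoft.com` and `ic3.events.data.microsoft.com` with `events.data.microsoft.com`; since admins tighten rules from this table, the PR description should say whether the old hosts are no longer contacted or are merely covered by the new entry. Sorting the table alphabetically is a good change.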
@@ -89,10 +96,11 @@ Either the support staff or a user can start a Quick Assist session. 1. Support staff ("helper") starts Quick Assist in any of a few ways: - Type *Quick Assist* in the search box and press ENTER. - - From the Start menu, select **Windows Accessories**, and then select **Quick Assist**. - - Type CTRL+Windows+Q + - Press **CTRL** + **Windows** + **Q** + - For **Windows 10** users, from the Start menu, select **Windows Accessories**, and then choose **Quick Assist**. + - For **Windows 11** users, from the Start menu, select **All Apps**, **Windows Tools**, and then choose **Quick Assist**. -2. In the **Give assistance** section, helper selects **Assist another person**. The helper might be asked to choose their account or sign in. Quick Assist generates a time-limited security code. +2. In the **Give assistance** section, the helper selects **Assist another person**. The helper might be asked to choose their account or sign in. Quick Assist generates a time-limited security code. 3. Helper shares the security code with the user over the phone or with a messaging system. 
@@ -102,9 +110,51 @@ Either the support staff or a user can start a Quick Assist session. 6. The sharer receives a dialog asking for permission to show their screen or allow access. The sharer gives permission by selecting the **Allow** button. -## If Quick Assist is missing +## Install Quick Assist -If for some reason a user doesn't have Quick Assist on their system or it's not working properly, try to uninstall and reinstall it. For more information, see [Install Quick Assist](https://support.microsoft.com/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca). +### Install Quick Assist from the Microsoft Store + +1. Download the new version of Quick Assist by visiting the [Microsoft Store](https://apps.microsoft.com/store/detail/quick-assist/9P7BP5VNWKX5). +1. In the Microsoft Store, select **Get in Store app**. Then, give permission to install Quick Assist. When the installation is complete, you'll see **Get** change to **Open**.
    :::image type="content" source="images/quick-assist-get.png" lightbox="images/quick-assist-get.png" alt-text="Microsoft Store window showing the Quick Assist app with a button labeled get in the bottom right corner."::: + +For more information, visit [Install Quick Assist](https://support.microsoft.com/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca). + +### Install Quick Assist with Intune + +Before installing Quick Assist, you'll need to set up synchronization between Intune and Microsoft Store for Business. If you've already set up sync, log into [Microsoft Store for Business](https://businessstore.microsoft.com) and skip to step 5. + +1. Go to [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/) and navigate to **Tenant administration** / **Connectors and tokens** / **Microsoft Store for Business** and verify that **Microsoft Store for Business sync** is set to **Enable**. +1. Using your Global Admin account, log into [Microsoft Store for Business](https://businessstore.microsoft.com). +1. Select **Manage** / **Settings** and turn on **Show offline apps**. +1. Choose the **Distribute** tab and verify that **Microsoft Intune** is **Active**. You may need to use the **+Add management tool** link if it's not. +1. Search for **Quick Assist** and select it from the Search results. +1. Choose the **Offline** license and select **Get the app** +1. From the Intune portal (Endpoint Manager admin center) choose **Sync**. +1. Navigate to **Apps** / **Windows** and you should see **Quick Assist (Offline)** in the list. +1. Select it to view its properties. By default, the app won't be assigned to anyone or any devices, select the **Edit** link. +1. Assign the app to the required group of devices and choose **Review + save** to complete the application install. + +> [!NOTE] +> Assigning the app to a device or group of devices instead of a user is important because it's the only way to install a store app in device context. 
+ +Visit [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-windows) for more information. + +### Install Quick Assist Offline + +To install Quick Assist offline, you'll need to download your APPXBUNDLE and unencoded XML file from [Microsoft Store for Business](https://businessstore.microsoft.com). Visit [Download an offline-licensed app](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) for more information. + +1. Start **Windows PowerShell** with Administrative privileges. +1. In PowerShell, change the directory to the location you've saved the file to in step 1. (CD <*location of package file*>) +1. Run the following command to install Quick Assist:
    *Add-appxprovisionedpackage -online -PackagePath "MicrosoftCorporationII.QuickAssist_2022.509.2259.0_neutral___8wekyb3d8bbwe.AppxBundle" -LicensePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe_4bc27046-84c5-8679-dcc7-d44c77a47dd0.xml"* +1. After Quick Assist has installed, run this command:
    _Get-appxpackage \*QuickAssist* -alluser_ + +After running the command, you'll see Quick Assist 2.X is installed for the user. + +## Microsoft Edge WebView2 + +The Microsoft Edge WebView2 is a development control that uses Microsoft Edge as the rendering engine to display web content in native apps. The new Quick Assist app is written using this control and is required. For Windows 11 users, this runtime control is built in. For Windows 10 users, the Quick Assist Store app will detect if WebView2 is present on launch and if necessary, it will be installed automatically. If an error message or prompt is shown indicating WebView2 isn't present, it will need to be installed separately. + +For more information on distributing and installing Microsoft Edge WebView2, visit [Distribute your app and the WebView2 Runtime](/microsoft-edge/webview2/concepts/distribution) ## Next steps diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md index 81396fc528..1d213f059d 100644 --- a/windows/client-management/troubleshoot-stop-errors.md +++ b/windows/client-management/troubleshoot-stop-errors.md @@ -14,6 +14,8 @@ ms.collection: highpri # Advanced troubleshooting for stop or blue screen errors +
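Review bot: In the "Install Quick Assist Offline" steps of the quick-assist.md hunk, step 2 says "change the directory to the location you've saved the file to in step 1", but step 1 is "Start **Windows PowerShell** with Administrative privileges"; the download is described in the paragraph above the list, so point there instead. The two PowerShell commands are set in italics (`*Add-appxprovisionedpackage ...*` and `_Get-appxpackage \*QuickAssist* -alluser_`) rather than in fenced ```powershell blocks, which is also what forces the `\*` escaping; put them in code blocks with standard casing (`Add-AppxProvisionedPackage -Online -PackagePath ... -LicensePath ...` and `Get-AppxPackage *QuickAssist* -AllUsers`, with the full parameter name rather than the `-alluser` prefix, which works only because it's an unambiguous abbreviation). The hard-coded `MicrosoftCorporationII.QuickAssist_2022.509.2259.0_neutral___8wekyb3d8bbwe.AppxBundle` and license XML names will go stale with the next Store release; show them as placeholders and tell readers to use the names from their own Store for Business download. "Quick Assist 2.X is installed for the user" doesn't match `-AllUsers`, which lists the package for every user profile. In the WebView2 section, "The new Quick Assist app is written using this control and is required." should read "and requires it", and "visit [Distribute your app and the WebView2 Runtime](...)" is missing its period; "select **Get the app**" in the Intune steps needs one too.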

    Try our Virtual Agent - It can help you quickly identify and fix common Windows boot issues + > [!NOTE] > If you're not a support agent or IT professional, you'll find more helpful information about stop error ("blue screen") messages in [Troubleshoot blue screen errors](https://support.microsoft.com/sbs/windows/troubleshoot-blue-screen-errors-5c62726c-6489-52da-a372-3f73142c14ad). diff --git a/windows/client-management/troubleshoot-windows-startup.md b/windows/client-management/troubleshoot-windows-startup.md index c2ae601920..6747a6a240 100644 --- a/windows/client-management/troubleshoot-windows-startup.md +++ b/windows/client-management/troubleshoot-windows-startup.md @@ -13,6 +13,8 @@ manager: dansimp # Advanced troubleshooting for Windows start-up issues +

    Try our Virtual Agent - It can help you quickly identify and fix common Windows boot issues + In these topics, you will learn how to troubleshoot common problems that are related to Windows startup. ## How it works diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json index b11d07e93f..346cc5e640 100644 --- a/windows/configuration/docfx.json +++ b/windows/configuration/docfx.json @@ -21,6 +21,7 @@ "files": [ "**/*.png", "**/*.jpg", + "**/*.svg", "**/*.gif" ], "exclude": [ diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md index 3e4b126512..933279aeb0 100644 --- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md 
@@ -160,12 +160,12 @@ Here is a list of CSPs supported on Windows 10 Enterprise: - [Maps CSP](/windows/client-management/mdm/maps-csp) - [NAP CSP](/windows/client-management/mdm/filesystem-csp) - [NAPDEF CSP](/windows/client-management/mdm/napdef-csp) -- [NodeCache CSP]( https://go.microsoft.com/fwlink/p/?LinkId=723265) +- [NodeCache CSP](https://go.microsoft.com/fwlink/p/?LinkId=723265) - [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp) - [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) -- [PolicyManager CSP]( https://go.microsoft.com/fwlink/p/?LinkId=723418) +- [PolicyManager CSP](https://go.microsoft.com/fwlink/p/?LinkId=723418) - [Provisioning CSP](/windows/client-management/mdm/provisioning-csp) -- [Proxy CSP]( https://go.microsoft.com/fwlink/p/?LinkId=723372) +- [Proxy CSP](https://go.microsoft.com/fwlink/p/?LinkId=723372) - [PXLOGICAL CSP](/windows/client-management/mdm/pxlogical-csp) - [Registry CSP](/windows/client-management/mdm/registry-csp) - [RemoteFind CSP](/windows/client-management/mdm/remotefind-csp) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 5daa9b74d5..902c4828e2 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -263,7 +263,7 @@ href: update/update-compliance-schema-waasupdatestatus.md - name: WaaSInsiderStatus href: update/update-compliance-schema-waasinsiderstatus.md - - name: WaaSDepoymentStatus + - name: WaaSDeploymentStatus href: update/update-compliance-schema-waasdeploymentstatus.md - name: WUDOStatus href: update/update-compliance-schema-wudostatus.md diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md index d398777f84..3f3f880cc0 100644 --- a/windows/deployment/deploy-windows-to-go.md +++ b/windows/deployment/deploy-windows-to-go.md 
@@ -33,7 +33,7 @@ The following is a list of items that you should be aware of before you start th * When running a Windows To Go workspace, always shutdown the workspace before unplugging the drive. -* Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. You can download Configuration Manager for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkId=618746). For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)). +* Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)). * If you're planning on using a USB drive duplicator to duplicate Windows To Go drives, don't configure offline domain join or BitLocker on the drive. diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json index 6e2cfcba95..ad1f0f4c84 100644 --- a/windows/deployment/docfx.json +++ b/windows/deployment/docfx.json @@ -21,9 +21,8 @@ "files": [ "**/*.png", "**/*.jpg", - "**/*.gif", - "**/*.pdf", - "**/*.vsdx" + "**/*.svg", + "**/*.gif" ], "exclude": [ "**/obj/**", @@ -37,9 +36,6 @@ "recommendations": true, "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", - "ms.technology": "windows", - "audience": "ITPro", - "ms.topic": "article", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", 
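Review bot: In the windows/deployment/docfx.json hunk, dropping "ms.technology": "windows", "audience": "ITPro" and "ms.topic": "article" from the global metadata removes defaults every page in this docset inherited; any article under windows/deployment that doesn't set those keys in its own front matter will publish without them, so either confirm each file sets them or keep the defaults. Removing "**/*.pdf" and "**/*.vsdx" from the resource globs is consistent with the flowchart binaries deleted below, but the PR description should say so. The deploy-windows-to-go.md hunk drops the "download Configuration Manager for evaluation" sentence along with its fwlink; if the link is dead, a replacement pointer to the current evaluation download would serve readers better than silent removal.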
diff --git a/windows/deployment/media/Windows10AutopilotFlowchart.pdf b/windows/deployment/media/Windows10AutopilotFlowchart.pdf deleted file mode 100644 index 5ab6f1c52e..0000000000 Binary files a/windows/deployment/media/Windows10AutopilotFlowchart.pdf and /dev/null differ diff --git a/windows/deployment/media/Windows10Autopilotflowchart.vsdx b/windows/deployment/media/Windows10Autopilotflowchart.vsdx deleted file mode 100644 index ef702ab66b..0000000000 Binary files a/windows/deployment/media/Windows10Autopilotflowchart.vsdx and /dev/null differ diff --git a/windows/deployment/media/Windows10DeploymentConfigManager.pdf b/windows/deployment/media/Windows10DeploymentConfigManager.pdf deleted file mode 100644 index 3a4c5f022e..0000000000 Binary files a/windows/deployment/media/Windows10DeploymentConfigManager.pdf and /dev/null differ diff --git a/windows/deployment/media/Windows10DeploymentConfigManager.vsdx b/windows/deployment/media/Windows10DeploymentConfigManager.vsdx deleted file mode 100644 index 8b2db358ff..0000000000 Binary files a/windows/deployment/media/Windows10DeploymentConfigManager.vsdx and /dev/null differ diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml index 8aa8e68722..4a695dc7b7 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml 
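Review bot: The four binary deletions (Windows10AutopilotFlowchart.pdf/.vsdx and Windows10DeploymentConfigManager.pdf/.vsdx under windows/deployment/media) come with no markdown change that removes links to them, so search the docset for those file names before merging; any remaining link will 404 once the docfx.json change stops publishing pdf and vsdx resources. If the flowcharts are being replaced by SVG renderings (this PR adds "**/*.svg" to the resource globs), the replacements and the updated links should land in the same PR.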
@@ -50,10 +50,10 @@ sections: - For some devices, Windows 10 may be unable to install drivers that are required for operation. If your device drivers aren't automatically installed, visit the manufacturer's support website for your device to download and manually install the drivers. If Windows 10 drivers aren't available, the most up-to-date drivers for Windows 8.1 will often work in Windows 10. - For some devices, the manufacturer may provide more up-to-date drivers or drivers that enable more functionality than the drivers installed by Windows 10. Always follow the recommendations of the device manufacturer for optimal performance and stability. - Some computer manufacturers provide packs of drivers for easy implementation in management and deployment solutions like the Microsoft Deployment Toolkit (MDT) or Microsoft Endpoint Configuration Manager. These driver packs contain all of the drivers needed for each device and can greatly simplify the process of deploying Windows to a new make or model of computer. 
Driver packs for some common manufacturers include: - - [HP driver pack](http://www8.hp.com/us/en/ads/clientmanagement/drivers-pack.html) - - [Dell driver packs for enterprise client OS deployment](http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-command-deploy-driver-packs-for-enterprise-client-os-deployment) - - [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/documents/ht074984) - - [Panasonic Driver Pack for Enterprise](http://pc-dl.panasonic.co.jp/itn/drivers/driver_packages.html) + - [HP driver pack](https://www.hp.com/us-en/solutions/client-management-solutions/drivers-pack.html) + - [Dell driver packs for enterprise client OS deployment](https://www.dell.com/support/kbdoc/en-us/000124139/dell-command-deploy-driver-packs-for-enterprise-client-os-deployment) + - [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/solutions/ht074984) + - [Panasonic Driver Pack for Enterprise](https://pc-dl.panasonic.co.jp/itn/drivers/driver_packages.html) - question: | Where can I find out if an application or device is compatible with Windows 10? 
@@ -125,7 +125,7 @@ sections: answer: | For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](/windows/whats-new/) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library. - Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you'll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10. + Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog). Here you'll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10. To find out which version of Windows 10 is right for your organization, you can also [compare Windows editions](https://www.microsoft.com/WindowsForBusiness/Compare). 
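Review bot: only the blog URL is replaced in this hunk, while the adjacent link to "What's new in Windows 10, version 1703" in the unchanged context is left as the example of a current release, which dates the answer; suggest pointing at the `/windows/whats-new/` index alone, or at a current version page, while this hunk is open.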
@@ -152,4 +152,3 @@ sections: - If you're an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet. - If you're an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum). - If you're a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev). - - If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home). diff --git a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md index ec78a072db..80aca45d8a 100644 --- a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md +++ b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md 
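Review bot: removing the Internet Explorer forums bullet is consistent with the header change (`-152,4` to `+152,3`), but the three remaining bullets still point at `social.technet.microsoft.com` and `social.msdn.microsoft.com`, the same host family as the link being dropped; worth checking that those still resolve so the answer doesn't send readers to dead forums.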
@@ -22,7 +22,7 @@ WaaSDeploymentStatus records track a specific update's installation progress on |**DeferralDays** |[int](/azure/kusto/query/scalar-data-types/int) |`0` |The deferral policy for this content type or `UpdateCategory` (Windows `Feature` or `Quality`). | |**DeploymentError** |[string](/azure/kusto/query/scalar-data-types/string) |`Disk Error` |A readable string describing the error, if any. If empty, there's either no string matching the error or there's no error. | |**DeploymentErrorCode** |[int](/azure/kusto/query/scalar-data-types/int) |`8003001E` |Microsoft internal error code for the error, if any. If empty, there's either no error or there's *no error code*, meaning that the issue raised doesn't correspond to an error, but some inferred issue. | -|**DeploymentStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Failed` |The high-level status of installing this update on this device. Possible values are:

  • **Update completed**: Device has completed the update installation.
  • **In Progress**: Device is in one of the various stages of installing an update, detailed in `DetailedStatus`.
  • **Deferred**: A device's deferral policy is preventing the update from being offered by Windows Update.
  • **Canceled**: The update was canceled.
  • **Blocked**: There's a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update.
  • **Unknown**: Update Compliance generated WaaSDeploymentStatus records for devices as soon as it detects an update newer than the one installed on the device. Devices that haven't sent any deployment data for that update will have the status `Unknown`.
  • **Update paused**: Devices are paused via Windows Update for Business Pause policies, preventing the update from being offered by Windows Update.
  • **Failed**: Device encountered a failure in the update process, preventing it from installing the update. This may result in an automatic retry in the case of Windows Update, unless the `DeploymentError` indicates the issue requires action before the update can continue.| +|**DeploymentStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Failed` |The high-level status of installing this update on this device. Possible values are:
  • **Update completed**: Device has completed the update installation.
  • **In Progress**: Device is in one of the various stages of installing an update, detailed in `DetailedStatus`.
  • **Deferred**: A device's deferral policy is preventing the update from being offered by Windows Update.
  • **Canceled**: The update was canceled.
  • **Blocked**: There's a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update.
  • **Unknown**: Update Compliance generated WaaSDeploymentStatus records for devices as soon as it detects an update newer than the one installed on the device. Devices that haven't sent any deployment data for that update will have the status `Unknown`.
  • **Update paused**: Devices are paused via Windows Update for Business Pause policies, preventing the update from being offered by Windows Update.
  • **Failed**: Device encountered a failure in the update process, preventing it from installing the update. This may result in an automatic retry in the case of Windows Update, unless the `DeploymentError` indicates the issue requires action before the update can continue.
  • **Progress stalled**: The update is in progress, but has not completed over a period of 7 days.| |**DetailedStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Reboot required` |A detailed status for the installation of this update on this device. Possible values are:
  • **Not Started**: Update hasn't started because the device isn't targeting the latest 2 builds
  • **Update deferred**: When a device's Windows Update for Business policy dictates the update is deferred.
  • **Update paused**: The device's Windows Update for Business policy dictates the update is paused from being offered.
  • **Update offered**: The device has been offered the update, but hasn't begun downloading it.
  • **Pre-Download tasks passed**: The device has finished all necessary tasks prior to downloading the update.
  • **Compatibility hold**: The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and won't resume the update until the hold has been cleared. For more information, see [Feature Update Status report](update-compliance-feature-update-status.md#safeguard-holds).
  • **Download started**: The update has begun downloading on the device.
  • **Download Succeeded**: The update has successfully completed downloading.
  • **Pre-Install Tasks Passed**: Tasks that must be completed prior to installing the update have been completed.
  • **Install Started**: Installation of the update has begun.
  • **Reboot Required**: The device has finished installing the update, and a reboot is required before the update can be completed.
  • **Reboot Pending**: The device has a scheduled reboot to apply the update.
  • **Reboot Initiated**: The scheduled reboot has been initiated.
  • **Commit**: Changes are being committed post-reboot. This is another step of the installation process.
  • **Update Completed**: The update has successfully installed.| |**ExpectedInstallDate** |[datetime](/azure/kusto/query/scalar-data-types/datetime)|`3/28/2020, 1:00:01.318 PM`|Rather than the expected date this update will be installed, this should be interpreted as the minimum date Windows Update will make the update available for the device. This takes into account Deferrals. | |**LastScan** |[datetime](/azure/kusto/query/scalar-data-types/datetime)|`3/22/2020, 1:00:01.318 PM`|The last point in time that this device sent Update Session data. | diff --git a/windows/deployment/update/update-compliance-v2-configuration-mem.md b/windows/deployment/update/update-compliance-v2-configuration-mem.md index 1dabf9b1e5..765128a9dc 100644 --- a/windows/deployment/update/update-compliance-v2-configuration-mem.md +++ b/windows/deployment/update/update-compliance-v2-configuration-mem.md @@ -9,7 +9,7 @@ ms.author: mstewart ms.localizationpriority: medium ms.collection: M365-analytics ms.topic: article -ms.date: 06/06/2022 +ms.date: 08/24/2022 --- # Configuring Microsoft Endpoint Manager devices for Update Compliance (preview) 
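Review bot: in the DeploymentStatus hunk, the new **Progress stalled** entry reads "has not completed over a period of 7 days" while every other entry in that column uses contractions ("haven't", "there's"), and it doesn't say what the 7-day window is measured from (for example `LastScan` or the last change in `DetailedStatus`); suggest "hasn't completed within 7 days of ..." with the reference point named. The `-` and `+` blocks are otherwise identical, so the diff is only that one added bullet.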
@@ -29,48 +29,79 @@ This article is specifically targeted at configuring devices enrolled to [Micros ## Create a configuration profile -Take the following steps to create a configuration profile that will set required policies for Update Compliance: +Create a configuration profile that will set the required policies for Update Compliance. There are two profile types that can be used to create a configuration profile for Update Compliance: +- The [settings catalog](#settings-catalog) +- [Template](#custom-oma-uri-based-profile) for a custom OMA URI based profile -1. Go to the Admin portal in Endpoint Manager and navigate to **Devices/Windows/Configuration profiles**. -1. On the **Configuration profiles** view, select **Create a profile**. +### Settings catalog + +1. Go to the Admin portal in Endpoint Manager and navigate to **Devices** > **Windows** > **Configuration profiles**. +1. On the **Configuration profiles** view, select **Create profile**. +1. Select **Platform**="Windows 10 and later" and **Profile type**="Settings Catalog", and then select **Create**. +1. You're now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**. +1. On the **Configuration settings** page, you'll be adding multiple settings from the **System** category. Using the **Settings picker**, select the **System** category, then add the following settings and values: + 1. Required settings for Update Compliance: + - **Setting**: Allow Commercial Data Pipeline + - **Value**: Enabled + - **Setting**: Allow Telemetry + - **Value**: Basic (*Basic is the minimum value, but it can be safely set to a higher value*) + - **Setting**: Allow Update Compliance Processing + - **Value**: Enabled + 1. (*Recommended, but not required*) Add settings for **disabling devices' Diagnostic Data opt-in settings interface**. 
If these aren't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance: + - **Setting**: Configure Telemetry Opt In Change Notification + - **Value**: Disable telemetry change notifications + - **Setting**: Configure Telemetry Opt In Settings Ux + - **Value**: Disable Telemetry opt-in Settings + 1. (*Recommended, but not required*) Allow device name to be sent in Windows Diagnostic Data. If this policy is disabled, the device name won't be sent and won't be visible in Update Compliance: + - **Setting**: Allow device name to be sent in Windows diagnostic data + - **Value**: Allowed + +1. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. +1. Review the settings and then select **Create**. + +### Custom OMA URI based profile + +1. Go to the Admin portal in Endpoint Manager and navigate to **Devices** > **Windows** > **Configuration profiles**. +1. On the **Configuration profiles** view, select **Create profile**. 1. Select **Platform**="Windows 10 and later" and **Profile type**="Templates". -1. For **Template name**, select **Custom**, and then press **Create**. +1. For **Template name**, select **Custom**, and then select **Create**. 1. You're now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**. 1. On the **Configuration settings** page, you'll be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md). - + + 1. 
Add a setting to **Allow commercial data pipeline**; this policy is required for Update Compliance: + - **Name**: Allow commercial data pipeline + - **Description**: Configures Microsoft to be the processor of the Windows diagnostic data collected from an Azure Active Directory-joined device. + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline` + - **Data type**: Integer + - **Value**: 1 1. Add a setting configuring the **Windows Diagnostic Data level** for devices: - **Name**: Allow Telemetry - **Description**: Sets the maximum allowed diagnostic data to be sent to Microsoft, required for Update Compliance. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowTelemetry` - **Data type**: Integer - - **Value**: 1 (*all that is required is 1, but it can be safely set to a higher value*). - 1. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. If this isn't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance: - - **Name**: Disable Telemetry opt-in interface - - **Description**: Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting. - - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx` - - **Data type**: Integer - - **Value**: 1 - 1. Add a setting to **Allow device name in diagnostic data**; otherwise, there will be no device name in Update Compliance: - - **Name**: Allow device name in Diagnostic Data - - **Description**: Allows device name in Diagnostic Data. - - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData` - - **Data type**: Integer - - **Value**: 1 + - **Value**: 1 (*1 is the minimum value meaning basic, but it can be safely set to a higher value*). 1. 
Add a setting to **Allow Update Compliance processing**; this policy is required for Update Compliance: - **Name**: Allow Update Compliance Processing - **Description**: Opts device data into Update Compliance processing. Required to see data. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing` - **Data type**: Integer - **Value**: 16 - 1. Add a setting to **Allow commercial data pipeline**; this policy is required for Update Compliance: - - **Name**: Allow commercial data pipeline - - **Description**: Configures Microsoft to be the processor of the Windows diagnostic data collected from an Azure Active Directory-joined device. - - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline` + 1. (*Recommended, but not required*) Add settings for **disabling devices' Diagnostic Data opt-in settings interface**. If these aren't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance: + - **Name**: Disable Telemetry opt-in interface + - **Description**: Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting. + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx` + - **Data type**: Integer + - **Value**: 1 + 1. (*Recommended, but not required*) Add a setting to **Allow device name in diagnostic data**; otherwise, the device name won't be in Update Compliance: + - **Name**: Allow device name in Diagnostic Data + - **Description**: Allows device name in Diagnostic Data. + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData` - **Data type**: Integer - **Value**: 1 + 1. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. -1. Review and select **Create**. +1. 
Review the settings and then select **Create**. ## Deploy the configuration script diff --git a/windows/deployment/update/update-compliance-v2-help.md b/windows/deployment/update/update-compliance-v2-help.md index 871ce3464e..e1fccf14ec 100644 --- a/windows/deployment/update/update-compliance-v2-help.md +++ b/windows/deployment/update/update-compliance-v2-help.md @@ -86,7 +86,7 @@ If you create an issue for something not related to documentation, Microsoft wil - [Product questions (using Microsoft Q&A)](/answers/products/) - [Support requests](#open-a-microsoft-support-case) for Update Compliance -To share feedback on the fundamental docs.microsoft.com platform, see [Docs feedback](https://aka.ms/sitefeedback). The platform includes all of the wrapper components such as the header, table of contents, and right menu. Also how the articles render in the browser, such as the font, alert boxes, and page anchors. +To share feedback about the Microsoft Docs platform, see [Microsoft Docs feedback](https://aka.ms/sitefeedback). The platform includes all of the wrapper components such as the header, table of contents, and right menu. Also how the articles render in the browser, such as the font, alert boxes, and page anchors. ## Troubleshooting tips diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index aaf93bbafd..cf390b0f9a 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md @@ -17,6 +17,8 @@ ms.collection: highpri - Windows 10 - Windows 11 +
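Review bot: in the update-compliance-v2-configuration-mem hunk, the rewritten Custom OMA-URI step now says "Add settings for disabling devices' Diagnostic Data opt-in settings interface" and "If these aren't disabled", but still lists only `ConfigureTelemetryOptInSettingsUx`, whereas the parallel Settings catalog step adds two settings (Configure Telemetry Opt In Change Notification and Configure Telemetry Opt In Settings Ux); either add the matching Change Notification OMA-URI entry or revert the wording to singular, since these are the settings that stop a local user lowering the diagnostic level below what the policy sets. The `+` description line "Disables the ability for end-users of devices can adjust diagnostic data" carries over a grammar error and should read "to adjust". It would also help readers cross-referencing the two sections to state that **Value: Enabled** for Allow Update Compliance Processing in the catalog corresponds to the integer `16` used in the OMA-URI section, if that is the mapping.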

    Try our Virtual Agent - It can help you quickly identify and fix common Windows Update issues + The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them. ## 0x8024402F diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md index 5b8cff866c..3498ee23fe 100644 --- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md +++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md @@ -18,6 +18,8 @@ ms.topic: article > This is a 300 level topic (moderately advanced).
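Review bot: in the windows-update-errors hunk the two added lines render as a blank line plus the bare sentence "Try our Virtual Agent - It can help you quickly identify and fix common Windows Update issues"; as shown there is no link, button or include that launches the agent, so the reader gets a call to action with nothing to select. If markup was stripped, restore it; if this is intentional plain text, add the link.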
    > See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. +

    Try our Virtual Agent - It can help you quickly identify and fix common Windows boot issues + If a Windows 10 upgrade is not successful, it can be very helpful to understand *when* an error occurred in the upgrade process. > [!IMPORTANT] diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md index bbc1b4b9d4..8dc4f7f75d 100644 --- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md +++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md 
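Review bot: the troubleshoot-upgrade-errors hunk has the same problem as the previous file (a "Try our Virtual Agent" sentence with nothing to select), and additionally says "common Windows boot issues" in an article whose surrounding context is about a Windows 10 upgrade not succeeding; the wording should match the article's topic or the reference to boot issues should be explained.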
@@ -1,50 +1,44 @@ --- -title: Activate using Active Directory-based activation (Windows 10) -description: Learn how active directory-based activation is implemented as a role service that relies on AD DS to store activation objects. -ms.custom: seo-marvel-apr2020 +title: Activate using Active Directory-based activation +description: Learn how active directory-based activation is implemented as a role service that relies on AD DS to store activation objects. manager: dougeby -ms.author: aaroncz -ms.prod: w10 author: aczechowski +ms.author: aaroncz +ms.prod: windows-client +ms.technology: itpro-deploy ms.localizationpriority: medium -ms.date: 01/13/2022 -ms.topic: article +ms.date: 09/16/2022 +ms.topic: how-to ms.collection: highpri --- # Activate using Active Directory-based activation -**Applies to** +**Applies to supported versions of** -Windows 11 -Windows 10 -Windows 8.1 -Windows 8 -Windows Server 2012 R2 -Windows Server 2012 -Windows Server 2016 -Windows Server 2019 -Office 2021* -Office 2019* -Office 2016* -Office 2013* +- Windows +- Windows Server +- Office -**Looking for retail activation?** +> [!TIP] +> Are you looking for information on retail activation? +> +> - [Product activation for Windows](https://support.microsoft.com/windows/product-activation-for-windows-online-support-telephone-numbers-35f6a805-1259-88b4-f5e9-b52cccef91a0) +> - [Activate Windows](https://support.microsoft.com/windows/activate-windows-c39005d4-95ee-b91e-b399-2820fda32227) -- [Get Help Activating Microsoft Windows 7 or Windows 8.1](https://support.microsoft.com/help/15083/windows-activate-windows-7-or-8-1) -- [Get Help Activating Microsoft Windows 10](https://support.microsoft.com/help/12440/windows-10-activate) +Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that you update the forest schema using *adprep.exe* on a supported server OS. 
After the schema is updated, older domain controllers can still activate clients. -Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that the forest schema be updated using *adprep.exe* on a supported server OS, but after the schema is updated, older domain controllers can still activate clients. +Any domain-joined computers running a supported OS with a Generic Volume License Key (GVLK) will be activated automatically and transparently. They'll stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention. -Any domain-joined computers running a supported operating system with a Generic Volume License Key (GVLK) will be activated automatically and transparently. They will stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention. - -To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console or the [Volume Activation Management Tool (VAMT)](volume-activation-management-tool.md) in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10. +To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console or the [Volume Activation Management Tool (VAMT)](volume-activation-management-tool.md) in earlier versions of Windows Server to create an object in the AD DS forest. 
You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10. The process proceeds as follows: -1. Perform one of the following tasks: - - Install the Volume Activation Services server role on a domain controller and add a KMS host key by using the Volume Activation Tools Wizard. - - Extend the domain to the Windows Server 2012 R2 or higher schema level, and add a KMS host key by using the VAMT. +1. Do _one_ of the following tasks: + + - Install the Volume Activation Services server role on a domain controller. Then add a KMS host key by using the Volume Activation Tools Wizard. + + - Extend the domain schema level to Windows Server 2012 R2 or later. Then add a KMS host key by using the VAMT. 2. Microsoft verifies the KMS host key, and an activation object is created. 
@@ -55,87 +49,91 @@ The process proceeds as follows: **Figure 10**. The Active Directory-based activation flow -For environments in which all computers are running an operating system listed under *Applies to*, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment. +For environments in which all computers are running a supported OS version, and they're joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers. You may be able to remove any KMS hosts from your environment. -If an environment will continue to contain earlier volume licensing operating systems and applications or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status for earlier volume licensing editions of Windows and Office. +If an environment will continue to contain earlier versions of volume licensed operating systems and applications, or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status. -Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain, but they will periodically attempt to reactivate before then and at the end of the 180 day period. By default, this reactivation event occurs every seven days. +Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain. They'll periodically attempt to reactivate before then and at the end of the 180 day period. By default, this reactivation event occurs every seven days. -When a reactivation event occurs, the client queries AD DS for the activation object. 
Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object cannot be retrieved, client computers use KMS activation. If the computer is removed from the domain, and the computer or the Software Protection service is restarted, the operating system will change the status from activated to not activated, and the computer will try to activate with KMS. +When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object can't be retrieved, client computers use KMS activation. If the computer is removed from the domain, and the computer or the Software Protection service is restarted, Windows will change the status to "not activated" and the computer will try to activate with KMS. ## Step-by-step configuration: Active Directory-based activation > [!NOTE] -> You must be a member of the local Administrators group on all computers mentioned in these steps. You also need to be a member of the Enterprise Administrators group, because setting up Active Directory-based activation changes forest-wide settings. +> You must be a member of the local **Administrators** group on all computers mentioned in these steps. You also need to be a member of the **Enterprise Administrators** group, because setting up Active Directory-based activation changes forest-wide settings. -**To configure Active Directory-based activation on Windows Server 2012 R2 or higher, complete the following steps:** +To configure Active Directory-based activation on a supported version of Windows Server, complete the following steps: -1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller. +1. 
Use an account with **Domain Administrator** and **Enterprise Administrator** credentials to sign in to a domain controller. -2. Launch Server Manager. +2. Launch **Server Manager**. -3. Add the Volume Activation Services role, as shown in Figure 11. +3. Add the **Volume Activation Services** role, as shown in Figure 11. ![Adding the Volume Activation Services role.](../images/volumeactivationforwindows81-11.jpg) **Figure 11**. Adding the Volume Activation Services role -4. Click the link to launch the Volume Activation Tools (Figure 12). +4. Select the **Volume Activation Tools**, as shown in Figure 12. ![Launching the Volume Activation Tools.](../images/volumeactivationforwindows81-12.jpg) **Figure 12**. Launching the Volume Activation Tools -5. Select the **Active Directory-Based Activation** option (Figure 13). +5. Select the **Active Directory-Based Activation** option, as shown in Figure 13. ![Selecting Active Directory-Based Activation.](../images/volumeactivationforwindows81-13.jpg) **Figure 13**. Selecting Active Directory-Based Activation -6. Enter your KMS host key and (optionally) a display name (Figure 14). +6. Enter your KMS host key and optionally specify a display name, as shown in Figure 14. ![Choosing how to activate your product.](../images/volumeactivationforwindows81-15.jpg) **Figure 14**. Entering your KMS host key -7. Activate your KMS host key by phone or online (Figure 15). +7. Activate your KMS host key by phone or online, as shown in Figure 15. ![Entering your KMS host key.](../images/volumeactivationforwindows81-14.jpg) - + **Figure 15**. Choosing how to activate your product > [!NOTE] - > To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed. 
For more details, see [Activate volume licensed versions of Office by using Active Directory](/deployoffice/vlactivation/activate-office-by-using-active-directory). - - > - > + > To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed. + > > - [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584) - > + > > - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164) > > - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342) > > - [Office LTSC 2021 VL pack](https://www.microsoft.com/download/details.aspx?id=103446) + > + > For more information, see [Activate volume licensed versions of Office by using Active Directory](/deployoffice/vlactivation/activate-office-by-using-active-directory). -8. After activating the key, click **Commit**, and then click **Close**. +8. After activating the key, select **Commit**, and then select **Close**. ## Verifying the configuration of Active Directory-based activation To verify your Active Directory-based activation configuration, complete the following steps: -1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing. -2. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key. -3. If the computer is not joined to your domain, join it to the domain. +1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that's configured by volume licensing. + +2. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK. Run the `slmgr.vbs /ipk` command and specifying the GLVK as the new product key. + +3. 
If the computer isn't joined to your domain, join it to the domain. + 4. Sign in to the computer. -5. Open Windows Explorer, right-click **Computer**, and then click **Properties**. + +5. Open Windows Explorer, right-click **Computer**, and then select **Properties**. + 6. Scroll down to the **Windows activation** section, and verify that this client has been activated. > [!NOTE] - > If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used. - > - > To manage individual activations or apply multiple (mass) activations, please consider using the [VAMT](./volume-activation-management-tool.md). - + > If you're using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that hasn't already been activated by KMS. The `slmgr.vbs /dlv` command also indicates whether KMS has been used. + > + > To manage individual activations or apply multiple (mass) activations, use the [VAMT](./volume-activation-management-tool.md). ## See also -- [Volume Activation for Windows 10](volume-activation-windows-10.md) +[Volume Activation for Windows 10](volume-activation-windows-10.md) diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md index 403b5a2209..e8e03b1772 100644 --- a/windows/deployment/volume-activation/introduction-vamt.md +++ b/windows/deployment/volume-activation/introduction-vamt.md 
@@ -4,61 +4,62 @@ description: VAMT enables administrators to automate and centrally manage the Wi ms.reviewer: manager: dougeby ms.author: aaroncz -ms.prod: w10 +ms.prod: windows-client +ms.technology: itpro-deploy author: aczechowski -ms.date: 04/25/2017 -ms.topic: article +ms.date: 09/16/2022 +ms.topic: overview --- # Introduction to VAMT -The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, or Windows Server 2012. +The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows, Office, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has a supported Windows OS version. > [!NOTE] -> VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated. +> VAMT can be installed on, and can manage, physical or virtual instances. VAMT can't detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated. 
-## In this Topic - -- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak) -- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms) -- [Enterprise Environment](#bkmk-enterpriseenvironment) -- [VAMT User Interface](#bkmk-userinterface) - -## Managing Multiple Activation Key (MAK) and Retail Activation +## Managing MAK and retail activation You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios: -- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft. -- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. 
Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host. +- **Online activation**: Many organizations maintain a single Windows system image or Office installation package for deployment across the organization. Occasionally there's also a need to use retail product keys in special situations. Online activation enables you to activate over the internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft. -## Managing Key Management Service (KMS) Activation +- **Proxy activation**: This activation method enables you to perform volume activation for products installed on client computers that don't have internet access. The VAMT host computer distributes a MAK, KMS host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs internet access. You can also activate products installed on computers in a workgroup that's isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the internet-connected VAMT host. -In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. 
GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 and Microsoft Office 2010.\ -VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types. +## Managing KMS activation -## Enterprise Environment +In addition to MAK or retail activation, you can use VAMT to perform volume activation using the KMS. VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by volume license editions of Windows, Windows Server, and Office. -VAMT is commonly implemented in enterprise environments. The following screenshot illustrates three common environments—Core Network, Secure Zone, and Isolated Lab. +VAMT treats a KMS host key (CSVLK) product key identically to a retail-type product key. The experience for product key entry and activation management are identical for both these product key types. + +## Enterprise environment + +VAMT is commonly implemented in enterprise environments. The following screenshot illustrates three common environments: core network, secure zone, and isolated lab. ![VAMT in the enterprise.](images/dep-win8-l-vamt-image001-enterprise.jpg) -In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have extra firewall protection. -The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab. 
+- In the core network environment, all computers are within a common network managed by Active Directory Domain Services (AD DS). +- The secure zone represents higher-security core network computers that have extra firewall protection. +- The isolated lab environment is a workgroup that is physically separate from the core network, and its computers don't have internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the isolated lab. -## VAMT User Interface +## VAMT user interface -The following screenshot shows the VAMT graphical user interface. +The following screenshot shows the VAMT graphical user interface: ![VAMT user interface.](images/vamtuserinterfaceupdated.jpg) VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as: -- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query. -- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers. -- **Monitoring activation status.** You can collect activation information about each product, including the last five characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information. -- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs. -- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format. 
+- **Adding and removing computers**: You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query. -## Related topics +- **Discovering products**: You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers. -- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) +- **Monitoring activation status**: You can collect activation information about each product, including the last five characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information. + +- **Managing product keys**: You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs. + +- **Managing activation data**: VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format. + +## Next steps + +[VAMT step-by-step scenarios](vamt-step-by-step.md) diff --git a/windows/deployment/volume-activation/volume-activation-management-tool.md b/windows/deployment/volume-activation/volume-activation-management-tool.md index ec4715c198..fd360dd5f2 100644 --- a/windows/deployment/volume-activation/volume-activation-management-tool.md +++ b/windows/deployment/volume-activation/volume-activation-management-tool.md 
@@ -1,40 +1,36 @@ --- -title: Volume Activation Management Tool (VAMT) Technical Reference (Windows 10) +title: VAMT technical reference description: The Volume Activation Management Tool (VAMT) enables network administrators to automate and centrally manage volume activation and retail activation. manager: dougeby ms.author: aaroncz -ms.prod: w10 +ms.prod: windows-client +ms.technology: itpro-deploy author: aczechowski -ms.date: 04/25/2017 -ms.topic: article +ms.date: 09/16/2022 +ms.topic: overview ms.custom: seo-marvel-apr2020 ms.collection: highpri --- -# Volume Activation Management Tool (VAMT) Technical Reference +# Volume Activation Management Tool (VAMT) technical reference -The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. -VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in that requires the Microsoft Management Console (MMC) 3.0. VAMT can be installed on any computer that has one of the following Windows operating systems: -- Windows® 7 or above -- Windows Server 2008 R2 or above +The Volume Activation Management Tool (VAMT) lets you automate and centrally manage the Windows, Office, and select other Microsoft products volume and retail-activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in. VAMT can be installed on any computer that has a supported Windows OS version. - -**Important**   -VAMT is designed to manage volume activation for: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 (or later), Microsoft Office 2010 (or above). 
+> [!IMPORTANT] +> VAMT is designed to manage volume activation for supported versions of Windows, Windows Server, and Office. VAMT is only available in an EN-US (x86) package. ## In this section -|Topic |Description | +|Article |Description | |------|------------| |[Introduction to VAMT](introduction-vamt.md) |Provides a description of VAMT and common usages. | -|[Active Directory-Based Activation Overview](active-directory-based-activation-overview.md) |Describes Active Directory-Based Activation scenarios. | -|[Install and Configure VAMT](install-configure-vamt.md) |Describes how to install VAMT and use it to configure client computers on your network. | -|[Add and Manage Products](add-manage-products-vamt.md) |Describes how to add client computers into VAMT. | -|[Manage Product Keys](manage-product-keys-vamt.md) |Describes how to add and remove a product key from VAMT. | -|[Manage Activations](manage-activations-vamt.md) |Describes how to activate a client computer by using a variety of activation methods. | -|[Manage VAMT Data](manage-vamt-data.md) |Describes how to save, import, export, and merge a Computer Information List (CILX) file using VAMT. | -|[VAMT Step-by-Step Scenarios](vamt-step-by-step.md) |Provides step-by-step instructions for using VAMT in typical environments. | -|[VAMT Known Issues](vamt-known-issues.md) |Lists known issues in VAMT. | - +|[Active Directory-based activation overview](active-directory-based-activation-overview.md) |Describes Active Directory-based activation scenarios. | +|[Install and configure VAMT](install-configure-vamt.md) |Describes how to install VAMT and use it to configure client computers on your network. | +|[Add and manage products](add-manage-products-vamt.md) |Describes how to add client computers into VAMT. | +|[Manage product keys](manage-product-keys-vamt.md) |Describes how to add and remove a product key from VAMT. 
| +|[Manage activations](manage-activations-vamt.md) |Describes how to activate a client computer by using various activation methods. | +|[Manage VAMT data](manage-vamt-data.md) |Describes how to save, import, export, and merge a Computer Information List (CILX) file using VAMT. | +|[VAMT step-by-step scenarios](vamt-step-by-step.md) |Provides step-by-step instructions for using VAMT in typical environments. | +|[VAMT known issues](vamt-known-issues.md) |Lists known issues in VAMT. | diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md index 18021d5a5d..c4377a6979 100644 --- a/windows/deployment/windows-10-deployment-posters.md +++ b/windows/deployment/windows-10-deployment-posters.md 
@@ -5,31 +5,33 @@ ms.reviewer: manager: dougeby author: aczechowski ms.author: aaroncz -ms.prod: w10 +ms.prod: windows-client +ms.technology: itpro-deploy ms.localizationpriority: medium -ms.topic: article +ms.topic: reference --- -# Windows 10 deployment process posters +# Windows 10 deployment process posters **Applies to** -- Windows 10 +- Windows 10 -The following posters step through various options for deploying Windows 10 with Windows Autopilot or Microsoft Endpoint Configuration Manager. +The following posters step through various options for deploying Windows 10 with Windows Autopilot or Microsoft Endpoint Configuration Manager. ## Deploy Windows 10 with Autopilot -The Windows Autopilot poster is two pages in portrait mode (11x17). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10AutopilotFlowchart.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10Autopilotflowchart.vsdx) format. +The Windows Autopilot poster is two pages in portrait mode (11x17). Select the image to download a PDF version. -[![Deploy Windows 10 with Autopilot.](./media/windows10-autopilot-flowchart.png)](./media/Windows10AutopilotFlowchart.pdf) +[![Deploy Windows 10 with Autopilot.](./media/windows10-autopilot-flowchart.png)](https://download.microsoft.com/download/8/4/b/84b5e640-8f66-4b43-81a9-1c3b9ea18eda/Windows10AutopilotFlowchart.pdf) ## Deploy Windows 10 with Microsoft Endpoint Configuration Manager -The Configuration Manager poster is one page in landscape mode (17x11). Click the image to view a PDF in your browser. 
You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.vsdx) format. +The Configuration Manager poster is one page in landscape mode (17x11). Select the image to download a PDF version. -[![Deploy Windows 10 with Configuration Manager.](./media/windows10-deployment-config-manager.png)](./media/Windows10DeploymentConfigManager.pdf) +[![Deploy Windows 10 with Configuration Manager.](./media/windows10-deployment-config-manager.png)](https://download.microsoft.com/download/e/2/a/e2a70587-d3cc-4f1a-ba49-cfd724a1736b/Windows10DeploymentConfigManager.pdf) ## See also -[Overview of Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot)
    -[Scenarios to deploy enterprise operating systems with Configuration Manager](/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems) +[Overview of Windows Autopilot](/mem/autopilot/windows-autopilot) + +[Scenarios to deploy enterprise operating systems with Configuration Manager](/mem/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems) diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index b56c8a8916..f2950818eb 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml @@ -32,6 +32,8 @@ href: deploy/windows-autopatch-device-registration-overview.md - name: Register your devices href: deploy/windows-autopatch-register-devices.md + - name: Post-device registration readiness checks + href: deploy/windows-autopatch-post-reg-readiness-checks.md - name: Operate href: operate/index.md items: diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md index 1d55fce3d7..ede51bee83 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md @@ -1,7 +1,7 @@ --- title: Device registration overview description: This article provides and overview on how to register devices in Autopatch -ms.date: 07/28/2022 +ms.date: 09/07/2022 ms.prod: w11 ms.technology: windows ms.topic: conceptual 
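Review bot: in the Active Directory-based activation hunk, the rewritten step 2 of the verification procedure carries over the "GLVK" typo and introduces a grammar slip: "Run the slmgr.vbs /ipk command and specifying the GLVK as the new product key." should read "Run the slmgr.vbs /ipk command and specify the GVLK as the new product key." The preceding sentence and the rest of the page use GVLK, and since this line is already being edited in this PR it is the right place to correct both.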
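Review bot: the unchanged context around steps 6 and 7 of the same file looks crossed and is worth fixing while step 7 is being rewritten: "Figure 14. Entering your KMS host key" embeds volumeactivationforwindows81-15.jpg with the alt text "Choosing how to activate your product", while "Figure 15. Choosing how to activate your product" embeds volumeactivationforwindows81-14.jpg with the alt text "Entering your KMS host key". Either the two image references or the two alt texts appear to be swapped; please verify against the images and align them.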
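Review bot: the introduction-vamt.md hunk removes the "In this Topic" list together with its explicit anchors (#bkmk-managingmak, #bkmk-managingkms, #bkmk-enterpriseenvironment, #bkmk-userinterface) and renames every H2, which also changes the auto-generated heading anchors. Any inbound link elsewhere in the repo that targets one of those fragments will break silently; please search for them before merging and add redirects or update the links as needed.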
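Review bot: in the volume-activation-management-tool.md hunk, the concrete list of supported operating systems and the MMC 3.0 requirement are replaced by "VAMT can be installed on any computer that has a supported Windows OS version" and an Important box that says the same, but neither points to where the supported versions are listed. Consider linking that sentence to the article that states the requirements (for example the install and configure article already referenced in the table) so the reader can find them.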
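Review bot: the windows-10-deployment-posters.md hunk drops the Visio (.vsdx) download links for both posters and changes the wording from "view a PDF in your browser" to "download a PDF version" without saying so in the PR description. If removing the Visio option is intentional, please confirm it, and check whether the now-unreferenced .vsdx and .pdf files under windows/deployment/media/ should be removed as well.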
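Review bot: the TOC.yml hunk adds an entry pointing at deploy/windows-autopatch-post-reg-readiness-checks.md, but that file does not appear in this part of the diff. Please make sure the new article is part of this PR, otherwise the TOC entry will produce a broken link at build time.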
@@ -44,12 +44,12 @@ See the following detailed workflow diagram. The diagram covers the Windows Auto | **Step 1: Identify devices** | IT admin identifies devices to be managed by the Windows Autopatch service. | | **Step 2: Add devices** | IT admin adds devices through direct membership or nests other Azure AD assigned or dynamic groups into the **Windows Autopatch Device Registration** Azure AD assigned group. | | **Step 3: Discover devices** | The Windows Autopatch Discover Devices function hourly discovers devices previously added by the IT admin into the **Windows Autopatch Device Registration** Azure AD assigned group in **step #2**. The Azure AD device ID is used by Windows Autopatch to query device attributes in both Microsoft Endpoint Manager-Intune and Azure AD when registering devices into its service.

    1. Once devices are discovered from the Azure AD group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Azure AD in this step:
      1. **AzureADDeviceID**
      2. **OperatingSystem**
      3. **DisplayName (Device name)**
      4. **AccountEnabled**
      5. **RegistrationDateTime**
      6. **ApproximateLastSignInDateTime**
    2. In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.
    | -| **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:
    1. **Serial number, model, and manufacturer.**
      1. Checks if the serial number already exists in the Windows Autopatch’s managed device database.
    2. **If the device is Intune-managed or not.**
      1. Windows Autopatch looks to see **if the Azure AD device ID has an Intune device ID associated with it**.
        1. If **yes**, it means this device is enrolled into Intune.
        2. If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
      2. **If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Azure AD device attributes gathered and saved to its memory in **step 3a**.
        1. Once it has the device attributes gathered from Azure AD in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not ready** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.
        2. A common reason is when the Azure AD device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Azure AD device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).
      3. **If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.
    3. **If the device is a Windows device or not.**
      1. Windows Autopatch looks to see if the Azure AD device ID has an Intune device ID associated with it.
        1. **If yes**, it means this device is enrolled into Intune.
        2. **If not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
    4. **Windows Autopatch checks the Windows SKU family**. The SKU must be either:
      1. **Enterprise**
      2. **Pro**
      3. **Pro Workstation**
    5. **If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:
      1. **Only managed by Intune.**
        1. If the device is only managed by Intune, the device is marked as Passed all prerequisites.
      2. **Co-managed by both Configuration Manager and Intune.**
        1. If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:
          1. **Windows Updates Policies**
          2. **Device Configuration**
          3. **Office Click to Run**
        2. If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not Ready** tab.
    | +| **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:
    1. **Serial number, model, and manufacturer.**
      1. Checks if the serial number already exists in the Windows Autopatch’s managed device database.
    2. **If the device is Intune-managed or not.**
      1. Windows Autopatch looks to see **if the Azure AD device ID has an Intune device ID associated with it**.
        1. If **yes**, it means this device is enrolled into Intune.
        2. If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
      2. **If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Azure AD device attributes gathered and saved to its memory in **step 3a**.
        1. Once it has the device attributes gathered from Azure AD in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not registered** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.
        2. A common reason is when the Azure AD device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Azure AD device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).
      3. **If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.
    3. **If the device is a Windows device or not.**
      1. Windows Autopatch looks to see if the Azure AD device ID has an Intune device ID associated with it.
        1. **If yes**, it means this device is enrolled into Intune.
        2. **If not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
    4. **Windows Autopatch checks the Windows SKU family**. The SKU must be either:
      1. **Enterprise**
      2. **Pro**
      3. **Pro Workstation**
    5. **If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:
      1. **Only managed by Intune.**
        1. If the device is only managed by Intune, the device is marked as Passed all prerequisites.
      2. **Co-managed by both Configuration Manager and Intune.**
        1. If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:
          1. **Windows Updates Policies**
          2. **Device Configuration**
          3. **Office Click to Run**
        2. If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not registered** tab.
    | | **Step 5: Calculate deployment ring assignment** | Once the device passes all prerequisites described in **step #4**, Windows Autopatch starts its deployment ring assignment calculation. The following logic is used to calculate the Windows Autopatch deployment ring assignment:
    1. If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is **First (5%)**, **Fast (15%)**, remaining devices go to the **Broad ring (80%)**.
    2. If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be **First (1%)**, **Fast (9%)**, remaining devices go to the **Broad ring (90%)**.
    | | **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to one of the following deployment ring groups:
    1. **Modern Workplace Devices-Windows Autopatch-First**
      1. The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Azure AD group (Modern Workplace Devices-Windows Autopatch-Test). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.
    2. **Modern Workplace Devices-Windows Autopatch-Fast**
    3. **Modern Workplace Devices-Windows Autopatch-Broad**
    | | **Step 7: Assign devices to an Azure AD group** | Windows Autopatch also assigns devices to the following Azure AD groups when certain conditions apply:
    1. **Modern Workplace Devices - All**
      1. This group has all devices managed by Windows Autopatch.
    2. When registering **Windows 10 devices**, use **Modern Workplace Devices Dynamic - Windows 10**
      1. This group has all devices managed by Windows Autopatch and that have Windows 10 installed.
    3. When registering **Windows 11 devices**, use **Modern Workplace Devices Dynamic - Windows 11**
      1. This group has all devices managed by Windows Autopatch and that have Windows 11 installed.
    4. When registering **virtual devices**, use **Modern Workplace Devices - Virtual Machine**
      1. This group has all virtual devices managed by Windows Autopatch.
      | | **Step 8: Post-device registration** | In post-device registration, three actions occur:
      1. Windows Autopatch adds devices to its managed database.
      2. Flags devices as **Active** in the **Ready** tab.
      3. The Azure AD device ID of the device successfully registered is added into the Microsoft Cloud Managed Desktop Extension’s allowlist. Windows Autopatch installs the Microsoft Cloud Managed Desktop Extension agent once devices are registered, so the agent can communicate back to the Microsoft Cloud Managed Desktop Extension service.
        1. The agent is the **Modern Workplace - Autopatch Client setup** PowerShell script that was created during the Windows Autopatch tenant enrollment process. The script is executed once devices are successfully registered into the Windows Autopatch service.
        | -| **Step 9: Review device registration status** | IT admins review the device registration status in both the **Ready** and **Not ready** tabs.
        1. If the device was **successfully registered**, the device shows up in the **Ready** tab.
        2. If **not**, the device shows up in the **Not ready** tab.
        | +| **Step 9: Review device registration status** | IT admins review the device registration status in both the **Ready** and **Not registered** tabs.
        1. If the device was **successfully registered**, the device shows up in the **Ready** tab.
        2. If **not**, the device shows up in the **Not registered** tab.
        | | **Step 10: End of registration workflow** | This is the end of the Windows Autopatch device registration workflow. | ## Detailed prerequisite check workflow diagram diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md new file mode 100644 index 0000000000..ad127f56ad --- /dev/null +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md 
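Review bot: in the Step 7 rows of this hunk, "When registering **Windows 10 devices**, use **Modern Workplace Devices Dynamic - Windows 10**" (and the Windows 11 and virtual-device rows) reads as an instruction to the admin, but the row's own lead-in says Windows Autopatch assigns devices to these groups automatically when the condition applies; suggest "Windows 10 devices are added to **Modern Workplace Devices Dynamic - Windows 10**" so nobody tries to populate these groups by hand. The Step 9 change from **Not ready** to **Not registered** is consistent with Step 4, which already moves prerequisite failures to the **Not registered** tab.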
@@ -0,0 +1,102 @@ +--- +title: Post-device registration readiness checks +description: This article details how post-device registration readiness checks are performed in Windows Autopatch +ms.date: 09/16/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: andredm7 +--- + +# Post-device registration readiness checks (public preview) + +> [!IMPORTANT] +> This feature is in "public preview". It is being actively developed, and may not be complete. They're made available on a “Preview” basis. You can test and use these features in production environments and scenarios, and provide feedback. + +One of the most expensive aspects of the software update management process is to make sure devices are always healthy to receive and report software updates for each software update release cycle. + +Having a way of measuring, quickly detecting and remediating when something goes wrong with on-going change management processes is important; it helps mitigate high Helpdesk ticket volumes, reduces cost, and improves overall update management results. + +Windows Autopatch provides proactive device readiness information about devices that are and aren't ready to be fully managed by the service. IT admins can easily detect and fix device-related issues that are preventing them from achieving their update management compliance report goals. + +## Device readiness scenarios + +Device readiness in Windows Autopatch is divided into two different scenarios: + +| Scenario | Description | +| ----- | ----- | +| Prerequisite checks | Ensures devices follow software-based requirements before being registered with the service. | +| Post-device registration readiness checks | Provides continuous monitoring of device health for registered devices.

        IT admins can easily detect and remediate configuration mismatches in their environments or issues that prevent devices from having one or more software update workloads (Windows quality, feature updates, Microsoft Office, Microsoft Teams, or Microsoft Edge) fully managed by the Windows Autopatch service. Configuration mismatches can leave devices in a vulnerable state, out of compliance and exposed to security threats.

        | + +### Device readiness checks available for each scenario + +| Required device readiness (prerequisite checks) prior to device registration (powered by Intune Graph API) | Required post-device registration readiness checks (powered by Microsoft Cloud Managed Desktop Extension) | +| ----- | ----- | +|
        • Windows OS (build, architecture and edition)
        • Managed by either Intune or ConfigMgr co-management
        • ConfigMgr co-management workloads
        • Last communication with Intune
        • Personal or non-Windows devices
        |
        • Windows OS (build, architecture and edition)
        • Windows updates & Office Group Policy Object (GPO) versus Intune mobile device management (MDM) policy conflict
        • Bind network endpoints (Microsoft Defender, Microsoft Teams, Microsoft Edge, Microsoft Office)
        • Internet connectivity
        | + +The status of each post-device registration readiness check is shown in the Windows Autopatch’s Devices blade under the **Not ready** tab. You can take appropriate action(s) on devices that aren't ready to be fully managed by the Windows Autopatch service. + +## About the three tabs in the Devices blade + +You deploy software updates to secure your environment, but these deployments only reach healthy and active devices. Unhealthy or not ready devices affect the overall software update compliance. Figuring out device health can be challenging and disruptive to the end user when IT can’t obtain proactive data sent by the device to the service for IT admins to proactively detect, troubleshoot, and fix issues. + +Windows Autopatch has three tabs within its Devices blade. Each tab is designed to provide a different set of device readiness statuses so IT admins know where to go to monitor, and troubleshoot potential device health issues: + +| Tab | Description | +| ----- | ----- | +| Ready | This tab only lists devices with the **Active** status. Devices with the **Active** status successfully:
        • Passed the prerequisite checks.
        • Registered with Windows Autopatch.
        This tab also lists devices that have passed all postdevice registration readiness checks. | +| Not ready | This tab only lists devices with the **Readiness failed** and **Inactive** status.
        • **Readiness failed status**: Devices that didn’t pass one or more post-device registration readiness checks.
        • **Inactive**: Devices that haven’t communicated with the Microsoft Endpoint Manager-Intune service in the last 28 days.
        | +| Not registered | Only lists devices with the **Prerequisite failed** status in it. Devices with the **Prerequisite failed** status didn’t pass one or more prerequisite checks during the device registration process. | + +## Details about the post-device registration readiness checks + +A healthy or active device in Windows Autopatch is: + +- Online +- Actively sending data +- Passes all post-device registration readiness checks + +The post-device registration readiness checks are powered by the **Microsoft Cloud Managed Desktop Extension**. It's installed right after devices are successfully registered with Windows Autopatch. The **Microsoft Cloud Managed Desktop Extension** has the Device Readiness Check Plugin. The Device Readiness Check Plugin is responsible for performing the readiness checks and reporting the results back to the service. The **Microsoft Cloud Managed Desktop Extension** is a subcomponent of the overall Windows Autopatch service. + +The following list of post-device registration readiness checks is performed in Windows Autopatch: + +| Check | Description | +| ----- | ----- | +| **Windows OS build, architecture, and edition** | Checks to see if devices support Windows 1809+ build (10.0.17763), 64-bit architecture and either Pro or Enterprise SKUs. | +| **Windows update policies managed via Microsoft Endpoint Manager-Intune** | Checks to see if devices have Windows Updates policies managed via Microsoft Endpoint Manager-Intune (MDM). | +| **Windows update policies managed via Group Policy Object (GPO)** | Checks to see if devices have Windows update policies managed via GPO. Windows Autopatch doesn’t support Windows update policies managed via GPOs. Windows update must be managed via Microsoft Endpoint Manager-Intune. | +| **Microsoft Office update policy managed via Group Policy Object (GPO)** | Checks to see if devices have Microsoft Office updates policies managed via GPO. 
Windows Autopatch doesn’t support Microsoft Office update policies managed via GPOs. Office updates must be managed via Microsoft Endpoint Manager-Intune or another Microsoft Office policy management method where Office update bits are downloaded directly from the Office Content Delivery Network (CDN). | +| **Windows Autopatch network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that Windows Autopatch services must be able to reach for the various aspects of the Windows Autopatch service. | +| **Microsoft Teams network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that devices with Microsoft Teams must be able to reach for software updates management. | +| **Microsoft Edge network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that devices with Microsoft Edge must be able to reach for software updates management. | +| **Internet connectivity** | Checks to see if a device has internet connectivity to communicate with Microsoft cloud services. Windows Autopatch uses the PingReply class. Windows Autopatch tries to ping at least three different Microsoft’s public URLs two times each, to confirm that ping results aren't coming from the device’s cache. | + +## Post-device registration readiness checks workflow + +See the following diagram for the post-device registration readiness checks workflow: + +:::image type="content" source="../media/windows-autopatch-post-device-registration-readiness-checks.png" alt-text="Post-device registration readiness checks" lightbox="../media/windows-autopatch-post-device-registration-readiness-checks.png"::: + +| Step | Description | +| ----- | ----- | +| **Steps 1-7** | For more information, see the [Device registration overview diagram](windows-autopatch-device-registration-overview.md).| +| **Step 8: Perform readiness checks** |
        1. Once devices are successfully registered with Windows Autopatch, the devices are added to the **Ready** tab.
        2. The Microsoft Cloud Managed Desktop Extension agent performs readiness checks against devices in the **Ready** tab every 24 hours.
        | +| **Step 9: Check readiness status** |
        1. The Microsoft Cloud Managed Desktop Extension service evaluates the readiness results gathered by its agent.
        2. The readiness results are sent from the Microsoft Cloud Managed Desktop Extension service component to the Device Readiness component within the Windows Autopatch’s service.
        | +| **Step 10: Add devices to the Not ready** | When devices don’t pass one or more readiness checks, even if they’re registered with Windows Autopatch, they’re added to the **Not ready** tab so IT admins can remediate devices based on Windows Autopatch recommendations. | +| **Step 11: IT admin understands what the issue is and remediates** | The IT admin checks and remediates issues in the Devices blade (**Not ready** tab). It can take up to 24 hours for devices to show back up into the **Ready** tab. | + +## FAQ + +| Question | Answer | +| ----- | ----- | +| **How frequent are the post-device registration readiness checks performed?** |
        • The **Microsoft Cloud Managed Desktop Extension** agent collects device readiness statuses when it runs (once a day).
        • Once the agent collects results for the post-device registration readiness checks, it generates readiness results in the device in the `%programdata%\Microsoft\CMDExtension\Plugins\DeviceReadinessPlugin\Logs\DRCResults.json.log`.
        • The readiness results are sent over to the **Microsoft Cloud Managed Desktop Extension service**.
        • The **Microsoft Cloud Managed Desktop Extension** service component sends the readiness results to the Device Readiness component. The results appear in the Windows Autopatch Devices blade (**Not ready** tab).
        | +| **What to expect when one or more checks fail?** | Devices are automatically sent to the **Ready** tab once they're successfully registered with Windows Autopatch. When devices don’t meet one or more post-device registration readiness checks, the devices are moved to the **Not ready** tab. IT admins can learn about these devices and take appropriate actions to remediate them. Windows Autopatch will provide information about the failure and how to potentially remediate devices.

        Once devices are remediated, it can take up to **24 hours** to show up in the **Ready** tab.

        | + +## Additional resources + +- [Device registration overview](windows-autopatch-device-registration-overview.md) +- [Register your devices](windows-autopatch-register-devices.md) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 61a5e35dfe..ddd32f7d97 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -1,7 +1,7 @@ --- title: Register your devices description: This article details how to register devices in Autopatch -ms.date: 08/08/2022 +ms.date: 09/07/2022 ms.prod: w11 ms.technology: windows ms.topic: how-to 
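Review bot: the **Internet connectivity** row in the new readiness-checks table explains that each URL is pinged twice "to confirm that ping results aren't coming from the device's cache", but a ping reply itself is not cached; if the intent is to rule out a cached DNS resolution or a previous result, say that, and fix "three different Microsoft's public URLs" to "three different Microsoft public URLs". Smaller points in the same file: the IMPORTANT callout switches subject mid-sentence ("This feature is in public preview ... They're made available"); the Ready tab row spells "postdevice" while the rest of the article uses "post-device"; Step 10's title "Add devices to the Not ready" is missing "tab"; and the FAQ's "generates readiness results in the device in the `...DRCResults.json.log`" would read better as "writes the readiness results on the device to `...DRCResults.json.log`".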
@@ -28,7 +28,13 @@ Windows Autopatch can take over software update management control of devices th ### About the use of an Azure AD group to register devices -You must choose what devices to manage with Windows Autopatch by either adding them through direct membership or by nesting other Azure AD dynamic/assigned groups into the **Windows Autopatch Device Registration** Azure AD assigned group. Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices. +You must choose what devices to manage with Windows Autopatch by adding them to the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can be added using the following methods: + +- Direct membership +- Nesting other Azure AD dynamic/assigned groups +- [Bulk add/import group members](/azure/active-directory/enterprise-users/groups-bulk-import-members) + +Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices. > [!NOTE] > Devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. You can also use the **Discover devices** button in either the **Ready** or **Not ready** tab to register devices on demand. 
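Review bot: the unchanged NOTE at the end of this hunk still says the **Discover devices** button is "in either the **Ready** or **Not ready** tab", while the TIP later in this same file is updated to "**Ready**, **Not ready**, or **Not registered**" and step 4 of the registration procedure to "**Ready** or the **Not registered** tab"; update the NOTE here to match whichever is correct so the three statements agree.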
@@ -78,14 +84,26 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set For more information, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md). -## About the Ready and Not ready tabs +## About the Ready, Not ready and Not registered tabs -Windows Autopatch introduces a new user interface to help IT admins detect and troubleshoot device readiness statuses seamlessly with actionable in-UI device readiness reports for unregistered devices or unhealthy devices. +Windows Autopatch has three tabs within its device blade. Each tab is designed to provide a different set of device readiness status so IT admin knows where to go to monitor, and troubleshoot potential device health issues. -| Tab | Purpose | -| ----- | ----- | -| Ready | The purpose of the Ready tab is to show devices that were successfully registered to the Windows Autopatch service. | -| Not ready | The purpose of the Not ready tab is to help you identify and remediate devices that don't meet the pre-requisite checks to register into the Windows Autopatch service. This tab only shows devices that didn't successfully register into Windows Autopatch. | +| Device blade tab | Purpose | Expected device readiness status | +| ----- | ----- | ----- | +| Ready | The purpose of this tab is to show devices that were successfully registered with the Windows Autopatch service. | Active | +| Not ready | The purpose of this tab is to help you identify and remediate devices that failed to pass one or more post-device registration readiness checks. Devices showing up in this tab were successfully registered with Windows Autopatch. However, these devices aren't ready to have one or more software update workloads managed by the service. 
| Readiness failed and/or Inactive | +| Not registered | The purpose of this tab is to help you identify and remediate devices that don't meet one or more prerequisite checks to successfully register with the Windows Autopatch service. | Pre-requisites failed | + +## Device readiness statuses + +See all possible device readiness statuses in Windows Autopatch: + +| Readiness status | Description | Device blade tab | +| ----- | ----- | ----- | +| Active | Devices with this status successfully passed all prerequisite checks and subsequently successfully registered with Windows Autopatch. Additionally, devices with this status successfully passed all post-device registration readiness checks. | Ready | +| Readiness failed | Devices with this status haven't passed one or more post-device registration readiness checks. These devices aren't ready to have one or more software update workloads managed by Windows Autopatch. | Not ready | +| Inactive | Devices with this status haven't communicated with Microsoft Endpoint Manager-Intune in the last 28 days. | Not ready | +| Pre-requisites failed | Devices with this status haven't passed one or more pre-requisite checks and haven't successfully registered with Windows Autopatch | Not registered | ## Built-in roles required for device registration 
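Review bot: the new tables use the status name "Pre-requisites failed" while the device registration overview (Step 4) and the new post-registration readiness article's Not registered row use "**Prerequisite failed**"; settle on the exact string the Devices blade shows, since admins will search for it. Also, "a different set of device readiness status so IT admin knows where to go" should be "statuses so IT admins know where to go", which is the wording the new readiness-checks article already uses for the same sentence.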
@@ -117,18 +135,18 @@ Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID **To register devices with Windows Autopatch:** 1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). -2. Select **Windows Autopatch** from the left navigation menu. -3. Select **Devices**. -4. Select either the **Ready** or the **Not ready** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. +2. Select **Devices** from the left navigation menu. +3. Under the **Windows Autopatch** section, select **Devices**. +4. Select either the **Ready** or the **Not registered** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. 5. Add either devices through direct membership, or other Azure AD dynamic or assigned groups as nested groups in the **Windows Autopatch Device Registration** group. > [!NOTE] -> The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both **Ready** and **Not ready** tabs. +> The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both **Ready** and **Not registered** tabs. 
Once devices or other Azure AD groups (either dynamic or assigned) containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch's device discovery hourly function discovers these devices, and runs software-based prerequisite checks to try to register them with its service. > [!TIP] -> You can also use the **Discover Devices** button in either the **Ready** or **Not ready** tab to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand. +> You can also use the **Discover Devices** button in either one of the **Ready**, **Not ready**, or **Not registered** device blade tabs to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand. On demand means you don't have to wait for Windows Autopatch to discover devices from the Azure AD group on your behalf. ### Windows Autopatch on Windows 365 Enterprise Workloads @@ -148,6 +166,7 @@ Windows 365 Enterprise gives IT admins the option to register devices with the W 1. Select **Create**. Now your newly provisioned Windows 365 Enterprise Cloud PCs will automatically be enrolled and managed by Windows Autopatch. For more information, see [Create a Windows 365 Provisioning Policy](/windows-365/enterprise/create-provisioning-policy). + ### Contact support for device registration-related incidents Support is available either through Windows 365, or the Windows Autopatch Service Engineering team for device registration-related incidents. diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png index 3abdb9288e..f5a8284a8c 100644 Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png differ 
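Review bot: step 4 in this hunk says the **Windows Autopatch Device Registration** hyperlink is reached from the **Ready** or **Not registered** tab and the NOTE says it sits at the top of those two tabs, but the updated TIP says **Discover Devices** is available in all three tabs including **Not ready**; confirm whether the hyperlink is also shown on **Not ready** and make step 4 and the NOTE say so if it is. While touching the NOTE, "when there's no devices registered" should read "when there are no devices registered".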
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-post-device-registration-readiness-checks.png b/windows/deployment/windows-autopatch/media/windows-autopatch-post-device-registration-readiness-checks.png new file mode 100644 index 0000000000..c6abcd6790 Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-post-device-registration-readiness-checks.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png b/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png index 043e275574..4e347dc3cf 100644 Binary files a/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png and b/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png differ diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md index 15a138fcdf..50e4fd586e 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md @@ -37,7 +37,7 @@ In this example, we'll be discussing a device in the First ring. The Autopatch s In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline. -:::image type="content" source="../media/windows-feature-typical-update-experience.png" alt-text="Typical Windows feature update experience"::: +:::image type="content" source="../media/windows-feature-typical-update-experience.png" alt-text="Typical Windows feature update experience" lightbox="../media/windows-feature-typical-update-experience.png"::: ### Feature update deadline forces an update 
@@ -45,7 +45,7 @@ The following example builds on the scenario outlined in the typical user experi The deadline specified in the update policy is five days. Therefore, once this deadline is passed, the device will ignore the active hours and force a restart to complete the installation. The user will receive a 15-minute warning, after which, the device will install the update and restart. -:::image type="content" source="../media/windows-feature-force-update.png" alt-text="Force Windows feature update"::: +:::image type="content" source="../media/windows-feature-force-update.png" alt-text="Force Windows feature update" lightbox="../media/windows-feature-force-update.png"::: ### Feature update grace period @@ -53,7 +53,7 @@ In the following example, the user is on holiday and the device is offline beyon Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification. -:::image type="content" source="../media/windows-feature-update-grace-period.png" alt-text="Window feature update grace period"::: +:::image type="content" source="../media/windows-feature-update-grace-period.png" alt-text="Windows feature update grace period" lightbox="../media/windows-feature-update-grace-period.png"::: ## Servicing window diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index 8e6075fd7e..1f19a0fd64 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md 
@@ -46,7 +46,7 @@ The final release schedule is communicated prior to release and may vary a littl | Fast | Release start + 60 days | | Broad | Release start + 90 days | -:::image type="content" source="../media/windows-feature-release-process-timeline.png" alt-text="Windows feature release timeline"::: +:::image type="content" source="../media/windows-feature-release-process-timeline.png" alt-text="Windows feature release timeline" lightbox="../media/windows-feature-release-process-timeline.png"::: ## New devices to Windows Autopatch @@ -64,7 +64,7 @@ When releasing a feature update, there are two policies that are configured by t | Ring | Target version (DSS) Policy | Feature update deferral | Feature update deadline | Feature update grace period | | ----- | ----- | ----- | ----- | ----- | | Test | 21H2 | 0 | 5 | 0 | -| First | 21H2 | 0 | 5 | 0 | +| First | 21H2 | 0 | 5 | 2 | | Fast | 21H2 | 0 | 5 | 2 | | Broad | 21H2 | 0 | 5 | 2 | diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md index 93e03a5de2..9fa7e60794 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md 
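Review bot: the First ring's feature update grace period change from 0 to 2 in the second hunk is not explained in the change; it does line up with the end-user experience article in this same PR, whose grace-period scenario describes a First-ring device being granted a two-day grace period, so it is worth stating that in the PR description. Confirm the Test ring staying at 0 is intended, since it is now the only ring without a grace period.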
@@ -26,5 +26,8 @@ After you've completed enrollment in Windows Autopatch, some management settings | Setting | Description | | ----- | ----- | -| Conditional access policies | If you create any new conditional access or multi-factor authentication policies related to Azure AD, or Microsoft Intune after Windows Autopatch enrollment, exclude the Modern Workplace Service Accounts Azure AD group from them. For more information, see [Conditional Access: Users and groups](/azure/active-directory/conditional-access/concept-conditional-access-users-groups). Windows Autopatch maintains separate conditional access policies to restrict access to these accounts.

        **To review the Windows Autopatch conditional access policy (Modern Workplace – Secure Workstation):**

        Go to Microsoft Endpoint Manager and navigate to **Conditional Access** in **Endpoint Security**. Do **not** modify any Azure AD conditional access policies created by Windows Autopatch that have "**Modern Workplace**" in the name.

        | | Update rings for Windows 10 or later | For any update rings for Windows 10 or later policies you've created, exclude the **Modern Workplace Devices - All** Azure AD group from each policy. For more information, see [Create and assign update rings](/mem/intune/protect/windows-10-update-rings#create-and-assign-update-rings).

        Windows Autopatch will also have created some update ring policies. all of which The policies will have "**Modern Workplace**" in the name. For example:

        • Modern Workplace Update Policy [Broad]-[Windows Autopatch]
        • Modern Workplace Update Policy [Fast]-[Windows Autopatch]
        • Modern Workplace Update Policy [First]-[Windows Autopatch]
        • Modern Workplace Update Policy [Test]-[Windows Autopatch]

        When you update your own policies, ensure that you don't exclude the **Modern Workplace Devices - All** Azure AD group from the policies that Windows Autopatch created.

        **To resolve the Not ready result:**

        After enrolling into Autopatch, make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group.For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).

        **To resolve the Advisory result:**

        1. Make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group.
        2. If you have assigned Azure AD user groups to these policies, make sure that any update ring policies you have also **exclude** the **Modern Workplace - All** Azure AD group that you add your Windows Autopatch users to (or an equivalent group).

        For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).

        | + +## Windows Autopatch configurations + +Windows Autopatch deploys, manages and maintains all configurations related to the operation of the service, as described in [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). Don't make any changes to any of the Windows Autopatch configurations. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md index ddefb5977c..d3ef9e518e 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md 
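Review bot: the removed **Conditional access policies** row is the only place on this page that told admins to exclude the **Modern Workplace Service Accounts** Azure AD group from any new conditional access or MFA policies and not to modify the "Modern Workplace" policies; the new **Windows Autopatch configurations** section only says not to change Windows Autopatch's own configurations, which does not cover a customer-created policy that could block the service accounts. Either keep the row or confirm the exclusion guidance is present in the linked "Changes made at tenant enrollment" article. Two fixes while in the **Update rings** row: "update ring policies. all of which The policies will have" is a garbled sentence (suggest "update ring policies, all of which have"), and "group.For more information" is missing a space.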
@@ -33,7 +33,7 @@ For a device to be eligible for Microsoft 365 Apps for enterprise updates, as a All devices registered for Windows Autopatch will receive updates from the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). This practice provides your users with new features each month, and they'll receive just one update per month on a predictable release schedule. Updates are released on the second Tuesday of the month; these updates can include feature, security, and quality updates. These updates occur automatically and are pulled directly from the Office Content Delivery Network (CDN). -Unlike Windows update, the Office CDN doesn't make the update available to all devices at once. Over the course of the release, the Office CDN gradually makes the update available to the whole population of devices. Windows Autopatch doesn't control the order in which updates are offered to devices across your estate. After the update has been downloaded, there's a three-day [update deadline](/deployoffice/configure-update-settings-microsoft-365-apps) that specifies how long the user has until the user must apply the update. +Unlike Windows update, the Office CDN doesn't make the update available to all devices at once. Over the course of the release, the Office CDN gradually makes the update available to the whole population of devices. Windows Autopatch doesn't control the order in which updates are offered to devices across your estate. After the update has been downloaded, there's a seven day [update deadline](/deployoffice/configure-update-settings-microsoft-365-apps) that specifies how long the user has until the user must apply the update. ## Update rings diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md index 36f12e46cd..9d1f37b506 100644 
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md @@ -41,8 +41,6 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro | ----- | ----- | | Updates | After the Windows Autopatch service is unenrolled, we’ll no longer provide updates to your devices. You must ensure that your devices continue to receive updates through your own policies to ensure they're secure and up to date. | | Optional Windows Autopatch configuration | Windows Autopatch won’t remove the configuration policies or groups used to enable updates on your devices. You're responsible for these policies following tenant unenrollment. If you don’t wish to use these policies for your devices after unenrollment, you may safely delete them. For more information, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). | -| Windows Autopatch cloud service accounts | After unenrollment, you may safely remove the cloud service accounts created during the enrollment process. The accounts are:
        • MsAdmin
        • MsAdminInt
        • MsTest
        | -| Conditional access policy | After unenrollment, you may safely remove the **Modern Workplace – Secure Workstation** conditional access policy. | | Microsoft Endpoint Manager roles | After unenrollment, you may safely remove the Modern Workplace Intune Admin role. | ## Unenroll from Windows Autopatch diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md index 983a41a940..3169d13cff 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md 
@@ -40,13 +40,16 @@ During the [tenant enrollment process](../prepare/windows-autopatch-enroll-tenan Each deployment ring has a different set of update deployment policies to control the updates rollout. +> [!WARNING] +> Adding or importing devices into any of these groups directly is not supported and doing so might cause an unexpected impact on the Windows Autopatch service. To move devices between these groups, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). + > [!IMPORTANT] > Windows Autopatch device registration doesn't assign devices to its test deployment ring (**Modern Workplace Devices-Windows Autopatch-Test**). This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments. Also, during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md), Windows Autopatch assigns each device being registered to one of its deployment rings so that the service has the proper representation of the device diversity across the organization in each deployment ring. The deployment ring distribution is designed to release software update deployments to as few devices as possible to get the signals needed to make a quality evaluation of a given update deployment. > [!NOTE] -> Windows Autopatch deployment rings only apply to Windows quality updates. Additionally, you can't create additional deployment rings or use your own for devices managed by the Windows Autopatch service. +> You can't create additional deployment rings or use your own for devices managed by the Windows Autopatch service. ### Deployment ring calculation logic 
@@ -58,7 +61,7 @@ The Windows Autopatch deployment ring calculation happens during the [device reg | Deployment ring | Default device balancing percentage | Description | | ----- | ----- | ----- | -| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring. The recommended number of devices in this ring, based upon your environment size, is as follows:
        • **0–500** devices: minimum **one** device.
        • **500–5000** devices: minimum **five** devices.
        • **5000+** devices: minimum **50** devices.
        Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | +| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:
        • **0–500** devices: minimum **one** device.
        • **500–5000** devices: minimum **five** devices.
        • **5000+** devices: minimum **50** devices.
        Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | | First | **1%** | The First ring is the first group of production users to receive a change.

        This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.

        Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| | Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.

        The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.

        | | Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in an software update deployment.| @@ -80,7 +83,10 @@ When the assignment is complete, the **Ring assigned by** column changes to **Ad > [!NOTE] > You can only move devices to other deployment rings when they're in an active state in the **Ready** tab.

        If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check to see whether the device exists in Microsoft Endpoint Manager-Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory). - + +> [!WARNING] +> Moving devices between deployment rings through directly changing Azure AD group membership isn't supported and may cause unintended configuration conflicts within the Windows Autopatch service. To avoid service interruption to devices, use the **Assign device to ring** action described previously to move devices between deployment rings. + ## Automated deployment ring remediation functions Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test** ring, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either: diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md index 555d20ee68..b83dc059df 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md 
@@ -36,7 +36,7 @@ Once the deferral period has passed, the device will download the update and not In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline. -:::image type="content" source="../media/windows-quality-typical-update-experience.png" alt-text="Typical windows quality update experience"::: +:::image type="content" source="../media/windows-quality-typical-update-experience.png" alt-text="Typical windows quality update experience" lightbox="../media/windows-quality-typical-update-experience.png"::: ### Quality update deadline forces an update @@ -48,7 +48,7 @@ In the following example, the user: The deadline specified in the update policy is five days. Therefore, once this deadline is passed, the device will ignore the [active hours](#servicing-window) and force a restart to complete the update installation. The user will receive a 15-minute warning, after which, the device will install the update and restart. -:::image type="content" source="../media/windows-quality-force-update.png" alt-text="Force Windows quality update"::: +:::image type="content" source="../media/windows-quality-force-update.png" alt-text="Force Windows quality update" lightbox="../media/windows-quality-force-update.png"::: ### Quality update grace period 
@@ -56,7 +56,7 @@ In the following example, the user is on holiday and the device is offline beyon Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification. -:::image type="content" source="../media/windows-quality-update-grace-period.png" alt-text="Windows quality update grace period"::: +:::image type="content" source="../media/windows-quality-update-grace-period.png" alt-text="Windows quality update grace period" lightbox="../media/windows-quality-update-grace-period.png"::: ## Servicing window diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md index c7c96c2575..a8da5aeb86 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md @@ -50,7 +50,7 @@ To release updates to devices in a gradual manner, Windows Autopatch deploys a s Windows Autopatch configures these policies differently across update rings to gradually release the update to devices in your estate. Devices in the Test ring receive changes first and devices in the Broad ring receive changes last. For more information, see [Windows Autopatch deployment rings](../operate/windows-autopatch-update-management.md#windows-autopatch-deployment-rings). -:::image type="content" source="../media/release-process-timeline.png" alt-text="Release process timeline"::: +:::image type="content" source="../media/release-process-timeline.png" alt-text="Release process timeline" lightbox="../media/release-process-timeline.png"::: ## Expedited releases 
@@ -74,10 +74,6 @@ If we pause the release, a policy will be deployed which prevents devices from u You can pause or resume a Windows quality update from the Release management tab in Microsoft Endpoint Manager. -## Rollback - -Windows Autopatch will rollback updates if we detect a [significant issue with a release](../operate/windows-autopatch-wqu-signals.md). - ## Incidents and outages If devices in your tenant aren't meeting the [service level objective](../operate/windows-autopatch-wqu-overview.md#service-level-objective) for Windows quality updates, an incident will be raised, and the Windows Autopatch Service Engineering Team will work to bring the devices back into compliance. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md index cf052fbba4..d8b16b880a 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md 
@@ -40,9 +40,9 @@ The update is released to the Test ring on the second Tuesday of the month. Thos ## Device reliability signals -Windows Autopatch monitors devices for a set of core reliability metrics as a part of the service. +Windows Autopatch monitors devices for a set of core reliability metrics as a part of the service. -The service then uses statistical models to assess if there are significant differences between the two Windows versions. To make a statistically significant assessment, Windows Autopatch requires that at least 500 devices have upgraded to the new version. +The service then uses statistical models to assess if there are significant differences between the two Windows versions. To make a statistically significant assessment, Windows Autopatch requires that at least 500 devices in your tenant have upgraded to the new version. As more devices update, the confidence of the analysis increases and gives us a clearer picture of release quality. If we determine that the user experience is impaired, Autopatch will either post a customer advisory or pause the release, depending on the criticality of the update. 
@@ -51,8 +51,8 @@ Autopatch monitors the following reliability signals: | Device reliability signal | Description | | ----- | ----- | | Blue screens | These events are highly disruptive to end users so are closely watched. | -| Overall app reliability | Tracks the total number of app crashes and freezes on a device. A known issue with this measure is that if one app becomes 10% more reliable and another becomes 10% less reliable then it shows up as a flat line in the measure. | -| Microsoft Office reliability | Tracks the number of Office crashes or freezes per application per device. | +| Overall app reliability | Tracks the total number of app crashes and freezes on a device. A known limitation with this measure is that if one app becomes 10% more reliable and another becomes 10% less reliable then it shows up as a flat line in the measure. | +| Microsoft Office reliability | Tracks the number of Office crashes and freezes per application per device. | | Microsoft Edge reliability | Tracks the number of Microsoft Edge crashes and freezes per device. | | Microsoft Teams reliability | Tracks the number of Microsoft Teams crashes and freezes per device. | diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 54b36ea6ce..0ab881bf82 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -4,7 +4,7 @@ metadata: description: Answers to frequently asked questions about Windows Autopatch. ms.prod: w11 ms.topic: faq - ms.date: 08/08/2022 + ms.date: 08/26/2022 audience: itpro ms.localizationpriority: medium manager: dougeby 
@@ -51,7 +51,7 @@ sections: - [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune. Pilot collection must contain the devices you want to register into Autopatch.) - question: What are the licensing requirements for Windows Autopatch? answer: | - - Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). + - Windows Autopatch is included with Window 10/11 Enterprise E3 or higher (user-based only). For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). - [Azure AD Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses) (for Co-management) - [Microsoft Intune](/mem/intune/fundamentals/licenses) (includes Configuration Manager 2010 or greater via co-management) - question: Are there hardware requirements for Windows Autopatch? 
@@ -67,21 +67,22 @@ sections: No, Windows 365 Enterprise Cloud PC's support all features of Windows Autopatch. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices). - question: Do my Cloud PCs appear any differently in the Windows Autopatch admin center? answer: | - Cloud PC displays the model as the license type you have provisioned. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices). + Cloud PC displays the model as the license type you have provisioned. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#windows-autopatch-on-windows-365-enterprise-workloads). - question: Can I run Autopatch on my Windows 365 Business Workloads? answer: | - No. Autopatch is only available on enterprise workloads. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices). + No. Autopatch is only available on enterprise workloads. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#windows-autopatch-on-windows-365-enterprise-workloads). - name: Update Management questions: - question: What systems does Windows Autopatch update? answer: | - Windows 10/11 quality updates: Windows Autopatch manages all aspects of update rings. + - Windows 10/11 feature updates: Windows Autopatch manages all aspects of update rings. - Microsoft 365 Apps for enterprise updates: All devices registered for Windows Autopatch will receive updates from the Monthly Enterprise Channel. 
- Microsoft Edge: Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel and will provide support for issues with Microsoft Edge updates. - Microsoft Teams: Windows Autopatch allows eligible devices to benefit from the standard automatic update channels and will provide support for issues with Teams updates. - question: What does Windows Autopatch do to ensure updates are done successfully? answer: | - For Windows quality updates, updates are applied to device in the Test ring first. The devices are evaluated, and then rolled out to the First, Fast then Broad rings. There's an evaluation period at each progression. This process is dependent on customer testing and verification of all updates during these rollout stages. The outcome is to ensure that registered devices are always up to date and disruption to business operations is minimized to free up your IT department from that ongoing task. + For Windows quality updates, updates are applied to devices in the Test ring first. The devices are evaluated, and then rolled out to the First, Fast then Broad rings. There's an evaluation period at each progression. This process is dependent on customer testing and verification of all updates during these rollout stages. The outcome is to ensure that registered devices are always up to date and disruption to business operations is minimized to free up your IT department from that ongoing task. - question: What happens if there's an issue with an update? answer: | Autopatch relies on the following capabilities to help resolve update issues: 
@@ -98,7 +99,7 @@ sections: No, you can't customize update scheduling. However, you can specify [active hours](../operate/windows-autopatch-wqu-end-user-exp.md#servicing-window) to prevent users from updating during business hours. - question: Does Autopatch support include and exclude groups, or dynamic groups to define deployment ring membership? answer: | - Windows autopatch doesn't support managing update deployment ring membership using your Azure AD groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). + Windows Autopatch doesn't support managing update deployment ring membership using your Azure AD groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). - question: Does Autopatch have two release cadences per update or are there two release cadences per-ring? answer: | The release cadences are defined based on the update type. For example, a [regular cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) (for a Windows quality update would be a gradual rollout from the Test ring to the Broad ring over 14 days whereas an [expedited release](../operate/windows-autopatch-wqu-overview.md#expedited-releases) would roll out more rapidly. diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md index 7ff9f212c0..cb7b64d172 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md 
@@ -14,7 +14,7 @@ msreviewer: hathind # Enroll your tenant -Before you enroll in Windows Autopatch, there are settings and other parameters you must set ahead of time. +Before you enroll in Windows Autopatch, there are settings, and other parameters you must set ahead of time. > [!IMPORTANT] > You must be a Global Administrator to enroll your tenant. @@ -30,7 +30,7 @@ To start using the Windows Autopatch service, ensure you meet the [Windows Autop > [!IMPORTANT] > The online Readiness assessment tool helps you check your readiness to enroll in Windows Autopatch for the first time. Once you enroll, you'll no longer be able to access the tool again. -The Readiness assessment tool checks the settings in [Microsoft Endpoint Manager](#microsoft-intune-settings) (specifically, Microsoft Intune) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure they'll work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Configuration Manager Co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements). +The Readiness assessment tool checks the settings in [Microsoft Endpoint Manager](#microsoft-intune-settings) (specifically, Microsoft Intune) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure they'll work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Configuration Manager co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements). **To access and run the Readiness assessment tool:** 
@@ -43,8 +43,6 @@ The Readiness assessment tool checks the settings in [Microsoft Endpoint Manager > [!IMPORTANT] > If you don't see the Tenant enrollment blade, this is because you don't meet the prerequisites or the proper licenses. For more information, see [Windows Autopatch prerequisites](windows-autopatch-prerequisites.md#more-about-licenses). -A Global Administrator should be used to run this tool. Other roles, such as the Global Reader and Intune Administrator have insufficient permissions to complete the checks on Conditional Access Policies and Multi-factor Authentication. For more information about the extra permissions, see [Conditional access policies](../prepare/windows-autopatch-fix-issues.md#conditional-access-policies). - The Readiness assessment tool checks the following settings: ### Microsoft Intune settings @@ -62,9 +60,7 @@ The following are the Azure Active Directory settings: | Check | Description | | ----- | ----- | -| Conditional access | Verifies that conditional access policies and multi-factor authentication aren't assigned to all users.

        Your conditional access policies must not prevent our service accounts from accessing the service and must not require multi-factor authentication. For more information, see [Conditional access policies](../prepare/windows-autopatch-fix-issues.md#conditional-access-policies). | -| Windows Autopatch cloud service accounts | Checks that no usernames conflict with ones that Windows Autopatch reserves for its own use. The cloud service accounts are:

        • MsAdmin
        • MsAdminInt
        • MsTest
        For more information, see [Tenant access](../references/windows-autopatch-privacy.md#tenant-access). | -| Security defaults | Checks whether your Azure Active Directory organization has security defaults enabled. | +| Co-management | This advisory check only applies if co-management is applied to your tenant. This check ensures that the proper workloads are in place for Windows Autopatch. If co-management doesn't apply to your tenant, this check can be safely disregarded, and won't block device deployment. | | Licenses | Checks that you've obtained the necessary [licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). | ### Check results diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md index 4e430a1b6d..ae202548a6 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md @@ -25,7 +25,7 @@ For each check, the tool will report one of four possible results: | Ready | No action is required before completing enrollment. | | Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.

        You can complete enrollment, but you must fix these issues before you deploy your first device. | | Not ready | You must fix these issues before enrollment. You won’t be able to enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them. | -| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permission to run this check or your tenant is not properly licensed for Microsoft Intune. | +| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permission to run this check or your tenant isn't properly licensed for Microsoft Intune. | > [!NOTE] > The results reported by this tool reflect the status of your settings only at the time that you ran it. If you make changes later to policies in Microsoft Intune, Azure Active Directory (AD), or Microsoft 365, items that were "Ready" can become "Not ready". To avoid problems with Windows Autopatch operations, review the specific settings described in this article before you change any policies. @@ -55,14 +55,13 @@ Your "Windows 10 update ring" policy in Intune must not target any Windows Autop You can access Azure Active Directory (AD) settings in the [Azure portal](https://portal.azure.com/). -### Conditional access policies +### Co-management -Conditional access policies must not prevent Windows Autopatch from connecting to your tenant. +Co-management enables you to concurrently manage Windows 10 or later devices by using both Configuration Manager and Microsoft Intune. | Result | Meaning | | ----- | ----- | -| Advisory | You have at least one conditional access policy that targets all users or at least one conditional access policy set as required for multi-factor authentication. These policies could prevent Windows Autopatch from managing the Windows Autopatch service.

        During enrollment, we'll attempt to exclude Windows Autopatch service accounts from relevant conditional access policies and apply new conditional access policies to restrict access to these accounts. However, if we're unsuccessful, this can cause errors during your enrollment experience.

        For best practice, [create an assignment that targets a specific Azure Active Directory (AD) group](/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal) that doesn't include Windows Autopatch service accounts.

        | -| Error | The Intune Administrator role doesn't have sufficient permissions for this check. You'll also need to have these Azure Active Directory (AD) roles assigned to run this check:
        • Security Reader
        • Security Administrator
        • Conditional Access Administrator
        • Global Reader
        • Devices Administrator
        | +| Advisory | To successfully enroll devices that are co-managed into Windows Autopatch, it's necessary that the following co-managed workloads are set to **Intune**:
        • Device configuration
        • Windows update policies
        • Office 365 client apps

        If co-management doesn't apply to your tenant, this check can be safely disregarded, and it won't block device deployment.

        | ### Licenses @@ -71,19 +70,3 @@ Windows Autopatch requires the following licenses: | Result | Meaning | | ----- | ----- | | Not ready | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium, and Microsoft Intune are required. For more information, see [more about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). | - -### Windows Autopatch cloud service accounts - -Certain account names could conflict with account names created by Windows Autopatch. - -| Result | Meaning | -| ----- | ----- | -| Not ready | You have at least one account name that will conflict with account names created by Windows Autopatch. The cloud service accounts are:
        • MsAdmin
        • MsAdminInt
        • MsTest

        You must either rename or remove conflicting accounts to move forward with enrolling to the Windows Autopatch service as we'll create these accounts as part of running our service. For more information, see [Tenant Access](../references/windows-autopatch-privacy.md#tenant-access).

        | - -### Security defaults - -Security defaults in Azure Active Directory (AD) will prevent Windows Autopatch from managing your devices. - -| Result | Meaning | -| ----- | ----- | -| Not ready | You have Security defaults turned on. Turn off Security defaults and set up conditional access policies. For more information, see [Common conditional access policies](/azure/active-directory/conditional-access/concept-conditional-access-policy-common). | diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index abbe0e525e..0b64d2adfa 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md @@ -1,7 +1,7 @@ --- title: Prerequisites description: This article details the prerequisites needed for Windows Autopatch -ms.date: 08/04/2022 +ms.date: 09/16/2022 ms.prod: w11 ms.technology: windows ms.topic: conceptual @@ -24,12 +24,12 @@ Getting started with Windows Autopatch has been designed to be easy. This articl | Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).

        For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).

        For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). | | Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.

        For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). | | Azure Active Directory | Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join.

        • For more information, see [Azure Active Directory Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect) and [Hybrid Azure Active Directory join](/azure/active-directory/devices/howto-hybrid-azure-ad-join)
        • For more information on supported Azure Active Directory Connect versions, see [Azure AD Connect:Version release history](/azure/active-directory/hybrid/reference-connect-version-history).
        | -| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.

        At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below.

        Other device management prerequisites include:

        • Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.
        • Devices must be managed by either Intune or Configuration Manager Co-management. Devices only managed by Configuration Manager aren't supported.
        • Devices must be in communication with Microsoft Intune in the **last 28 days**. Otherwise, the devices won't be registered with Autopatch.
        • Devices must be connected to the internet.
        • Devices must have a **Serial number**, **Model** and **Manufacturer**. Device emulators that don't generate this information fail to meet **Intune or Cloud-attached** prerequisite check.

        See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device prerequisites and on how the device registration process works.

        For more information on co-management, see [Co-management for Windows devices](/mem/configmgr/comanage/overview).

        | +| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.

        At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see [co-management requirements for Windows Autopatch](#configuration-manager-co-management-requirements).

        Other device management prerequisites include:

        • Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.
        • Devices must be managed by either Intune or Configuration Manager co-management. Devices only managed by Configuration Manager aren't supported.
        • Devices must be in communication with Microsoft Intune in the **last 28 days**. Otherwise, the devices won't be registered with Autopatch.
        • Devices must be connected to the internet.
        • Devices must have a **Serial number**, **Model** and **Manufacturer**. Device emulators that don't generate this information fail to meet **Intune or Cloud-attached** prerequisite check.

        See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device prerequisites and on how the device registration process works.

        For more information on co-management, see [co-management for Windows devices](/mem/configmgr/comanage/overview).

        | | Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../references/windows-autopatch-privacy.md). | ## More about licenses -Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. The following are the other licenses that grant entitlement to Windows Autopatch: +Windows Autopatch is included with Window 10/11 Enterprise E3 or higher (user-based only). The following are the service plan SKUs that are eligible for Windows Autopatch: | License | ID | GUID number | | ----- | ----- | ------| @@ -45,13 +45,13 @@ The following Windows OS 10 editions, 1809 builds and architecture are supported - Windows 10 (1809+)/11 Enterprise - Windows 10 (1809+)/11 Pro for Workstations -## Configuration Manager Co-management requirements +## Configuration Manager co-management requirements Windows Autopatch fully supports co-management. The following co-management requirements apply: - Use a currently supported [Configuration Manager version](/mem/configmgr/core/servers/manage/updates#supported-versions). -- ConfigMgr must be [cloud-attached with Intune (Co-management)](/mem/configmgr/cloud-attach/overview) and must have the following Co-management workloads enabled: - - Set the [Windows Update workload](/mem/configmgr/comanage/workloads#windows-update-policies) to Pilot Intune or Intune. +- ConfigMgr must be [cloud-attached with Intune (co-management)](/mem/configmgr/cloud-attach/overview) and must have the following co-management workloads enabled: + - Set the [Windows Update policies workload](/mem/configmgr/comanage/workloads#windows-update-policies) to Pilot Intune or Intune. - Set the [Device configuration workload](/mem/configmgr/comanage/workloads#device-configuration) to Pilot Intune or Intune. - Set the [Office Click-to-Run apps workload](/mem/configmgr/comanage/workloads#office-click-to-run-apps) to Pilot Intune or Intune. 
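Review bot: the new Co-management advisory in the readiness-tool article contradicts the prerequisites article changed in the same patch. The advisory says the Device configuration, Windows update policies and Office 365 client apps workloads must be set to **Intune**, while the prerequisites table and the "Configuration Manager co-management requirements" section say "Pilot Intune or Intune" and name the workloads "Windows Update policies" and "Office Click-to-Run apps"; pick one requirement and one set of workload names, otherwise an admin running the tool against a Pilot Intune tenant can't tell whether the advisory is actionable. Two further points in the readiness-tool file: the Co-management section replaces the Conditional access section but keeps the preceding context line "You can access Azure Active Directory (AD) settings in the Azure portal", so a Configuration Manager check now sits under an Azure AD lead-in; and the removed Security defaults row stated that security defaults "will prevent Windows Autopatch from managing your devices" without the replacement saying whether that is still true. If security defaults no longer matter because the service now authenticates through its enterprise application rather than the MsAdmin/MsAdminInt/MsTest accounts, say so in one sentence (the NOTE about later policy changes is a natural place); if they still block enrollment, the check should stay.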
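Review bot: the "More about licenses" hunk rewrites the lead sentence but keeps the typo "Window 10/11 Enterprise E3" (should be "Windows 10/11"); since the line is already being edited to add "(user-based only)" and "service plan SKUs", fix it here. In the Device management row, "fail to meet **Intune or Cloud-attached** prerequisite check" reads better as "fail the **Intune or Cloud-attached** prerequisite check". The remaining edits in this file (lower-case "co-management", the anchor link to #configuration-manager-co-management-requirements, and "Windows Update policies workload") are consistent with the renamed heading.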
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index 62a9d46a41..698612aa82 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -14,6 +14,11 @@ msreviewer: hathind # Changes made at tenant enrollment +The following configuration details are provided as information to help you understand the changes made to your tenant when enrolling into the Windows Autopatch service. + +> [!IMPORTANT] +> The service manages and maintains the following configuration items. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service. + ## Service principal Windows Autopatch will create a service principal in your tenant allowing the service to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is: 
@@ -22,25 +27,21 @@ Windows Autopatch will create a service principal in your tenant allowing the se ## Azure Active Directory groups -Windows Autopatch will create Azure Active Directory groups that are required to operate the service. The following groups are used for targeting Windows Autopatch configurations to devices and management of the service by our service accounts. +Windows Autopatch will create Azure Active Directory groups that are required to operate the service. The following groups are used for targeting Windows Autopatch configurations to devices and management of the service by our [first party enterprise applications](#windows-autopatch-enterprise-applications). | Group name | Description | | ----- | ----- | | Modern Workplace-All | All Modern Workplace users | | Modern Workplace - Windows 11 Pre-Release Test Devices | Device group for Windows 11 Pre-Release testing. | | Modern Workplace Devices-All | All Modern Workplace devices | -| Modern Workplace Devices-Windows Autopatch-Test | Immediate ring for device rollout | -| Modern Workplace Devices-Windows Autopatch-First | First production ring for early adopters | -| Modern Workplace Devices-Windows Autopatch-Fast | Fast ring for quick rollout and adoption | -| Modern Workplace Devices-Windows Autopatch-Broad | Final ring for broad rollout into an organization | +| Modern Workplace Devices-Windows Autopatch-Test | Deployment ring for testing update deployments prior production rollout | +| Modern Workplace Devices-Windows Autopatch-First | First production deployment ring for early adopters | +| Modern Workplace Devices-Windows Autopatch-Fast | Fast deployment ring for quick rollout and adoption | +| Modern Workplace Devices-Windows Autopatch-Broad | Final deployment ring for broad rollout into the organization | | Modern Workplace Devices Dynamic - Windows 10 | Microsoft Managed Desktop Devices with Windows 10

        Group Rule:

        • `(device.devicePhysicalIds -any _ -startsWith \"[OrderID]:Microsoft365Managed_\")`
        • `(device.deviceOSVersion -notStartsWith \"10.0.22000\")`

        Exclusions:
        • Modern Workplace - Telemetry Settings for Windows 11
        | | Modern Workplace Devices Dynamic - Windows 11 | Microsoft Managed Desktop Devices with Windows 11

        Group Rule:

        • `(device.devicePhysicalIds -any _ -startsWith \"[OrderID]:Microsoft365Managed_\")`
        • `(device.deviceOSVersion -startsWith \"10.0.22000\")`

        Exclusions:
        • Modern Workplace - Telemetry Settings for Windows 10
        | | Modern Workplace Roles - Service Administrator | All users granted access to Modern Workplace Service Administrator Role | | Modern Workplace Roles - Service Reader | All users granted access to Modern Workplace Service Reader Role | -| Modern Workplace Service - Intune Admin All | Group for Intune Admins

        Assigned to:

        • Modern Workplace Service Accounts
        | -| Modern Workplace Service - Intune Reader All | Group for Intune readers

        Assigned to:

        • Modern Workplace Service Accounts
        | -| Modern Workplace Service - Intune Reader MMD | Group for Intune readers of MMD devices and users

        Assigned to:

        • Modern Workplace Service Accounts
        | -| Modern Workplace Service Accounts | Group for Windows Autopatch service accounts | | Windows Autopatch Device Registration | Group for automatic device registration for Windows Autopatch | ## Windows Autopatch enterprise applications @@ -56,19 +57,6 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr > [!NOTE] > Enterprise application authentication is only available on tenants enrolled after July 9th, 2022. For tenants enrolled before this date, Enterprise Application authentication will be made available for enrollment soon. -## Windows Autopatch cloud service accounts - -Windows Autopatch will create three cloud service accounts in your tenant. These accounts are used to run the service and all need to be excluded from any multi-factor authentication controls. - -> [!NOTE] -> Effective Aug 15th, 2022, these accounts will no longer be added to newly enrolled tenants, and existing tenants will be provided an option to migrate to enterprise application-based authentication. These accounts will be removed with that transition. - -| Cloud service account name | Usage | Mitigating controls | -| ----- | ----- | ------ | -| MsAdmin@tenantDomain.onmicrosoft.com |
        • This account is a limited-service account with administrator privileges. This account is used as an Intune and User administrator to define and configure the tenant for Microsoft Modern desktop devices.
        • This account doesn't have interactive sign-in permissions.  The account performs operations only through the service.
        | Audited sign-ins | -| MsAdminInt@tenantDomain.onmicrosoft.com |
        • This account is an Intune and User administrator account used to define and configure the tenant for Modern Workplace devices.
        • This account is used for interactive sign-in to the customers’ tenant.
        • The use of this account is extremely limited as most operations are exclusively through msadmin (non-interactive).
        • |
          • Restricted to be accessed only from defined secure access workstations (SAWs) through the Modern Workplace - Secure Workstation conditional access policy.
          • Audited sign-ins
          | -| MsTest@tenantDomain.onmicrosoft.com | This is a standard account used as a validation account for initial configuration and roll out of policy, application, and device compliance settings. | Audited sign-ins | - ## Device configuration policies - Modern Workplace - Set MDM to Win Over GPO @@ -145,17 +133,8 @@ Windows Autopatch will create three cloud service accounts in your tenant. These | Modern Workplace - Edge Update Channel Stable | Deploys updates via the Edge Stable Channel

          Assigned to:

          • Modern Workplace Devices-Windows Autopatch-First
          • Modern Workplace Devices-Windows Autopatch-Fast
          • Modern Workplace Devices-Windows Autopatch-Broad
          | `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled | | Modern Workplace - Edge Update Channel Beta | Deploys updates via the Edge Beta Channel

          Assigned to:

          • Modern Workplace Devices-Windows Autopatch-Test
          | `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled | -## Conditional access policies - -> [!NOTE] -> Effective Aug 15, 2022, the following policy will no longer be added to newly enrolled tenants, and existing tenants will be provided an option to migrate to enterprise application-based authentication. This policy will be removed with that transition. - -| Conditional access policy | Description | -| ----- | ----- | -| Modern Workplace - Secure Workstation | This policy is targeted to only the Windows Autopatch cloud service accounts. The policy blocks access to the tenant unless the user is accessing the tenant from a Microsoft authorized location. | - ## PowerShell scripts | Script | Description | | ----- | ----- | -| Modern Workplace - Autopatch Client Setup | Installs necessary client components for the Windows Autopatch service | +| Modern Workplace - Autopatch Client Setup v1.1 | Installs necessary client components for the Windows Autopatch service | diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md index ee8956decd..c90d19fae5 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md 
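Review bot: the new IMPORTANT note tells admins not to change, add to or remove any listed configuration, but the same patch deletes the sections that documented the MsAdmin/MsAdminInt/MsTest cloud service accounts, the "Modern Workplace - Secure Workstation" conditional access policy, and the "Modern Workplace Service - Intune Admin All", "Intune Reader All", "Intune Reader MMD" and "Modern Workplace Service Accounts" groups. The unchanged NOTE under "Windows Autopatch enterprise applications" still says enterprise-application authentication is only available on tenants enrolled after July 9th, 2022, so tenants enrolled earlier still carry those accounts, that policy and those groups, and an admin reading the new note has no list telling them these objects are service-managed (or that MsAdminInt is only reachable from secure access workstations because of that policy). Keep a short legacy subsection, or link the migration guidance the deleted note promised, until the migration to enterprise-application authentication is complete. Minor: the Test ring description now reads "prior production rollout"; "prior to production rollout" is intended.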
@@ -20,7 +20,7 @@ Windows Autopatch is a cloud service for enterprise customers designed to keep e Windows Autopatch provides its service to enterprise customers, and properly administers customers' enrolled devices by using data from various sources. -The sources include Azure Active Directory (AD), Microsoft Intune, and Microsoft Windows 10/11. The sources provide a comprehensive view of the devices that Windows Autopatch manages. The service also uses these Microsoft services to enable Windows Autopatch to provide IT as a Service (ITaaS) capabilities: +The sources include Azure Active Directory (Azure AD), Microsoft Intune, and Microsoft Windows 10/11. The sources provide a comprehensive view of the devices that Windows Autopatch manages. | Data source | Purpose | | ------ | ------ | 
@@ -74,7 +74,7 @@ Microsoft Windows Update for Business uses data from Windows diagnostics to anal ## Microsoft Azure Active Directory -Identifying data used by Windows Autopatch is stored by Azure Active Directory (Azure AD) in a geographical location. The geographical location is based on the location provided by the organization upon subscribing to Microsoft online services, such as Microsoft Apps for Enterprise and Azure. For more information on where your Azure AD data is located, see [Azure Active Directory - Where is your data located?](https://msit.powerbi.com/view?r=eyJrIjoiODdjOWViZDctMWRhZS00ODUzLWI4MmQtNWM5NjBkZTBkNjFlIiwidCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsImMiOjV9) +Identifying data used by Windows Autopatch is stored by Azure Active Directory (AD) in a geographical location. The geographical location is based on the location provided by the organization upon subscribing to Microsoft online services, such as Microsoft Apps for Enterprise and Azure. For more information on where your Azure AD data is located, see [Azure Active Directory - Where is your data located?](https://msit.powerbi.com/view?r=eyJrIjoiODdjOWViZDctMWRhZS00ODUzLWI4MmQtNWM5NjBkZTBkNjFlIiwidCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsImMiOjV9) ## Microsoft Intune diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index 0164891a96..b8fe13f82f 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md 
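Review bot: the two hunks in this file move the abbreviation in opposite directions: the first changes "Azure Active Directory (AD)" to "Azure Active Directory (Azure AD)", the second changes "(Azure AD)" back to "(AD)" in a sentence that goes on to say "where your Azure AD data is located". Use "(Azure AD)" in both. The first hunk also drops the sentence "The service also uses these Microsoft services to enable Windows Autopatch to provide IT as a Service (ITaaS) capabilities:", which introduced the "Data source | Purpose" table that follows; keep a lead-in for the table. The data-location link in the second hunk points at msit.powerbi.com, a Microsoft-internal host that external readers can't reach; since the line is being edited anyway, replace it with a publicly reachable data-residency page.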
@@ -419,15 +419,9 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B > [!IMPORTANT] > If you've already registered your VM (or device) using Intune, then skip this step. -Optional: see the following video for an overview of the process. - -  - -> [!video https://www.youtube.com/embed/IpLIZU_j7Z0] - First, you need a Microsoft Store for Business account. You can use the same one you created above for Intune, or follow [these instructions](/microsoft-store/windows-store-for-business-overview) to create a new one. -Next, to sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) with your test account, select **Sign in** on the upper-right-corner of the main page. +Next, to sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/store) with your test account, select **Sign in** on the upper-right-corner of the main page. Select **Manage** from the top menu, then select the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example: @@ -528,8 +522,6 @@ Select **OK**, and then select **Create**. If you already created and assigned a profile via Intune with the steps immediately above, then skip this section. -A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in Microsoft Store for Business. These steps are also summarized below. - First, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/manage/dashboard) using the Intune account you initially created for this lab. Select **Manage** from the top menu, then select **Devices** from the left navigation tree. diff --git a/windows/hub/WaaS-infographic.pdf b/windows/hub/WaaS-infographic.pdf deleted file mode 100644 index cb1ef988a1..0000000000 Binary files a/windows/hub/WaaS-infographic.pdf and /dev/null differ 
diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json index 461e6028a8..508d741a9b 100644 --- a/windows/hub/docfx.json +++ b/windows/hub/docfx.json @@ -22,8 +22,7 @@ "**/*.png", "**/*.jpg", "**/*.svg", - "**/*.gif", - "**/*.pdf" + "**/*.gif" ], "exclude": [ "**/obj/**", diff --git a/windows/media/ModernSecureDeployment/Deploy-CleanInstallation.pdf b/windows/media/ModernSecureDeployment/Deploy-CleanInstallation.pdf deleted file mode 100644 index 557f45193a..0000000000 Binary files a/windows/media/ModernSecureDeployment/Deploy-CleanInstallation.pdf and /dev/null differ diff --git a/windows/media/ModernSecureDeployment/Deploy-InplaceUpgrade.pdf b/windows/media/ModernSecureDeployment/Deploy-InplaceUpgrade.pdf deleted file mode 100644 index d01542ed2b..0000000000 Binary files a/windows/media/ModernSecureDeployment/Deploy-InplaceUpgrade.pdf and /dev/null differ diff --git a/windows/media/ModernSecureDeployment/Deploy-WindowsAutoPilot.pdf b/windows/media/ModernSecureDeployment/Deploy-WindowsAutoPilot.pdf deleted file mode 100644 index 87110d6b3e..0000000000 Binary files a/windows/media/ModernSecureDeployment/Deploy-WindowsAutoPilot.pdf and /dev/null differ diff --git a/windows/media/ModernSecureDeployment/ProtectionSolutions.pdf b/windows/media/ModernSecureDeployment/ProtectionSolutions.pdf deleted file mode 100644 index 8d04e66910..0000000000 Binary files a/windows/media/ModernSecureDeployment/ProtectionSolutions.pdf and /dev/null differ diff --git a/windows/media/ModernSecureDeployment/Series-ModernAndSecureWindowsDeployment.pdf b/windows/media/ModernSecureDeployment/Series-ModernAndSecureWindowsDeployment.pdf deleted file mode 100644 index 86529c1665..0000000000 Binary files a/windows/media/ModernSecureDeployment/Series-ModernAndSecureWindowsDeployment.pdf and /dev/null differ 
diff --git a/windows/media/ModernSecureDeployment/WindowsServicing.pdf b/windows/media/ModernSecureDeployment/WindowsServicing.pdf deleted file mode 100644 index 19a419e3a9..0000000000 Binary files a/windows/media/ModernSecureDeployment/WindowsServicing.pdf and /dev/null differ diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index 06dbd93c71..e63e7f1322 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -108,7 +108,7 @@ If you don’t sign up for any of these enterprise services, Microsoft will act ### Rollout plan for this change -This change will roll out initially to Windows devices enrolled in the [Dev Channel](/windows-insider/flighting#dev-channel) of the Windows Insider program no earlier than July 2022. Once the rollout is initiated, devices in the Dev Channel that are joined to an Azure AD tenant with a billing address in the EU or EFTA will be automatically enabled for the processor configuration option. +This change will rollout in phases, starting with Windows devices enrolled in the [Dev Channel](/windows-insider/flighting#dev-channel) of the Windows Insider program. Starting in build 25169, devices in the Dev Channel that are joined to an Azure AD tenant with a billing address in the EU or EFTA will be automatically enabled for the processor configuration option. During this initial rollout, the following conditions apply to devices in the Dev Channel that are joined to an Azure AD tenant with a billing address outside of the EU or EFTA: @@ -129,4 +129,4 @@ As part of this change, the following policies will no longer be supported to co - Allow Desktop Analytics Processing - Allow Update Compliance Processing - Allow WUfB Cloud Processing - - Configure the Commercial ID \ No newline at end of file + - Configure the Commercial ID 
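Review bot: the deletions of windows/hub/WaaS-infographic.pdf and the six windows/media/ModernSecureDeployment PDFs, together with dropping "**/*.pdf" from windows/hub/docfx.json, remove the files, but this patch shows no change to any article or redirect entry that referenced them. Confirm that no page still links to these paths (a build of the hub and deployment content will surface them as broken links), and add redirects if the PDFs were linked from outside the repo.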
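Review bot: the rewritten rollout sentence in changes-to-windows-diagnostic-data-collection.md uses "rollout" as a verb ("This change will rollout in phases"); it should be "roll out". The rest of the hunk replaces "no earlier than July 2022" with "Starting in build 25169", which is the concrete detail readers need, and the trailing-newline fix on "Configure the Commercial ID" is fine.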
diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json index a0c9217603..79774ab7cc 100644 --- a/windows/privacy/docfx.json +++ b/windows/privacy/docfx.json @@ -21,6 +21,7 @@ "files": [ "**/*.png", "**/*.jpg", + "**/*.svg", "**/*.gif" ], "exclude": [ diff --git a/windows/privacy/index.yml b/windows/privacy/index.yml index e518d55a86..a90c978811 100644 --- a/windows/privacy/index.yml +++ b/windows/privacy/index.yml @@ -45,17 +45,17 @@ productDirectory: # Card - title: Windows 11 required diagnostic data # imageSrc should be square in ratio with no whitespace - imageSrc: https://docs.microsoft.com/media/common/i_extend.svg + imageSrc: /media/common/i_extend.svg summary: Learn more about basic Windows diagnostic data events and fields collected. url: required-windows-11-diagnostic-events-and-fields.md # Card - title: Windows 10 required diagnostic data - imageSrc: https://docs.microsoft.com/media/common/i_build.svg + imageSrc: /media/common/i_build.svg summary: See what changes Windows is making to align to the new data collection taxonomy url: required-windows-diagnostic-data-events-and-fields-2004.md # Card - title: Optional diagnostic data - imageSrc: https://docs.microsoft.com/media/common/i_get-started.svg + imageSrc: /media/common/i_get-started.svg summary: Get examples of the types of optional diagnostic data collected from Windows url: windows-diagnostic-data.md @@ -181,4 +181,4 @@ additionalContent: - text: Support for GDPR Accountability on Service Trust Portal url: https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted # footer (optional) - # footer: "footertext [linktext](/footerfile)" \ No newline at end of file + # footer: "footertext [linktext](/footerfile)" diff --git a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md deleted file mode 100644 index c84b17cee4..0000000000 
--- a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md +++ /dev/null @@ -1,42 +0,0 @@ ---- -title: WebAuthn APIs -description: Learn how to use WebAuthn APIs to enable password-less authentication for your sites and apps. -ms.prod: m365-security -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium -ms.date: 02/15/2019 ---- -# WebAuthn APIs for password-less authentication on Windows - -### Passwords leave your customers vulnerable. With the new WebAuthn APIs, your sites and apps can use password-less authentication. - -Microsoft has long been a proponent to do away with passwords. -While working towards that goal, we'd like to introduce you to the latest Windows 10 (version 1903) W3C/FIDO2 Win32 WebAuthn platform APIs! -These APIs allow Microsoft developer partners and the developer community to use Windows Hello and FIDO2 security keys -as a password-less authentication mechanism for their applications on Windows devices. - -#### What does this mean? - -This opens opportunities for developers or relying parties (RPs') to enable password-less authentication. -They can now use [Windows Hello](./index.yml) or [FIDO2 Security Keys](./microsoft-compatible-security-key.md) -as a password-less multi-factor credential for authentication. -
          -Users of these sites can use any browser that supports WebAuthn Windows 10 APIs for password-less authentication - and will have a familiar and consistent experience on Windows 10, no matter which browser they use to get to the RPs' site! -

          -The native Windows 10 WebAuthn APIs are currently supported by Microsoft Edge on Windows 10 1809 or later - and latest versions of other browsers. -

          -Developers of FIDO2 authentication keys should use the new Windows 10 APIs, to enable these scenarios in a consistent way for users. - Moreover, this enables the use of all the transports available per FIDO2 specifications - USB, NFC, and BLE - without having to deal with the interaction and management overhead. -This also implies browsers or apps on Windows 10 will no longer have direct access to above transports for FIDO-related messaging. - -#### Where can developers learn more? - -The new Windows 10 APIs are documented on [GitHub](https://github.com/Microsoft/webauthn) diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index ebbea60361..d057f242cd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md 
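Review bot: deleting WebAuthnAPIs.md removes the only statement in this set that browsers and apps on Windows 10 no longer get direct access to the USB, NFC and BLE transports for FIDO-related messaging once the platform WebAuthn APIs are used, and the pointer to the API documentation on GitHub (https://github.com/Microsoft/webauthn). Make sure the article that replaces it keeps both points, and that a redirect for the old path is in place so existing links from relying-party developer docs don't break.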
@@ -78,7 +78,7 @@ To allow facial recognition, you must have devices with integrated special infra - Effective, real world FRR with Anti-spoofing or liveness detection: <10% > [!NOTE] ->Windows Hello face authentication does not currently support wearing a mask during enrollment or authentication. Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock you device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn’t allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint. +>Windows Hello face authentication does not currently support wearing a mask during enrollment or authentication. Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn’t allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint. ## Related topics diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index d995550c13..3a4f97b0d0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md 
@@ -69,9 +69,7 @@ If the error occurs again, check the error code against the following table to s | 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. | | | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. | | 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. | -| 0xC00000BB | Your PIN or this option is temporarily unavailable.| The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Use a different login method.| - - +| 0xC00000BB | Your PIN or this option is temporarily unavailable. | The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Another common cause can be the client can not verify the KDC certificate CRL. Use a different login method.| ## Errors with unknown mitigation @@ -100,6 +98,7 @@ For errors listed in this table, contact Microsoft Support for assistance. | 0x801C03F1 | ​There is no UPN in the token. | | ​0x801C044C | There is no core window for the current thread. | | 0x801c004D | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request Azure Active Directory token for provisioning. Unable to enroll a device to use a PIN for login. | +| 0xCAA30193 | HTTP 403 Request Forbidden: it means request left the device, however either Server, proxy or firewall generated this response. | ## Related topics diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 5900a1444c..bc542d1967 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
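Review bot: the new `0xCAA30193` row in the `@@ -100,6 +98,7 @@` hunk of hello-errors-during-pin-creation.md is a run-on that doesn't read as a sentence; suggest `| 0xCAA30193 | HTTP 403 Request Forbidden: the request left the device, but the server, a proxy, or a firewall returned this response. |`. Since the description already names a proxy or firewall as the likely source of the 403, consider whether this row belongs in the table above (which carries a Mitigation column) rather than in "Errors with unknown mitigation", whose lead-in tells the reader to contact Microsoft Support.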
@@ -84,7 +84,7 @@ sections: - question: Can I use an external Windows Hello compatible camera when my computer has a built-in Windows Hello compatible camera? answer: | - Yes. Starting with Windows 10, version 21H1 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera is used for face authentication. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). However, using external Hello cameras and accessories is restricted if ESS is enabled, please see [Windows Hello Enhanced Sign-in Security](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security#pluggableperipheral-biometric-sensors). + Yes. Starting with Windows 10, version 21H1 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera is used for face authentication. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). However, using external Hello cameras and accessories is restricted if ESS is enabled, please see [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security#pluggableperipheral-biometric-sensors). - question: Can I use an external Windows Hello compatible camera or other Windows Hello compatible accessory when my laptop lid is closed or docked? answer: | 
@@ -155,7 +155,7 @@ sections: - question: Where is Windows Hello biometrics data stored? answer: | - When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn’t roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details see [Windows Hello biometrics in the enterprise](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). + When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). 
- question: What is the format used to store Windows Hello biometrics data on the device? answer: | @@ -261,5 +261,4 @@ sections: - question: Does Windows Hello for Business work with Azure Active Directory Domain Services (Azure AD DS) clients? answer: | - No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD isn't available for it via Azure AD Connect. Hence, Windows Hello for Business doesn't work with Azure AD. - + No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD isn't available for it via Azure AD Connect. Hence, Windows Hello for Business doesn't work with Azure AD DS. diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 5b2df11202..435fe6109b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md 
@@ -234,70 +234,34 @@ The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/a **Applies to:** -- Windows 10, version 1803 or later -- Windows 11 -- Azure AD joined - -The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that are allowed to be navigated to during PIN reset flows on Azure AD-joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, this policy should be set to ensure that authentication pages from that identity provider can be used during Azure AD joined PIN reset. - -### Configuring Policy Using Intune - -1. Sign-in to [Endpoint Manager admin center](https://endpoint.microsoft.com/) using a Global administrator account. - -1. Click **Devices**. Click **Configuration profiles**. Click **Create profile**. - -1. For Platform select **Windows 10 and later** and for Profile type select **Templates**. In the list of templates that is loaded, select **Custom** and click Create. - -1. In the **Name** field type **Web Sign In Allowed URLs** and optionally provide a description for the configuration. Click Next. - -1. On the Configuration settings page, click **Add** to add a custom OMA-URI setting. Provide the following information for the custom settings: - - - **Name:** Web Sign In Allowed URLs - - **Description:** (Optional) List of domains that are allowed during PIN reset flows. - - **OMA-URI:** ./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls - - **Data type:** String - - **Value**: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be _signin.contoso.com;portal.contoso.com_ (without quotation marks) - - :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy." 
source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist.png"::: - -1. Click the **Save** button to save the custom configuration. - -1. On the Assignments page, use the Included groups and Excluded groups sections to define the groups of users or devices that should receive this policy. Once you have completed configuring groups click the Next button. - -1. On the Applicability rules page, click **Next**. - -1. Review the configuration that is shown on the Review + create page to make sure that it is accurate. Click create to save the profile and apply it to the configured groups. - -### Configure Web Sign-in Allowed URLs for Third Party Identity Providers on Azure AD Joined Devices +- Azure AD joined devices The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that can be reached during PIN reset flows on Azure AD-joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, this policy should be set to ensure that authentication pages from that identity provider can be used during Azure AD joined PIN reset. +### Configure Web Sign-in Allowed URLs using Microsoft Intune -#### Configure Web Sign-in Allowed URLs using Microsoft Intune - -1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Select **Devices** > **Configuration profiles** > **Create profile**. +1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) +1. Select **Devices** > **Configuration profiles** > **Create profile** 1. Enter the following properties: - - **Platform**: Select **Windows 10 and later**. - - **Profile type**: Select **Templates**. - - In the list of templates that is loaded, select **Custom** > **Create**. 
+ - **Platform**: Select **Windows 10 and later** + - **Profile type**: Select **Templates** + - In the list of templates that is loaded, select **Custom** > **Create** 1. In **Basics**, enter the following properties: - - **Name**: Enter a descriptive name for the profile. - - **Description**: Enter a description for the profile. This setting is optional, but recommended. -1. Select **Next**. + - **Name**: Enter a descriptive name for the profile + - **Description**: Enter a description for the profile. This setting is optional, but recommended +1. Select **Next** 1. In **Configuration settings**, select **Add** and enter the following settings: - Name: **Web Sign In Allowed URLs** - Description: **(Optional) List of domains that are allowed during PIN reset flows** - OMA-URI: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls` - Data type: **String** - - Value: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be **signin.contoso.com;portal.contoso.com** (without quotation marks). + - Value: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be **signin.contoso.com;portal.contoso.com** :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy." source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist-expanded.png"::: -1. Select **Save** > **Next**. -1. In **Assignments**, select the security groups that will receive the policy. -1. Select **Next**. -1. In **Applicability Rules**, select **Next**. -1. In **Review + create**, review your settings and select **Create**. - +1. Select **Save** > **Next** +1. In **Assignments**, select the security groups that will receive the policy +1. Select **Next** +1. In **Applicability Rules**, select **Next** +1. 
In **Review + create**, review your settings and select **Create** > [!NOTE] > For Azure Government, there is a known issue with PIN reset on Azure AD Joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, "We can't open that page right now." The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using Azure US Government cloud, set **login.microsoftonline.us** as the value for the ConfigureWebSignInAllowedUrls policy. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md index e8589d8b29..95583c6427 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md @@ -63,6 +63,11 @@ The following scenarios aren't supported using Windows Hello for Business cloud - Using cloud trust for "Run as" - Signing in with cloud trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity +> [!NOTE] +> The default security policy for AD does not grant permission to sign high privilege accounts on to on-premises resources with Cloud Trust or FIDO2 security keys. +> +> To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object (CN=AzureADKerberos,OU=Domain Controllers,\). + ## Deployment Instructions Deploying Windows Hello for Business cloud trust consists of two steps: 
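Review bot: the distinguished name in the new note in hello-hybrid-cloud-trust.md is truncated: `(CN=AzureADKerberos,OU=Domain Controllers,\)` ends in a stray backslash where the domain DN placeholder should be, most likely an angle-bracket placeholder that was stripped as markup; write it as a visible placeholder, for example `CN=AzureADKerberos,OU=Domain Controllers,DC=<domain>,DC=<tld>`. The note should also say what it is relaxing: msDS-NeverRevealGroup on the AzureADKerberos object is the RODC-style deny list that stops the Azure AD Kerberos server from issuing tickets for members of privileged groups, so editing it removes a default safeguard for exactly those accounts; recommend naming that, advising admins to remove only the specific group they need, and rewording "does not grant permission to sign high privilege accounts on to on-premises resources" to "does not allow high-privilege accounts to sign in to on-premises resources".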
@@ -253,3 +258,7 @@ Windows Hello for Business cloud trust requires line of sight to a domain contro ### Can I use RDP/VDI with Windows Hello for Business cloud trust? Windows Hello for Business cloud trust cannot be used as a supplied credential with RDP/VDI. Similar to key trust, cloud trust can be used for RDP with [remote credential guard](/windows/security/identity-protection/remote-credential-guard) or if a [certificate is enrolled into Windows Hello for Business](hello-deployment-rdp-certs.md) for this purpose. + +### Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud trust? + +No, only the number necessary to handle the load from all cloud trust devices. diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 7a9e8e62b1..f62e08bd4d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md 
@@ -38,7 +38,7 @@ The table shows the minimum requirements for each deployment. For key trust in a | **Domain and Forest Functional Level** | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level | | **Domain Controller Version** | Windows Server 2016 or later | Windows Server 2016 or later | Windows Server 2008 R2 or later | Windows Server 2008 R2 or later | | **Certificate Authority**| N/A | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | -| **AD FS Version** | N/A | N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients),
          and
          Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | Windows Server 2012 or later Network Device Enrollment Service | +| **AD FS Version** | N/A | N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients managed by Group Policy),
          and
          Windows Server 2012 or later Network Device Enrollment Service (hybrid Azure AD joined & Azure AD joined managed by MDM) | Windows Server 2012 or later Network Device Enrollment Service | | **MFA Requirement** | Azure MFA tenant, or
          AD FS w/Azure MFA adapter, or
          AD FS w/Azure MFA Server adapter, or
          AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
          AD FS w/Azure MFA adapter, or
          AD FS w/Azure MFA Server adapter, or
          AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
          AD FS w/Azure MFA adapter, or
          AD FS w/Azure MFA Server adapter, or
          AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
          AD FS w/Azure MFA adapter, or
          AD FS w/Azure MFA Server adapter, or
          AD FS w/3rd Party MFA Adapter | | **Azure AD Connect** | N/A | Required | Required | Required | | **Azure AD License** | Azure AD Premium, optional | Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional. Intune license required | diff --git a/windows/security/identity-protection/hello-for-business/images/webauthn-apis/webauthn-apis-fido2-overview-microsoft-version.png b/windows/security/identity-protection/hello-for-business/images/webauthn-apis/webauthn-apis-fido2-overview-microsoft-version.png new file mode 100644 index 0000000000..49639cefcf Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/webauthn-apis/webauthn-apis-fido2-overview-microsoft-version.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/webauthn-apis/webauthn-apis-fido2-overview.png b/windows/security/identity-protection/hello-for-business/images/webauthn-apis/webauthn-apis-fido2-overview.png new file mode 100644 index 0000000000..97ca13f648 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/webauthn-apis/webauthn-apis-fido2-overview.png differ diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml index bdd841ab2c..a0fa9d6144 100644 --- a/windows/security/identity-protection/hello-for-business/index.yml +++ b/windows/security/identity-protection/hello-for-business/index.yml @@ -65,6 +65,8 @@ landingContent: url: hello-identity-verification.md - linkListType: how-to-guide links: + - text: Hybrid Cloud Trust Deployment + url: hello-hybrid-cloud-trust.md - text: Hybrid Azure AD Joined Key Trust Deployment url: hello-hybrid-key-trust.md - text: Hybrid Azure AD Joined Certificate Trust Deployment 
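Review bot: in the AD FS Version row changed in hello-identity-verification.md, "(hybrid Azure AD joined & Azure AD joined managed by MDM)" is ambiguous about whether "managed by MDM" qualifies both join types or only the second; since the preceding parenthetical spells out "hybrid Azure AD joined clients managed by Group Policy", suggest "(hybrid Azure AD joined and Azure AD joined clients managed by MDM)", and use "and" rather than "&" to match the rest of the table.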
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 1e3bd031b3..6e71a47657 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -21,6 +21,8 @@ href: hello-how-it-works-provisioning.md - name: Authentication href: hello-how-it-works-authentication.md + - name: WebAuthn APIs + href: webauthn-apis.md - name: How-to Guides items: - name: Windows Hello for Business Deployment Overview diff --git a/windows/security/identity-protection/hello-for-business/webauthn-apis.md b/windows/security/identity-protection/hello-for-business/webauthn-apis.md new file mode 100644 index 0000000000..8926ad4417 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/webauthn-apis.md 
@@ -0,0 +1,122 @@ +--- +title: WebAuthn APIs +description: Learn how to use WebAuthn APIs to enable passwordless authentication for your sites and apps. +ms.prod: m365-security +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva +ms.collection: M365-identity-device-management +ms.topic: article +localizationpriority: medium +ms.date: 08/30/2022 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +--- +# WebAuthn APIs for passwordless authentication on Windows + +Passwords can leave your customers vulnerable to data breaches and security attacks by malicious users. + +Microsoft has long been a proponent of passwordless authentication, and introduced the W3C/Fast IDentity Online 2 (FIDO2) Win32 WebAuthn platform APIs in Windows 10 (version 1903). + +## What does this mean? + +By using WebAuthn APIs, developer partners and the developer community can use [Windows Hello](./index.yml) or [FIDO2 Security Keys](./microsoft-compatible-security-key.md) to implement passwordless multi-factor authentication for their applications on Windows devices. + +Users of these apps or sites can use any browser that supports WebAuthn APIs for passwordless authentication. Users will have a familiar and consistent experience on Windows, no matter which browser they use. + +Developers should use the WebAuthn APIs to support FIDO2 authentication keys in a consistent way for users. Additionally, developers can use all the transports that are available per FIDO2 specifications (USB, NFC, and BLE) while avoiding the interaction and management overhead. + +> [!NOTE] +> When these APIs are in use, Windows 10 browsers or apps don't have direct access to the FIDO2 transports for FIDO-related messaging. + +## The big picture + +Client to Authenticator Protocol 2 (CTAP2) and WebAuthn define an abstraction layer that creates an ecosystem for strongly authenticated credentials. 
In this ecosystem, any interoperable client (such as a native app or browser) that runs on a given client device uses a standardized method to interact with any interoperable authenticator. Interoperable authenticators include authenticators that are built into the client device (platform authenticators) and authenticators that connect to the client device by using USB, BLE, or NFC connections (roaming authenticators). + +The authentication process starts when the user makes a specific user gesture that indicates consent for the operation. At the request of the client, the authenticator securely creates strong cryptographic keys and stores them locally. + +After these client-specific keys are created, clients can request attestations for registration and authentication. The type of signature that the private key uses reflects the user gesture that was made. + +The following diagram shows how CTAP and WebAuthn interact. The light blue dotted arrows represent interactions that depend on the specific implementation of the platform APIs. + +:::image type="content" source="images/webauthn-apis/webauthn-apis-fido2-overview.png" alt-text="The diagram shows how the WebAuthn API interacts with the relying parties and the CTAPI2 API."::: + +*Relationships of the components that participate in passwordless authentication* + +A combined WebAuthn/CTAP2 dance includes the following cast of characters: + +- **Client device**. The *client device* is the hardware that hosts a given strong authentication. Laptops and phones are examples of client devices. + +- **Relying parties and clients**. *Relying parties* are web or native applications that consume strong credentials. The relying parties run on client devices. + + - As a relying party, a native application can also act as a WebAuthn client to make direct WebAuthn calls. + + - As a relying party, a web application can't directly interact with the WebAuthn API. The relying party must broker the deal through the browser. 
+ + > [!NOTE] + > The preceding diagram doesn't depict single sign-on authentication. Be careful not to confuse FIDO relying parties with federated relying parties. + +- **WebAuthn API**. The *WebAuthn API* enables clients to make requests to authenticators. The client can request that the authenticator create a key, provide an assertion about a key, report capabilities, manage a PIN, and so on. + +- **CTAP2 platform/host**. The *platform* (also called the host in the CTAP2 spec) is the part of the client device that negotiates with authenticators. The platform is responsible for securely reporting the origin of the request and for calling the CTAP2 Concise Binary Object Representation (CBOR) APIs. If the platform isn't CTAP2-aware, the clients themselves take on more of the burden. In this case, the components and interactions of the preceding diagram may differ. + +- **Platform authenticator**. A *platform authenticator* usually resides on a client device. Examples of platform authenticators include fingerprint recognition technology that uses a built-in laptop fingerprint reader and facial recognition technology that uses a built-in smartphone camera. Cross-platform transport protocols such as USB, NFC or BLE can't access platform authenticators. + +- **Roaming authenticator**. A *roaming authenticator* can connect to multiple client devices. Client devices must use a supported transport protocol to negotiate interactions. Examples of roaming authenticators include USB security keys, BLE-enabled smartphone applications, and NFC-enabled proximity cards. Roaming authenticators can support CTAP1, CTAP2, or both protocols. + +Many relying parties and clients can interact with many authenticators on a single client device. A user can install multiple browsers that support WebAuthn, and might simultaneously have access to a built-in fingerprint reader, a plugged-in security key, and a BLE-enabled mobile app. 
+ +## Interoperability + +Before there was WebAuthn and CTAP2, there was U2F and CTAP1. U2F is the FIDO Alliance universal second-factor specification. There are many authenticators that speak CTAP1 and manage U2F credentials. WebAuthn was designed to be interoperable with CTAP1 Authenticators. A relying party that uses WebAuthn can still use U2F credentials if the relying party doesn't require FIDO2-only functionality. + +FIDO2 authenticators have already implemented and WebAuthn relying parties might require the following optional features: + +- Keys for multiple accounts (keys can be stored per relying party) +- Client PIN +- Location (the authenticator returns a location) +- [Hash-based Message Authentication Code (HMAC)-secret](/dotnet/api/system.security.cryptography.hmac) (enables offline scenarios) + +The following options and might be useful in the future, but haven't been observed in the wild yet: + +- Transactional approval +- User verification index (servers can determine whether biometric data that's stored locally has changed over time) +- User verification method (the authenticator returns the exact method) +- Biometric performance bounds (the relying party can specify acceptable false acceptance and false rejection rates) + +## Microsoft implementation + +The Microsoft FIDO2 implementation has been years in the making. Software and services are implemented independently as standards-compliant entities. As of the Windows 10, version 1809 (October 2018) release, all Microsoft components use the latest WebAuthn Candidate Release. It's a stable release that's not expected to normatively change before the specification is finally ratified. Because Microsoft is among the first in the world to deploy FIDO2, some combinations of popular non-Microsoft components won't be interoperable yet. 
+ +Here's an approximate layout of where the Microsoft bits go: + +:::image type="content" source="images/webauthn-apis/webauthn-apis-fido2-overview-microsoft-version.png" alt-text="The diagram shows how the WebAuthn API interacts with the Microsoft relying parties and the CTAPI2 API."::: + +*Microsoft's implementation of WebAuthn and CATP2 APIs* + +- **WebAuthn relying party: Microsoft Account**. If you aren't familiar with Microsoft Account, it's the sign-in service for Xbox, Outlook, and many other sites. The sign-in experience uses client-side JavaScript to trigger Microsoft Edge to talk to the WebAuthn APIs. Microsoft Account requires that authenticators have the following characteristics: + + - Keys are stored locally on the authenticator and not on a remote server + - Offline scenarios work (enabled by using HMAC) + - Users can put keys for multiple user accounts on the same authenticator + - If it's necessary, authenticators can use a client PIN to unlock a TPM + > [!IMPORTANT] + > Because Microsoft Account requires features and extensions that are unique to FIDO2 CTAP2 authenticators, it doesn't accept CTAP1 (U2F) credentials. + +- **WebAuthn client: Microsoft Edge**. Microsoft Edge can handle the user interface for the WebAuthn and CTAP2 features that this article describes. It also supports the AppID extension. Microsoft Edge can interact with both CTAP1 and CTAP2 authenticators. This means that it can create and use both U2F and FIDO2 credentials. However, Microsoft Edge doesn't speak the U2F protocol. Therefore, relying parties must use only the WebAuthn specification. Microsoft Edge on Android doesn't support WebAuthn. + + > [!NOTE] + > For authoritative information about Microsoft Edge support for WebAuthn and CTAP, see [Legacy Microsoft Edge developer documentation](/microsoft-edge/dev-guide/windows-integration/web-authentication). + +- **Platform: Windows 10, Windows 11**. Windows 10 and Windows 11 host the Win32 Platform WebAuthn APIs. 
+ +- **Roaming Authenticators**. You might notice that there's no *Microsoft* roaming authenticator. That's because there's already a strong ecosystem of products that specialize in strong authentication, and every one of our customers (whether corporations or individuals) has different requirements for security, ease of use, distribution, and account recovery. To see the ever-growing list of FIDO2 certified authenticators, see [FIDO Certified Products](https://fidoalliance.org/certification/fido-certified-products/). The list includes built-in authenticators, roaming authenticators, and even chip manufacturers who have certified designs. + +## Developer references + +The WebAuthn APIs are documented in the [Microsoft/webauthn](https://github.com/Microsoft/webauthn) GitHub repo. To understand how FIDO2 authenticators work, review the following two specifications: + +- [Web Authentication: An API for accessing Public Key Credentials](https://www.w3.org/TR/webauthn/) (available on the W3C site). This document is known as the WebAuthn spec. +- [Client to Authenticator Protocol (CTAP)](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html). This is available at the [FIDO Alliance](http://fidoalliance.org/) site, on which hardware and platform teams are working together to solve the problem of FIDO authentication. diff --git a/windows/security/index.yml b/windows/security/index.yml index 2fedb0e205..c8868f61f1 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml 
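Review bot: the "Microsoft implementation" section of the new webauthn-apis.md is stale for an article dated 08/30/2022: it says all components use "the latest WebAuthn Candidate Release" that is "not expected to normatively change before the specification is finally ratified", but WebAuthn Level 1 became a W3C Recommendation in March 2019 and Level 2 in April 2021, so this paragraph should name the ratified level or be dropped. Smaller points in the same hunk: "CTAPI2 API" in both image alt texts and "CATP2" in the second caption should be "CTAP2"; "FIDO2 authenticators have already implemented and WebAuthn relying parties might require the following optional features:" and "The following options and might be useful in the future" are broken sentences (suggest "FIDO2 authenticators have already implemented, and WebAuthn relying parties might require, the following optional features:" and "The following options might be useful in the future"); and the HMAC-secret bullet links to the .NET `System.Security.Cryptography.HMAC` class, which has nothing to do with the CTAP2 hmac-secret extension, so it should link to the CTAP specification cited under "Developer references" instead.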
@@ -133,13 +133,13 @@ landingContent: - linkListType: concept links: - text: Mobile device management - url: https://docs.microsoft.com/windows/client-management/mdm/ + url: /windows/client-management/mdm/ - text: Azure Active Directory url: https://www.microsoft.com/security/business/identity-access-management/azure-active-directory - text: Your Microsoft Account url: identity-protection/access-control/microsoft-accounts.md - text: OneDrive - url: https://docs.microsoft.com/onedrive/onedrive + url: /onedrive/onedrive - text: Family safety url: threat-protection/windows-defender-security-center/wdsc-family-options.md # Cards and links should be based on top customer tasks or top subjects @@ -170,4 +170,3 @@ landingContent: links: - text: Windows and Privacy Compliance url: /windows/privacy/windows-10-and-privacy-compliance - diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 28426e5d60..7c87a7eecd 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -497,7 +497,7 @@ You can reset the recovery password in two ways: > [!NOTE] > To manage a remote computer, you can specify the remote computer name rather than the local computer name. -You can use the following sample script to create a VBScript file to reset the recovery passwords: +You can use the following sample VBScript to reset the recovery passwords: ```vb ' Target drive letter diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index 6e85b47920..d9221e9bca 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md 
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 03/10/2022 +ms.date: 08/22/2022 ms.reviewer: manager: dansimp ms.custom: sasr @@ -30,6 +30,9 @@ Application Guard uses both network isolation and application-specific settings. These settings, located at `Computer Configuration\Administrative Templates\Network\Network Isolation`, help you define and manage your organization's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container. +> [!NOTE] +> For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you don't need to configure network isolation policy to enable Application Guard for Microsoft Edge in managed mode. + > [!NOTE] > You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. Proxy servers must be a neutral resource listed in the **Domains categorized as both work and personal** policy. @@ -53,16 +56,15 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind |Name|Supported versions|Description|Options| |-----------|------------------|-----------|-------| -|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

          Windows 10 Pro, 1803 or higher

          Windows 11|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
          - Disable the clipboard functionality completely when Virtualization Security is enabled.
          - Enable copying of certain content from Application Guard into Microsoft Edge.
          - Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

          **Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| -|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

          Windows 10 Pro, 1803 or higher

          Windows 11|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
          - Enable Application Guard to print into the XPS format.
          - Enable Application Guard to print into the PDF format.
          - Enable Application Guard to print to locally attached printers.
          - Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.

          **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| -|Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer|Windows 10 Enterprise, 1709 or higher

          Windows 11|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.

          **NOTE**: This action might also block assets cached by CDNs and references to analytics sites. Add them to the trusted enterprise resources to avoid broken pages.

          **Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | -|Allow Persistence|Windows 10 Enterprise, 1709 or higher

          Windows 10 Pro, 1803 or higher

          Windows 11|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

          **Disabled or not configured.** All user data within Application Guard is reset between sessions.

          **NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

          **To reset the container:**
          1. Open a command-line program and navigate to `Windows/System32`.
          2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
          3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| -|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher

          Windows 11|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
          - Enable Microsoft Defender Application Guard only for Microsoft Edge
          - Enable Microsoft Defender Application Guard only for Microsoft Office
          - Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

          **Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.| -|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher

          Windows 11|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

          **Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.| -|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher

          Windows 10 Pro, 1803 or higher

          Windows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

          **Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| -|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

          Windows 10 Pro, 1809 or higher

          Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

          **Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| +|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

          Windows 10 Pro, 1803 or higher

          Windows 11|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** This is effective only in managed mode. Turns On the clipboard functionality and lets you choose whether to additionally:
          - Disable the clipboard functionality completely when Virtualization Security is enabled.
          - Enable copying of certain content from Application Guard into Microsoft Edge.
          - Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

          **Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| +|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

          Windows 10 Pro, 1803 or higher

          Windows 11|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns On the print functionality and lets you choose whether to additionally:
          - Enable Application Guard to print into the XPS format.
          - Enable Application Guard to print into the PDF format.
          - Enable Application Guard to print to locally attached printers.
          - Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.

          **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| +|Allow Persistence|Windows 10 Enterprise, 1709 or higher

          Windows 10 Pro, 1803 or higher

          Windows 11|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

          **Disabled or not configured.** All user data within Application Guard is reset between sessions.

          **NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

          **To reset the container:**
          1. Open a command-line program and navigate to `Windows/System32`.
          2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
          3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| +|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher

          Windows 11|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
          - Enable Microsoft Defender Application Guard only for Microsoft Edge
          - Enable Microsoft Defender Application Guard only for Microsoft Office
          - Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

          **Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.

          **Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.| +|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher

          Windows 11|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** This is effective only in managed mode. Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

          **Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.| +|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher

          Windows 10 Pro, 1803 or higher

          Windows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

          **Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| +|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

          Windows 10 Pro, 1809 or higher

          Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

          **Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| |Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher

          Windows 10 Pro, 1809 or higher

          Windows 11|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

          **Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.| -|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

          Windows 10 Pro, 1809 or higher

          Windows 11|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.

          **Disabled or not configured.** event logs aren't collected from your Application Guard container.| +|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

          Windows 10 Pro, 1809 or higher

          Windows 11|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.

          **Disabled or not configured.** Event logs aren't collected from your Application Guard container.| ## Application Guard support dialog settings diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index ddf7e13d0d..e02cee6ffc 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -1,26 +1,23 @@ --- title: System requirements for Microsoft Defender Application Guard description: Learn about the system requirements for installing and running Microsoft Defender Application Guard. -ms.prod: m365-security -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security +ms.prod: windows-client +ms.technology: itpro-security +ms.topic: overview ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.date: 10/20/2021 -ms.reviewer: -manager: dansimp -ms.custom: asr -ms.technology: windows-sec +author: vinaypamnani-msft +ms.author: vinpa +ms.date: 08/25/2022 +ms.reviewer: sazankha +manager: aaroncz --- # System requirements for Microsoft Defender Application Guard **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 Education, Enterprise, and Professional +- Windows 11 Education, Enterprise, and Professional The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive. 
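Review bot: in the `@@ -53,16 +56,15 @@` table hunk of configure-md-app-guard.md above, the new **Note:** in the "Turn on Microsoft Defender Application Guard in Managed Mode" row repeats, almost word for word, the `> [!NOTE]` block that the `@@ -30,6 +30,9 @@` hunk adds above the network isolation settings; keep one copy and point the other at it, because the two already differ ("you don't need to configure" versus "you are no longer required to configure", and "Microsoft Edge in managed mode" versus "Edge") and will keep drifting. The row "Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer" is deleted without replacement; if the policy is deprecated or documented elsewhere, say so on the page or in the PR description, otherwise readers lose the only description of that setting. Finally, "This is effective only in managed mode." is now pasted into seven **Enabled.** cells but not into the "Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device" row; either add it there as well or state the managed-mode scope once in the text that introduces the table instead of per row.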
@@ -31,6 +28,9 @@ The threat landscape is continually evolving. While hackers are busy developing Your environment must have the following hardware to run Microsoft Defender Application Guard. +> [!NOTE] +> Application Guard currently isn't supported on Windows 11 ARM64 devices. + | Hardware | Description | |--------|-----------| | 64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| @@ -45,6 +45,6 @@ Your environment must have the following hardware to run Microsoft Defender Appl | Software | Description | |--------|-----------| -| Operating system | Windows 10 Enterprise edition, version 1809 or higher
          Windows 10 Professional edition, version 1809 or higher
          Windows 10 Professional for Workstations edition, version 1809 or higher
          Windows 10 Professional Education edition, version 1809 or higher
          Windows 10 Education edition, version 1809 or higher
          Professional editions are only supported for non-managed devices; Intune or any other third-party mobile device management (MDM) solutions aren't supported with MDAG for Professional editions.
          Windows 11 | +| Operating system | Windows 10 Enterprise edition, version 1809 or later
          Windows 10 Professional edition, version 1809 or later
          Windows 10 Professional for Workstations edition, version 1809 or later
          Windows 10 Professional Education edition, version 1809 or later
          Windows 10 Education edition, version 1809 or later
          Windows 11 Education, Enterprise, and Professional editions | | Browser | Microsoft Edge | | Management system
          (only for managed devices)| [Microsoft Intune](/intune/)

          **OR**

          [Microsoft Endpoint Configuration Manager](/configmgr/)

          **OR**

          [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

          **OR**

          Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Mirosoft MDM solutions, see the documentation that came with your product. | diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md index 3f1a94a7ad..59695ee06d 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md @@ -2,8 +2,8 @@ title: Microsoft Defender SmartScreen overview description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. ms.prod: m365-security -author: mjcaparas -ms.author: macapara +author: dansimp +ms.author: dansimp ms.localizationpriority: high ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md index f85611c594..fe15669214 100644 --- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md +++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md 
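Review bot: in the `@@ -45,6 +45,6 @@` software-requirements hunk of reqs-md-app-guard.md above, the removed line "Professional editions are only supported for non-managed devices; Intune or any other third-party mobile device management (MDM) solutions aren't supported with MDAG for Professional editions." is not replaced by anything, yet the "Management system (only for managed devices)" row below it still lists Intune, Configuration Manager, Group Policy and third-party MDM without qualification. If Pro editions now support managed mode, state that explicitly, since the configure-md-app-guard.md hunk in this same PR adds "This is effective only in managed mode" to rows that list Windows 10 Pro and the two pages should agree; if they don't, keep the caveat. While touching this table, fix the typo "non-Mirosoft" in the unchanged last cell.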
@@ -49,7 +49,7 @@ The general steps for expanding the S mode base policy on your Intune-managed de - Create a new base policy using [New-CIPolicy](/powershell/module/configci/new-cipolicy?view=win10-ps&preserve-view=true) ```powershell - New-CIPolicy -MultiplePolicyFormat -ScanPath -UserPEs -FilePath "\SupplementalPolicy.xml" -Level Publisher -Fallback Hash + New-CIPolicy -MultiplePolicyFormat -ScanPath -UserPEs -FilePath "\SupplementalPolicy.xml" -Level FilePublisher -Fallback SignedVersion,Publisher,Hash ``` - Change it to a supplemental policy using [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo?view=win10-ps&preserve-view=true) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md index e30b2c517a..b7d7521a48 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md @@ -3,13 +3,13 @@ title: Script rules in AppLocker (Windows) description: This article describes the file formats and available default rules for the script rule collection. ms.assetid: fee24ca4-935a-4c5e-8a92-8cf1d134d35f ms.reviewer: -ms.author: macapara +ms.author: dansimp ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: mjcaparas +author: dansimp manager: dansimp audience: ITPro ms.collection: M365-security-compliance diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md index f99766832e..005c1ddcc2 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md @@ -3,13 +3,13 @@ title: Understand AppLocker enforcement settings (Windows) description: This topic describes the AppLocker enforcement settings for rule collections. ms.assetid: 48773007-a343-40bf-8961-b3ff0a450d7e ms.reviewer: -ms.author: macapara +ms.author: dansimp ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: mjcaparas +author: dansimp manager: dansimp audience: ITPro ms.collection: M365-security-compliance diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md index 8b30f46fa9..ca600a98a7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md 
@@ -59,7 +59,7 @@ To familiarize yourself with creating WDAC rules from audit events, follow these 4. Use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to generate a new WDAC policy from logged audit events. This example uses a **FilePublisher** file rule level and a **Hash** fallback level. Warning messages are redirected to a text file **EventsPolicyWarnings.txt**. ```powershell - New-CIPolicy -FilePath $EventsPolicy -Audit -Level FilePublisher -Fallback Hash –UserPEs -MultiplePolicyFormat 3> $EventsPolicyWarnings + New-CIPolicy -FilePath $EventsPolicy -Audit -Level FilePublisher -Fallback SignedVersion,FilePublisher,Hash –UserPEs -MultiplePolicyFormat 3> $EventsPolicyWarnings ``` > [!NOTE] diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 3bb07036ab..cb5391c9a3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: jogeurte ms.author: dansimp manager: dansimp -ms.date: 05/12/2022 +ms.date: 08/26/2022 ms.technology: windows-sec --- 
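Review bot: in the `@@ -59,7 +59,7 @@` hunk of audit-windows-defender-application-control-policies.md above, the command now passes `-Fallback SignedVersion,FilePublisher,Hash`, but the unchanged sentence before it still says "This example uses a **FilePublisher** file rule level and a **Hash** fallback level"; update the prose to describe the SignedVersion and FilePublisher fallbacks too, or readers won't understand why SignedVersion rules appear in the generated policy. The equivalent command in the LOB-win32-apps-on-s.md hunk of this same PR uses `-Fallback SignedVersion,Publisher,Hash` for the same `-Level FilePublisher`; pick one fallback chain for both pages or explain why they differ. Also, `–UserPEs` uses an en dash rather than an ASCII hyphen on both the old and the new line; since the line is being edited anyway, change it to `-UserPEs` so the command copies cleanly into a console.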
@@ -29,21 +29,21 @@ ms.technology: windows-sec > [!NOTE] > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -Windows 10 (version 1703) introduced a new option for Windows Defender Application Control (WDAC), called _managed installer_, that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution such as Microsoft Endpoint Configuration Manager. +Windows Defender Application Control (WDAC) includes an option called **managed installer** that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution, such as Microsoft Endpoint Configuration Manager (MEMCM) or Microsoft Intune. ## How does a managed installer work? -Managed installer uses a special rule collection in **AppLocker** to designate binaries that are trusted by your organization as an authorized source for application installation. When one of these trusted binaries runs, Windows monitors the binary's process (and processes it launches) and watches for files being written to disk. As files are written, they're tagged as originating from a managed installer. +Managed installer uses a special rule collection in **AppLocker** to designate binaries that are trusted by your organization as an authorized source for application installation. When one of these trusted binaries runs, Windows monitors the binary's process (and any child processes it launches) and watches for files being written to disk. As files are written, they're tagged as originating from a managed installer. 
You can then configure WDAC to trust files that are installed by a managed installer by adding the "Enabled:Managed Installer" option to your WDAC policy. When that option is set, WDAC will check for managed installer origin information when determining whether or not to allow a binary to run. As long as there are no deny rules for the binary, WDAC will allow it to run based purely on its managed installer origin. ## Security considerations with managed installer -Since managed installer is a heuristic-based mechanism, it doesn't provide the same security guarantees that explicit allow or deny rules do. The managed installer is best suited for use where each user operates as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager. +Since managed installer is a heuristic-based mechanism, it doesn't provide the same security guarantees as explicit allow or deny rules do. Managed installer is best suited where users operate as standard user, and where all software is deployed and installed by a software distribution solution such as MEMCM. -Users with administrator privileges, or malware running as an administrator user on the system, may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed. +Users with administrator privileges, or malware running as an administrator user on the system, may be able to circumvent the intent of your WDAC policies when the managed installer option is allowed. -If a managed installer process runs in the context of a user with standard privileges, then it's possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control. 
+If a managed installer process runs in the context of a user with standard privileges, then it's possible that standard users or malware running as standard user may be able to circumvent the intent of your WDAC policies. Some application installers may automatically run the application at the end of the installation process. If the application runs automatically, and the installer was run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files that are created during the first run of the application. This extension could result in unintentional authorization of an executable. To avoid that, ensure that the method of application deployment that is used as a managed installer limits running applications as part of installation. 
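Review bot: in the `@@ -29,21 +29,21 @@` hunk of configure-authorized-apps-deployed-with-a-managed-installer.md above, "Managed installer is best suited where users operate as standard user" should read "as standard users", and "doesn't provide the same security guarantees as explicit allow or deny rules do" reads better without the trailing "do". Dropping "Windows 10 (version 1703) introduced" also removes the only statement of the minimum Windows version that supports managed installer; the `> [!NOTE]` above the paragraph defers to feature-availability.md, so either confirm that page lists managed installer or keep the version here. The security-considerations paragraphs that follow are the important part of this page and the rewording keeps their meaning (admin users or malware running as admin, and a managed installer that runs as a standard user, both defeat the heuristic); consider adding one sentence that the mitigation is to run the installer service as a dedicated account rather than the interactive user, since the paragraph names the risk but not what to do about it.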
@@ -62,9 +62,13 @@ To turn on managed installer tracking, you must: - Create and deploy an AppLocker policy that defines your managed installer rules and enables services enforcement for executables and DLLs. - Enable AppLocker's Application Identity and AppLockerFltr services. +> [!NOTE] +> MEMCM will automatically configure itself as a managed installer, and enable the required AppLocker components, if you deploy one of its inbox WDAC policies. If you are configuring MEMCM as a managed installer using any other method, additional setup is required. Use the [**ManagedInstaller** cmdline switch in your ccmsetup.exe setup](/mem/configmgr/core/clients/deploy/about-client-installation-properties#managedinstaller). Or you can deploy one of the MEMCM inbox audit mode policies alongside your custom policy. + ### Create and deploy an AppLocker policy that defines your managed installer rules and enables services enforcement for executables and DLLs -Currently, both the AppLocker policy creation UI in GPO Editor and the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, you can use an XML or text editor to convert an EXE rule collection policy into a ManagedInstaller rule collection. +The AppLocker policy creation UI in GPO Editor and the AppLocker PowerShell cmdlets can't be directly used to create rules for the Managed Installer rule collection. However, you can use an XML or text editor to convert an EXE rule collection policy into a ManagedInstaller rule collection. + > [!NOTE] > Only EXE file types can be designated as managed installers. diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md index 70a4c7cad7..63d3ee3fe4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md @@ -31,7 +31,7 @@ ms.technology: windows-sec ## Using fsutil to query SmartLocker EA -Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph enabled can use fsutil to determine whether a file was allowed to run by one of these features. This verification can be done by querying the EAs on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This EA's presence can be used in conjunction with enabling the MI and ISG logging events. +Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph (ISG) enabled can use fsutil to determine whether a file was allowed to run by one of these features. This verification can be done by querying the Extended Attributes (EAs) on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This EA's presence can be used in conjunction with enabling the MI and ISG logging events. **Example:** diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md index cd197228e8..b81414e10f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md 
@@ -45,7 +45,7 @@ To create effective Windows Defender Application Control deny policies, it's cru 5. If no rule exists for the file and it's not allowed based on ISG or MI, then the file is blocked implicitly. > [!NOTE] -> If your Windows Defender Application Control policy does not have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC will not make a call to the cloud. For more details, see [How does the integration between WDAC and the Intelligent Security Graph work?](use-windows-defender-application-control-with-intelligent-security-graph.md#how-does-the-integration-between-wdac-and-the-intelligent-security-graph-work). +> If your Windows Defender Application Control policy does not have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC will not make a call to the cloud. For more details, see [How does the integration between WDAC and the Intelligent Security Graph work?](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph#how-does-wdac-work-with-the-isg). ## Interaction with Existing Policies 
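Review bot: The rewritten NOTE still says, unconditionally, that "WDAC will make a call to the cloud" whenever no explicit allow or deny rule matches, but that call only happens when the policy has the Intelligent Security Graph option turned on (the ISG article this links to describes it as an option you set). Suggest qualifying it: "If your policy has the Intelligent Security Graph option enabled and does not have an explicit rule to allow or deny a binary, then WDAC will make a call to the cloud ...". Also confirm that the new anchor `#how-does-wdac-work-with-the-isg` exists in the target article, since the link was changed from a relative path to a site-absolute one and the old anchor text no longer matches.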
@@ -126,13 +126,13 @@ Deny rules and policies can be created using the PowerShell cmdlets or the [WDAC ### Software Publisher Based Deny Rule ```Powershell -$DenyRules += New-CIPolicyRule -Level FilePublisher -DriverFilePath -Deny -Fallback FileName,Hash +$DenyRules += New-CIPolicyRule -Level FilePublisher -DriverFilePath -Fallback SignedVersion,Publisher,Hash -Deny ``` ### Software Attributes Based Deny Rule ```Powershell -$DenyRules += New-CIPolicyRule -Level FileName -DriverFilePath -Deny -Fallback Hash +$DenyRules += New-CIPolicyRule -Level FileName -DriverFilePath -Fallback Hash -Deny ``` ### Hash Based Deny Rule diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index 9cb8de44f4..2ef75b15be 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md 
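Review bot: In the Software Publisher Based Deny Rule example, `-Fallback SignedVersion,Publisher,Hash` on a `-Deny` rule means that when the FilePublisher and SignedVersion attributes can't be derived from the file, the generated rule denies everything signed by that publisher, not just the one binary. Either drop `Publisher` from the fallback list for deny rules, or add a sentence telling the reader to inspect the level of the rule that was actually generated before merging it, since an over-broad deny rule blocks every file from that signer.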
@@ -30,14 +30,14 @@ ms.technology: windows-sec >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -This section outlines the process to create a Windows Defender Application Control (WDAC) policy for **lightly managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this topic. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC-managed devices as described in later topics. +This section outlines the process to create a Windows Defender Application Control (WDAC) policy for **lightly managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this article. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC-managed devices as described in later articles. > [!NOTE] > Some of the Windows Defender Application Control options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs. -As in the [previous topic](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. 
Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. +As in the [previous article](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. -**Alice Pena** is the IT team lead tasked with the rollout of WDAC. Recognizing where Lamna is starting from, with loose application usage policies and a culture of maximum app flexibility for users, Alice knows that she'll need to take an incremental approach to application control and use different policies for different workloads. +**Alice Pena** is the IT team lead tasked with the rollout of WDAC. Recognizing that Lamna currently has loose application usage policies and a culture of maximum app flexibility for users, Alice knows she'll need to take an incremental approach to application control and use different policies for different workloads. For most users and devices, Alice wants to create an initial policy that is as relaxed as possible in order to minimize user productivity impact, while still providing security value. @@ -112,7 +112,7 @@ Alice follows these steps to complete this task: Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security ``` -6. Add rules to allow windir and Program Files directories: +6. Add rules to allow the Windows and Program Files directories: ```powershell $PathRules += New-CIPolicyRule -FilePathRule "%windir%\*" 
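Review bot: The "topic" to "article" terminology change in the @@ -30,14 hunk is applied to the two rewritten paragraphs, but the unchanged context line between them ("Some of the Windows Defender Application Control options described in this topic ... When using this topic to plan ...") still says "topic" twice; update it in the same change so the article is consistent.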
@@ -133,7 +133,7 @@ Alice follows these steps to complete this task: ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin ``` -9. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration). +9. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/), or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration). At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna. @@ -142,7 +142,7 @@ At this point, Alice now has an initial policy that is ready to deploy in audit In order to minimize user productivity impact, Alice has defined a policy that makes several trade-offs between security and user app flexibility. Some of the trade-offs include: - **Users with administrative access**
          - By far the most impactful security trade-off, this trade-off allows the device user (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer that would allow them to gain persistent app authorization for whatever apps or binaries they wish. + This is by far the most impactful security trade-off and allows the device user, or malware running with the user's privileges, to modify or remove the WDAC policy on the device. Additionally, administrators can configure any app to act as a managed installer, which would allow them to gain persistent app authorization for whatever apps or binaries they wish. Possible mitigations: - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. @@ -161,10 +161,10 @@ In order to minimize user productivity impact, Alice has defined a policy that m - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer. - Limit who can elevate to administrator on the device. - **Intelligent Security Graph (ISG)**
          - See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#security-considerations-with-the-intelligent-security-graph) + See [security considerations with the Intelligent Security Graph](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph#security-considerations-with-the-isg-option) Possible mitigations: - - Implement policies requiring apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature-based rules. + - Implement policies requiring that apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature-based rules. - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection. - **Supplemental policies**
          Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md index 65565ec200..cfea5dc30f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 -ms.reviewer: isbrahm +ms.reviewer: jgeurten ms.author: dansimp manager: dansimp ms.date: 02/28/2018 @@ -49,7 +49,9 @@ To create a catalog file, you use a tool called **Package Inspector**. You must 2. Start Package Inspector, and then start scanning a local drive, for example, drive C: - `PackageInspector.exe Start C:` + ```powershell + PackageInspector.exe Start C: + ``` > [!NOTE] > Package inspector can monitor installations on any local drive. Specify the appropriate drive on the local computer. 
@@ -77,13 +79,12 @@ To create a catalog file, you use a tool called **Package Inspector**. You must For the last command, which stops Package Inspector, be sure to type the drive letter of the drive you have been scanning, for example, C:. - `$ExamplePath=$env:userprofile+"\Desktop"` - - `$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"` - - `$CatDefName=$ExamplePath+"\LOBApp.cdf"` - - `PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName` + ```powershell + $ExamplePath=$env:userprofile+"\Desktop" + $CatFileName=$ExamplePath+"\LOBApp-Contoso.cat" + $CatDefName=$ExamplePath+"\LOBApp.cdf" + PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName + ``` >[!NOTE] >Package Inspector catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries' hash values. @@ -125,15 +126,18 @@ To sign the existing catalog file, copy each of the following commands into an e 1. Initialize the variables that will be used. Replace the *$ExamplePath* and *$CatFileName* variables as needed: - `$ExamplePath=$env:userprofile+"\Desktop"` - - `$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"` + ```powershell + $ExamplePath=$env:userprofile+"\Desktop" + $CatFileName=$ExamplePath+"\LOBApp-Contoso.cat" + ``` 2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user's personal store. 3. Sign the catalog file with Signtool.exe: - ` sign /n "ContosoDGSigningCert" /fd sha256 /v $CatFileName` + ```powershell + sign /n "ContosoDGSigningCert" /fd sha256 /v $CatFileName + ``` >[!NOTE] >The *<Path to signtool.exe>* variable should be the full path to the Signtool.exe utility. *ContosoDGSigningCert* represents the subject name of the certificate that you will use to sign the catalog file. This certificate should be imported to your personal certificate store on the computer on which you are attempting to sign the catalog file. 
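Review bot: The Signtool command in step 3 now reads `sign /n "ContosoDGSigningCert" /fd sha256 /v $CatFileName` with nothing in front of `sign`, while the NOTE directly below tells the reader that the *<Path to signtool.exe>* variable should be the full path to Signtool.exe. Put the executable placeholder back at the start of the fenced line (in a powershell fence that would be `& "<Path to signtool.exe>" sign ...`) so the command matches the note and runs as written.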
@@ -156,16 +160,20 @@ After the catalog file is signed, add the signing certificate to a WDAC policy, 1. If you haven't already verified the catalog file digital signature, right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with the algorithm you expect. -2. If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to create a Windows Defender Application Control policy that you'll later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder**: +2. If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to create a Windows Defender Application Control policy that you will later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder** by scanning the system and allowlisting by signer and original filename: - `New-CIPolicy -Level PcaCertificate -FilePath C:\PolicyFolder\CatalogSignatureOnly.xml –UserPEs` + ```powershell + New-CIPolicy -Level FilePublisher -FilePath C:\PolicyFolder\CatalogSignatureOnly.xml –UserPEs -MultiplePolicyFormat -Fallback SignedVersion,Publisher,Hash + ``` > [!NOTE] > Include the **-UserPEs** parameter to ensure that the policy includes user mode code integrity. -3. Use [Add-SignerRule](/powershell/module/configci/add-signerrule) to add the signing certificate to the WDAC policy, filling in the correct path and filenames for `` and ``: +3. 
Use [Add-SignerRule](/powershell/module/configci/add-signerrule) to add the signing certificate to the WDAC policy, filling in the correct path and filenames for `` and ``: - `Add-SignerRule -FilePath -CertificatePath -User` + ```powershell + Add-SignerRule -FilePath -CertificatePath -User + ``` If you used step 2 to create a new WDAC policy, and want information about merging policies together, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index dbe28e8b2a..b3cffd3fb8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md 
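Review bot: Step 2's example no longer matches its stated purpose. The file is called CatalogSignatureOnly.xml and the text says it exists only to carry the catalog signing certificate into another policy, but `New-CIPolicy -Level FilePublisher ... -UserPEs -MultiplePolicyFormat -Fallback SignedVersion,Publisher,Hash` scans the whole reference system and emits allow rules for every binary it finds, down to hash level, all of which the reader is then told to merge into a production policy. The old `-Level PcaCertificate` form was at least narrow. Suggest either limiting the scan with `-ScanPath` to an empty folder, or adding a sentence telling the reader to remove the scan-generated rules and keep only the signer rule added in step 3. Also, with `-MultiplePolicyFormat` the result is a base policy in the multiple-policy format; the merge link should say what to do if the target policy is in the single-policy format.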
@@ -56,19 +56,19 @@ Prior to Windows 10 1903, Windows Defender Application Control only supported a In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](/powershell/module/configci/new-cipolicy?preserve-view=true&view=win10-ps) results in 1) unique GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below example describes the process of creating a new policy in the multiple policy format. ```powershell -New-CIPolicy -MultiplePolicyFormat -ScanPath "" -UserPEs -FilePath ".\policy.xml" -Level Publisher -Fallback Hash +New-CIPolicy -MultiplePolicyFormat -ScanPath "" -UserPEs -FilePath ".\policy.xml" -Level FilePublisher -Fallback SignedVersion,Publisher,Hash ``` Optionally, you can choose to make the new base policy allow for supplemental policies. ```powershell -Set-RuleOption -FilePath -Option 17 +Set-RuleOption -FilePath ".\policy.xml" -Option 17 ``` For signed base policies to allow for supplemental policies, make sure that supplemental signers are defined. Use the **Supplemental** switch in **Add-SignerRule** to provide supplemental signers. ```powershell -Add-SignerRule -FilePath -CertificatePath [-Kernel] [-User] [-Update] [-Supplemental] [-Deny] [] +Add-SignerRule -FilePath ".\policy.xml" -CertificatePath [-Kernel] [-User] [-Update] [-Supplemental] [-Deny] ``` ### Supplemental policy creation 
@@ -79,12 +79,9 @@ In order to create a supplemental policy, begin by creating a new policy in the - "BasePolicyToSupplementPath": path to base policy file that the supplemental policy applies to ```powershell -Set-CIPolicyIdInfo [-FilePath] [-PolicyName ] [-SupplementsBasePolicyID ] [-BasePolicyToSupplementPath ] [-ResetPolicyID] [-PolicyId ] [] +Set-CIPolicyIdInfo -FilePath ".\supplemental_policy.xml" [-SupplementsBasePolicyID ] [-BasePolicyToSupplementPath ] -PolicyId -PolicyName ``` -> [!NOTE] -> **ResetPolicyId** reverts a supplemental policy to a base policy, and resets the policy GUIDs back to a random GUID. - ### Merging policies When you're merging policies, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \, then regardless of what the GUIDs and types are for any subsequent policies, the merged policy will be a base policy with ID \. diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md index 407a00c553..9db5920c58 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md 
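Review bot: The ResetPolicyID NOTE is deleted without a replacement, and the new `Set-CIPolicyIdInfo` example marks `-PolicyId` and `-PolicyName` as required while both `-SupplementsBasePolicyID` and `-BasePolicyToSupplementPath` remain in brackets as optional; a supplemental policy needs one of those two, or the bullets above the example don't make sense. Suggest keeping a one-line note that `-ResetPolicyID` regenerates the policy GUIDs and turns a supplemental policy back into a base policy, and rewriting the example so that exactly one of the two supplement parameters is shown as required.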
@@ -1,21 +1,16 @@ --- title: Deploy WDAC policies using Mobile Device Management (MDM) (Windows) description: You can use an MDM like Microsoft Intune to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide. -keywords: security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security +ms.prod: windows-client +ms.technology: itpro-security ms.localizationpriority: medium -audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: isbrahm -ms.author: dansimp -manager: dansimp +ms.author: vinpa +manager: aaroncz ms.date: 06/27/2022 -ms.technology: windows-sec +ms.topic: how-to --- # Deploy WDAC policies using Mobile Device Management (MDM) @@ -61,13 +56,13 @@ The steps to use Intune's custom OMA-URI functionality are: 1. Know a generated policy's GUID, which can be found in the policy xml as `` -2. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. +2. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet in order to be deployed. The binary policy may be signed or unsigned. 3. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10). 4. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings: - - **OMA-URI**: ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy - - **Data type**: Base64 + - **OMA-URI**: `./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy` + - **Data type**: Base64 (file) - **Certificate file**: upload your binary format policy file. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf. > [!div class="mx-imgBorder"] 
@@ -86,13 +81,13 @@ Upon deletion, policies deployed through Intune via the ApplicationControl CSP a The steps to use Intune's Custom OMA-URI functionality to apply the [AppLocker CSP](/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are: -1. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. +1. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet in order to be deployed. The binary policy may be signed or unsigned. 2. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10). 3. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings: - - **OMA-URI**: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy) - - **Data type**: Base64 + - **OMA-URI**: `./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy` + - **Data type**: Base64 (file) - **Certificate file**: upload your binary format policy file > [!NOTE] diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 498ab02284..0a280940df 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md 
@@ -1,21 +1,16 @@ --- -title: Microsoft recommended block rules (Windows) +title: Microsoft recommended block rules description: View a list of recommended block rules, based on knowledge shared between Microsoft and the wider security community. -keywords: security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: m365-security -ms.technology: windows-sec -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security +ms.prod: windows-client +ms.technology: itpro-security ms.localizationpriority: medium -audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: isbrahm -ms.author: dansimp -manager: dansimp +ms.author: vinpa +manager: aaroncz ms.date: 09/29/2021 +ms.topic: reference --- # Microsoft recommended block rules @@ -75,7 +70,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you - wslconfig.exe - wslhost.exe -1 A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here [BGInfo 4.22](/sysinternals/downloads/bginfo). BGInfo versions earlier than 4.22 are still vulnerable and should be blocked. +1 A vulnerability in bginfo.exe was fixed in version 4.22. If you use BGInfo, for security, make sure to download and run the latest version of [BGInfo](/sysinternals/downloads/bginfo). BGInfo versions earlier than 4.22 are still vulnerable and should be blocked. 2 If you're using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. However, if your reference system is an end-user device that isn't being used in a development context, we recommend that you block msbuild.exe. 
@@ -107,11 +102,11 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you Certain software applications may allow other code to run by design. Such applications should be blocked by your Windows Defender Application Control policy. In addition, when an application version is upgraded to fix a security vulnerability or potential Windows Defender Application Control bypass, you should add *deny* rules to your application control policies for that application’s previous, less secure versions. -Microsoft recommends that you install the latest security updates. The June 2017 Windows updates resolve several issues in PowerShell modules that allowed an attacker to bypass Windows Defender Application Control. These modules can't be blocked by name or version, and therefore must be blocked by their corresponding hashes. +Microsoft recommends that you install the latest security updates. For example, updates help resolve several issues in PowerShell modules that allowed an attacker to bypass Windows Defender Application Control. These modules can't be blocked by name or version, and therefore must be blocked by their corresponding hashes. -For October 2017, we're announcing an update to system.management.automation.dll in which we're revoking older versions by hash values, instead of version rules. +As of October 2017, system.management.automation.dll is updated to revoke earlier versions by hash values, instead of version rules. -Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet. 
Beginning with the March 2019 quality update, each version of Windows requires blocking a specific version of the following files: +Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet. As of March 2019, each version of Windows requires blocking a specific version of the following files: - msxml3.dll - msxml6.dll diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index e1f7559c0d..0194121a74 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -10,11 +10,11 @@ ms.pagetype: security ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance -author: dansimp -ms.reviewer: isbrahm +author: jgeurten +ms.reviewer: jsuther1974 ms.author: dansimp manager: dansimp -ms.date: 06/28/2022 +ms.date: 08/29/2022 ms.technology: windows-sec --- 
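Review bot: "As of October 2017, system.management.automation.dll is updated to revoke earlier versions by hash values, instead of version rules" is now wrong: the DLL doesn't revoke anything, the recommended block policy is what revokes older versions of the DLL by hash rather than by version. Suggest "As of October 2017, the recommended block rules revoke older versions of system.management.automation.dll by hash value instead of by version rule." In the same hunk, replacing "The June 2017 Windows updates resolve several issues ..." with "For example, updates help resolve several issues ..." drops the only concrete statement of which update fixed the PowerShell module bypasses; keep the date, because the reader needs it to decide whether a given system still requires the hash-based deny rules.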
@@ -120,6 +120,9 @@ As part of normal operations, they'll eventually install software updates, or pe Windows Defender Application Control has a built-in file rule conflict logic that translates to precedence order. It will first process all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deployment/deploy-wdac-policies-with-memcm.md). Lastly, if none of these sets exist, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). +> [!NOTE] +> For others to better understand the WDAC policies that have been deployed, we recommend maintaining separate ALLOW and DENY policies on Windows 10, version 1903 and later. + ## More information about filepath rules Filepath rules don't provide the same security guarantees that explicit signer rules do, since they're based on mutable access permissions. Filepath rules are best suited for environments where most users are running as standard rather than admin. Path rules are best suited to allow paths that you expect will remain admin-writeable only. You may want to avoid path rules for directories where standard users can modify ACLs on the folder. 
@@ -139,7 +142,7 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`. > [!NOTE] -> For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on Windows 10, version 1903 and later. +> When authoring WDAC policies with Microsoft Endpoint Configuration Manager (MEMCM), you can instruct MEMCM to create rules for specified files and folders. These rules **aren't** WDAC filepath rules. Rather, MEMCM performs a one-time scan of the specified files and folders and builds rules for any binaries found in those locations at the time of that scan. File changes to those specified files and folders after that scan won't be allowed unless the MEMCM policy is reapplied. > [!NOTE] > There is currently a bug where MSIs cannot be allow listed in file path rules. MSIs must be allow listed using other rule types, for example, publisher rules or file attribute rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md index c731e404ee..bcfc28eb19 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md 
@@ -1,21 +1,15 @@ --- title: Understanding Windows Defender Application Control (WDAC) secure settings description: Learn about secure settings in Windows Defender Application Control. -keywords: security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security +ms.prod: windows-client +ms.technology: itpro-security ms.localizationpriority: medium -audience: ITPro ms.collection: M365-security-compliance author: jgeurten -ms.reviewer: jgeurten -ms.author: dansimp -manager: dansimp +ms.reviewer: vinpa +ms.author: jogeurte +manager: aaroncz ms.date: 10/11/2021 -ms.technology: mde --- # Understanding WDAC Policy Settings diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index 0adc4cb74e..e430a2a554 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md 
@@ -30,31 +30,33 @@ ms.technology: windows-sec Application control can be difficult to implement in organizations that don't deploy and manage applications through an IT-managed system. In such environments, users can acquire the applications they want to use for work, making it hard to build an effective application control policy. -Beginning with Windows 10, version 1709, you can set an option to automatically allow applications that the Microsoft Intelligent Security Graph recognizes as having known good reputation. The ISG option helps organizations begin to implement application control even when the organization has limited control over their app ecosystem. To learn more about the Microsoft Intelligent Security Graph, see the Security section in [Major services and features in Microsoft Graph](/graph/overview-major-services). +To reduce end-user friction and helpdesk calls, you can set Windows Defender Application Control (WDAC) to automatically allow applications that Microsoft's Intelligent Security Graph (ISG) recognizes as having known good reputation. The ISG option helps organizations begin to implement application control even when the organization has limited control over their app ecosystem. To learn more about the ISG, see the Security section in [Major services and features in Microsoft Graph](/graph/overview-major-services). -## How does the integration between WDAC and the Intelligent Security Graph work? +> [!WARNING] +> Binaries that are critical to boot the system must be allowed using explicit rules in your WDAC policy. Do not rely on the ISG to authorize these files. +> +> The ISG option is not the recommended way to allow apps that are business critical. You should always authorize business critical apps using explicit allow rules or by installing them with a [managed installer](/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer). 
-The ISG uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having "known good," "known bad," or "unknown" reputation. When a binary runs on a system, with Windows Defender Application Control (WDAC) enabled with the ISG option, WDAC checks the file's reputation, by sending its hash and signing information to the cloud. If the ISG reports that the file has a "known good" reputation, the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) is written to the file. +## How does WDAC work with the ISG? -If your WDAC policy doesn't have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC won't make a call to the cloud. +The ISG isn't a "list" of apps. Rather, it uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having "known good", "known bad", or "unknown" reputation. This cloud-based AI is based on trillions of signals collected from Windows endpoints and other data sources, and processed every 24 hours. As a result, the decision from the cloud can change. -If the file with good reputation is an application installer, its reputation will pass along to any files that it writes to disk. This way, all the files needed to install and run an app inherit the positive reputation data from the installer. +WDAC only checks the ISG for binaries that aren't explicitly allowed or denied by your policy, and that weren't installed by a managed installer. When such a binary runs on a system with WDAC enabled with the ISG option, WDAC will check the file's reputation by sending its hash and signing information to the cloud. 
If the ISG reports that the file has a "known good" reputation, then the file will be allowed to run. Otherwise, it will be blocked by WDAC. -WDAC periodically re-queries the reputation data on a file. Additionally, enterprises can specify that any cached reputation results are flushed on reboot by using the **Enabled:Invalidate EAs on Reboot** option. +If the file with good reputation is an application installer, the installer's reputation will pass along to any files that it writes to disk. This way, all the files needed to install and run an app inherit the positive reputation data from the installer. Files authorized based on the installer's reputation will have the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) written to the file. ->[!NOTE] ->Admins should make sure there is a Windows Defender Application Control policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, such as custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both Microsoft Endpoint Configuration Manager and Microsoft Endpoint Manager Intune can be used to create and push a WDAC policy to your client machines. +WDAC periodically requeries the reputation data on a file. Additionally, enterprises can specify that any cached reputation results are flushed on reboot by using the **Enabled:Invalidate EAs on Reboot** option. -## Configuring Intelligent Security Graph authorization for Windows Defender Application Control +## Configuring ISG authorization for your WDAC policy -Setting up the ISG is easy using any management solution you wish. 
Configuring the Microsoft Intelligent Security Graph option involves these basic steps: +Setting up the ISG is easy using any management solution you wish. Configuring the ISG option involves these basic steps: -- [Ensure that the Microsoft Intelligent Security Graph option is enabled in the WDAC policy XML](#ensure-that-the-intelligent-security-graph-option-is-enabled-in-the-wdac-policy-xml) -- [Enable the necessary services to allow WDAC to use the Microsoft Intelligent Security Graph correctly on the client](#enable-the-necessary-services-to-allow-wdac-to-use-the-isg-correctly-on-the-client) +- [Ensure that the **Enabled:Intelligent Security Graph authorization** option is set in the WDAC policy XML](#ensure-that-the-isg-option-is-set-in-the-wdac-policy-xml) +- [Enable the necessary services to allow WDAC to use the ISG correctly on the client](#enable-the-necessary-services-to-allow-wdac-to-use-the-isg-correctly-on-the-client) -### Ensure that the Intelligent Security Graph option is enabled in the WDAC policy XML +### Ensure that the ISG option is set in the WDAC policy XML -To allow apps and binaries based on the Microsoft Intelligent Security Graph, the **Enabled:Intelligent Security Graph authorization** option must be specified in the Windows Defender Application Control policy. This step can be done with the Set-RuleOption cmdlet. You should also enable the **Enabled:Invalidate EAs on Reboot** option so that ISG results are verified again after each reboot. The ISG option isn't recommended for devices that don't have regular access to the internet. The following example shows both options being set. +To allow apps and binaries based on the Microsoft Intelligent Security Graph, the **Enabled:Intelligent Security Graph authorization** option must be specified in the WDAC policy. This step can be done with the Set-RuleOption cmdlet. You should also set the **Enabled:Invalidate EAs on Reboot** option so that ISG results are verified again after each reboot. 
The ISG option isn't recommended for devices that don't have regular access to the internet. The following example shows both options set. ```xml 
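Review bot: the rewritten EA sentence in this hunk contradicts the paragraph that follows it. The removed line said $KERNEL.SMARTLOCKER.ORIGINCLAIM is written whenever the ISG reports a file as "known good"; the new text says it is written only to "Files authorized based on the installer's reputation", yet the next (unchanged) paragraph still describes cached reputation results being flushed by **Enabled:Invalidate EAs on Reboot**, and the Security considerations section further down relies on the EA being the artifact a kernel-mode process can forge. If the EA is also the cache for direct ISG verdicts, keep the original sentence (or say "Files authorized by the ISG, including those inheriting an installer's reputation, will have the ... EA written"); if it isn't, say what the cache actually is so the "Invalidate EAs" option makes sense. Minor: the sentence "If the ISG reports that the file has a 'known good' reputation, then the file will be allowed to run" now precedes the installer paragraph, so consider moving the inheritance text ahead of it to keep the allow/block decision as the conclusion.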
@@ -84,50 +86,29 @@ To allow apps and binaries based on the Microsoft Intelligent Security Graph, th ### Enable the necessary services to allow WDAC to use the ISG correctly on the client -In order for the heuristics used by the ISG to function properly, many components in Windows must be enabled. You can configure these components by running the appidtel executable in `c:\windows\system32`. +In order for the heuristics used by the ISG to function properly, other components in Windows must be enabled. You can configure these components by running the appidtel executable in `c:\windows\system32`. ```console appidtel start ``` -This step isn't required for Windows Defender Application Control policies deployed over MDM, as the CSP will enable the necessary components. This step is also not required when the ISG is configured using Configuration Manager's WDAC integration. +This step isn't required for WDAC policies deployed over MDM, as the CSP will enable the necessary components. This step is also not required when the ISG is configured using Configuration Manager's WDAC integration. -## Security considerations with the Intelligent Security Graph +## Security considerations with the ISG option -Since the Microsoft Intelligent Security Graph is a heuristic-based mechanism, it doesn't provide the same security guarantees that explicit allow or deny rules do. It's best suited where users operate with standard user rights and where a security monitoring solution like Microsoft Defender for Endpoint is used. +Since the ISG is a heuristic-based mechanism, it doesn't provide the same security guarantees as explicit allow or deny rules. It's best suited where users operate with standard user rights and where a security monitoring solution like Microsoft Defender for Endpoint is used. -Processes running with kernel privileges can circumvent WDAC by setting the ISG extended file attribute to make a binary appear to have known good reputation. 
Also, since the ISG option passes along reputation from application installers to the binaries they write to disk, it can over-authorize files in some cases where the installer launches the application upon completion. +Processes running with kernel privileges can circumvent WDAC by setting the ISG extended file attribute to make a binary appear to have known good reputation. -## Using fsutil to query SmartLocker EA -Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph enabled can use fsutil to determine whether a file was allowed to run by one of these features. This verification can be done by querying the EAs on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This EA's presence can be used in conjunction with enabling the MI and ISG logging events. +Also, since the ISG option passes along reputation from app installers to the binaries they write to disk, it can over-authorize files in some cases. For example, if the installer launches the app upon completion, any files the app writes during that first run will also be allowed. -#### Example +## Known limitations with using the ISG -```console -fsutil file queryEA C:\Users\Temp\Downloads\application.exe +Since the ISG only allows binaries that are "known good", there are cases where the ISG may be unable to predict whether legitimate software is safe to run. If that happens, the software will be blocked by WDAC. In this case, you need to allow the software with a rule in your WDAC policy, deploy a catalog signed by a certificate trusted in the WDAC policy, or install the software from a WDAC managed installer. Installers or applications that dynamically create binaries at runtime, and self-updating applications, may exhibit this symptom. 
-Extended Attributes (EA) information for file C:\Users\Temp\Downloads\application.exe: - -Ea Buffer Offset: 410 -Ea Name: $KERNEL.SMARTLOCKER.ORIGINCLAIM -Ea Value Length: 7e -0000: 01 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................ -0010: b2 ff 10 66 bc a8 47 c7 00 d9 56 9d 3d d4 20 2a ...f..G...V.=. * -0020: 63 a3 80 e2 d8 33 8e 77 e9 5c 8d b0 d5 a7 a3 11 c....3.w.\...... -0030: 83 00 00 00 00 00 00 00 5c 00 00 00 43 00 3a 00 ........\...C.:. -0040: 5c 00 55 00 73 00 65 00 72 00 73 00 5c 00 6a 00 \.U.s.e.r.s.\.T. -0050: 6f 00 67 00 65 00 75 00 72 00 74 00 65 00 2e 00 e.m.p..\D.o.w.n... -0060: 52 00 45 00 44 00 4d 00 4f 00 4e 00 44 00 5c 00 l.o.a.d.\a.p.p.l. -0070: 44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 i.c.a.t.i.o.n..e.x.e -``` - -## Known limitations with using the Intelligent Security Graph - -Since the ISG only allows binaries that are known good, there are cases where legitimate software may be unknown to the ISG and will be blocked by Windows Defender Application Control (WDAC). In this case, you need to allow the software with a rule in your WDAC policy, deploy a catalog signed by a certificate trusted in the WDAC policy, or install the software from a WDAC managed installer. Installers or applications that dynamically create binaries at runtime, and self-updating applications, may exhibit this symptom. - -Packaged apps aren't supported with the Microsoft Intelligent Security Graph heuristics and will need to be separately authorized in your WDAC policy. Since packaged apps have a strong app identity and must be signed, it's straightforward to authorize these apps with your WDAC policy. +Packaged apps aren't supported with the ISG and will need to be separately authorized in your WDAC policy. 
Since packaged apps have a strong app identity and must be signed, it's straightforward to [authorize packaged apps](/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control) with your WDAC policy. The ISG doesn't authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run. > [!NOTE] -> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. Microsoft Endpoint Manager Intune's built-in Windows Defender Application Control support includes the option to trust apps with good reputation via the Microsoft Intelligent Security Graph, but it has no option to add explicit allow or deny rules. In most circumstances, customers enforcing application control need to deploy a custom WDAC policy (which can include the Microsoft Intelligent Security Graph option if desired) using [Intune's OMA-URI functionality](deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri). +> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. Microsoft Endpoint Manager Intune's built-in WDAC support includes the option to trust apps with good reputation via the ISG, but it has no option to add explicit allow or deny rules. In most cases, customers using application control will need to deploy a custom WDAC policy (which can include the ISG option if desired) using [Intune's OMA-URI functionality](deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri). diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md index f031321396..1c50e07a18 100644 
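Review bot: in the ISG hunk above, deleting the "Using fsutil to query SmartLocker EA" section removes the only documented way for an admin or responder to confirm whether the managed installer or the ISG authorized a given file (`fsutil file queryEA <path>` and look for `$KERNEL.SMARTLOCKER.ORIGINCLAIM`), and nothing in the hunk replaces it or links to a new home. That matters more now that the Security considerations section explicitly warns that kernel-privileged code can set this EA: readers are told the EA can be forged but no longer how to inspect it. Suggest keeping the section, or at minimum a one-line pointer to where it moved. If it is kept, regenerate the sample dump: in the removed example the hex bytes (`...5c 00 6a 00 6f 00 67 00 65 00 75 00 72 00 74 00 65 00...`) spell a different path than the ASCII column next to them (`T.e.m.p.\D.o.w.n.l.o.a.d.`), so the example as it stood was internally inconsistent.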
--- a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md +++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md 
@@ -84,3 +84,38 @@ As Windows 10 boots, a series of integrity measurements are taken by Windows Def After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Endpoint Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources. +## System requirements for System Guard + +|For Intel® vPro™ processors starting with Intel® Coffeelake, Whiskeylake, or later silicon|Description| +|--------|-----------| +|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more information about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more information about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| +|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs aren't supported, except Intel chips that support Platform Trust Technology (PTT), which is a type of integrated hardware TPM that meets the TPM 2.0 spec.| +|Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).| +|SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData, EfiRuntimeServicesCode, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. | +|SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory).
          Must NOT contain any mappings to code sections within EfiRuntimeServicesCode.
          Must NOT have execute and write permissions for the same page
          Must allow ONLY that TSEG pages can be marked executable and the memory map must report TSEG EfiReservedMemoryType.
          BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. | +|Modern/Connected Standby|Platforms must support Modern/Connected Standby.| +|TPM AUX Index|Platform must set up a AUX index with index, attributes, and policy that exactly corresponds to the AUX index specified in the TXT DG with a data size of exactly 104 bytes (for SHA256 AUX data). (NameAlg = SHA256)
          Platforms must set up a PS (Platform Supplier) index with:

          • Exactly the "TXT PS2" style Attributes on creation as follows:
            • AuthWrite
            • PolicyDelete
            • WriteLocked
            • WriteDefine
            • AuthRead
            • WriteDefine
            • NoDa
            • Written
            • PlatformCreate
          • A policy of exactly PolicyCommandCode(CC = TPM2_CC_UndefineSpaceSpecial) (SHA256 NameAlg and Policy)
          • Size of exactly 70 bytes
          • NameAlg = SHA256
          • Also, it must have been initialized and locked (TPMA_NV_WRITTEN = 1, TPMA_NV_WRITELOCKED = 1) at time of OS launch.
          PS index data DataRevocationCounters, SINITMinVersion, and PolicyControl must all be 0x00 | +|AUX Policy|The required AUX policy must be as follows:
          • A = TPM2_PolicyLocality (Locality 3 & Locality 4)
          • B = TPM2_PolicyCommandCode (TPM_CC_NV_UndefineSpecial)
          • authPolicy = \{A} OR {{A} AND \{B}}
          • authPolicy digest = 0xef, 0x9a, 0x26, 0xfc, 0x22, 0xd1, 0xae, 0x8c, 0xec, 0xff, 0x59, 0xe9, 0x48, 0x1a, 0xc1, 0xec, 0x53, 0x3d, 0xbe, 0x22, 0x8b, 0xec, 0x6d, 0x17, 0x93, 0x0f, 0x4c, 0xb2, 0xcc, 0x5b, 0x97, 0x24
          | +|TPM NV Index|Platform firmware must set up a TPM NV index for use by the OS with:
          • Handle: 0x01C101C0
          • Attributes:
            • TPMA_NV_POLICYWRITE
            • TPMA_NV_PPREAD
            • TPMA_NV_OWNERREAD
            • TPMA_NV_AUTHREAD
            • TPMA_NV_POLICYREAD
            • TPMA_NV_NO_DA
            • TPMA_NV_PLATFORMCREATE
            • TPMA_NV_POLICY_DELETE
          • A policy of:
            • A = TPM2_PolicyAuthorize(MSFT_DRTM_AUTH_BLOB_SigningKey)
            • B = TPM2_PolicyCommandCode(TPM_CC_NV_UndefineSpaceSpecial)
            • authPolicy = \{A} OR {{A} AND \{B}}
            • Digest value of 0xcb, 0x45, 0xc8, 0x1f, 0xf3, 0x4b, 0xcf, 0x0a, 0xfb, 0x9e, 0x1a, 0x80, 0x29, 0xfa, 0x23, 0x1c, 0x87, 0x27, 0x30, 0x3c, 0x09, 0x22, 0xdc, 0xce, 0x68, 0x4b, 0xe3, 0xdb, 0x81, 0x7c, 0x20, 0xe1
          | +|Platform firmware|Platform firmware must carry all code required to execute an Intel® Trusted Execution Technology secure launch:
          • Intel® SINIT ACM must be carried in the OEM BIOS
          • Platforms must ship with a production ACM signed by the correct production Intel® ACM signer for the platform
          | +|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. | + +|For AMD® processors starting with Zen2 or later silicon|Description| +|--------|-----------| +|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more information about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more information about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| +|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0 OR Microsoft Pluton TPM.| +|Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).| +|SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData, EfiRuntimeServicesCode, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. | +|SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory).
          Must NOT contain any mappings to code sections within EfiRuntimeServicesCode.
          Must NOT have execute and write permissions for the same page
          BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. | +|Modern/Connected Standby|Platforms must support Modern/Connected Standby.| +|TPM NV Index|Platform firmware must set up a TPM NV index for use by the OS with:
          • Handle: 0x01C101C0
          • Attributes:
            • TPMA_NV_POLICYWRITE
            • TPMA_NV_PPREAD
            • TPMA_NV_OWNERREAD
            • TPMA_NV_AUTHREAD
            • TPMA_NV_POLICYREAD
            • TPMA_NV_NO_DA
            • TPMA_NV_PLATFORMCREATE
            • TPMA_NV_POLICY_DELETE
          • A policy of:
            • A = TPM2_PolicyAuthorize(MSFT_DRTM_AUTH_BLOB_SigningKey)
            • B = TPM2_PolicyCommandCode(TPM_CC_NV_UndefineSpaceSpecial)
            • authPolicy = \{A} OR {{A} AND \{B}}
            • Digest value of 0xcb, 0x45, 0xc8, 0x1f, 0xf3, 0x4b, 0xcf, 0x0a, 0xfb, 0x9e, 0x1a, 0x80, 0x29, 0xfa, 0x23, 0x1c, 0x87, 0x27, 0x30, 0x3c, 0x09, 0x22, 0xdc, 0xce, 0x68, 0x4b, 0xe3, 0xdb, 0x81, 0x7c, 0x20, 0xe1
          | +|Platform firmware|Platform firmware must carry all code required to execute Secure Launch:
          • AMD® Secure Launch platforms must ship with AMD® DRTM driver devnode exposed and the AMD® DRTM driver installed

          Platform must have AMD® Secure Processor Firmware Anti-Rollback protection enabled
          Platform must have AMD® Memory Guard enabled.| +|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. | + +|For Qualcomm® processors with SD850 or later chipsets|Description| +|--------|-----------| +|Monitor Mode Communication|All Monitor Mode communication buffers must be implemented in either EfiRuntimeServicesData (recommended), data sections of EfiRuntimeServicesCode as described by the Memory Attributes Table, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types| +|Monitor Mode Page Tables|All Monitor Mode page tables must:
          • NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory)
          • They must NOT have execute and write permissions for the same page
          • Platforms must only allow Monitor Mode pages marked as executable
          • The memory map must report Monitor Mode as EfiReservedMemoryType
          • Platforms must provide mechanism to protect the Monitor Mode page tables from modification
          | +|Modern/Connected Standby|Platforms must support Modern/Connected Standby.| +|Platform firmware|Platform firmware must carry all code required to launch.| +|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. | diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md index 5c9e29a065..e3cc007d51 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md 
@@ -72,43 +72,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic ![Verifying Secure Launch is running in the Windows Security app.](images/secure-launch-msinfo.png) > [!NOTE] -> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs). - -## System requirements for System Guard - -|For Intel® vPro™ processors starting with Intel® Coffeelake, Whiskeylake, or later silicon|Description| -|--------|-----------| -|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more information about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more information about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| -|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs aren't supported, except Intel chips that support Platform Trust Technology (PTT), which is a type of integrated hardware TPM that meets the TPM 2.0 spec.| -|Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).| -|SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData, EfiRuntimeServicesCode, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. 
| -|SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory).
          Must NOT contain any mappings to code sections within EfiRuntimeServicesCode.
          Must NOT have execute and write permissions for the same page
          Must allow ONLY that TSEG pages can be marked executable and the memory map must report TSEG EfiReservedMemoryType.
          BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. | -|Modern/Connected Standby|Platforms must support Modern/Connected Standby.| -|TPM AUX Index|Platform must set up a AUX index with index, attributes, and policy that exactly corresponds to the AUX index specified in the TXT DG with a data size of exactly 104 bytes (for SHA256 AUX data). (NameAlg = SHA256)
          Platforms must set up a PS (Platform Supplier) index with:
          • Exactly the "TXT PS2" style Attributes on creation as follows:
            • AuthWrite
            • PolicyDelete
            • WriteLocked
            • WriteDefine
            • AuthRead
            • WriteDefine
            • NoDa
            • Written
            • PlatformCreate
          • A policy of exactly PolicyCommandCode(CC = TPM2_CC_UndefineSpaceSpecial) (SHA256 NameAlg and Policy)
          • Size of exactly 70 bytes
          • NameAlg = SHA256
          • Also, it must have been initialized and locked (TPMA_NV_WRITTEN = 1, TPMA_NV_WRITELOCKED = 1) at time of OS launch.
          PS index data DataRevocationCounters, SINITMinVersion, and PolicyControl must all be 0x00 | -|AUX Policy|The required AUX policy must be as follows:
          • A = TPM2_PolicyLocality (Locality 3 & Locality 4)
          • B = TPM2_PolicyCommandCode (TPM_CC_NV_UndefineSpecial)
          • authPolicy = \{A} OR {{A} AND \{B}}
          • authPolicy digest = 0xef, 0x9a, 0x26, 0xfc, 0x22, 0xd1, 0xae, 0x8c, 0xec, 0xff, 0x59, 0xe9, 0x48, 0x1a, 0xc1, 0xec, 0x53, 0x3d, 0xbe, 0x22, 0x8b, 0xec, 0x6d, 0x17, 0x93, 0x0f, 0x4c, 0xb2, 0xcc, 0x5b, 0x97, 0x24
          | -|TPM NV Index|Platform firmware must set up a TPM NV index for use by the OS with:
          • Handle: 0x01C101C0
          • Attributes:
            • TPMA_NV_POLICYWRITE
            • TPMA_NV_PPREAD
            • TPMA_NV_OWNERREAD
            • TPMA_NV_AUTHREAD
            • TPMA_NV_POLICYREAD
            • TPMA_NV_NO_DA
            • TPMA_NV_PLATFORMCREATE
            • TPMA_NV_POLICY_DELETE
          • A policy of:
            • A = TPM2_PolicyAuthorize(MSFT_DRTM_AUTH_BLOB_SigningKey)
            • B = TPM2_PolicyCommandCode(TPM_CC_NV_UndefineSpaceSpecial)
            • authPolicy = \{A} OR {{A} AND \{B}}
            • Digest value of 0xcb, 0x45, 0xc8, 0x1f, 0xf3, 0x4b, 0xcf, 0x0a, 0xfb, 0x9e, 0x1a, 0x80, 0x29, 0xfa, 0x23, 0x1c, 0x87, 0x27, 0x30, 0x3c, 0x09, 0x22, 0xdc, 0xce, 0x68, 0x4b, 0xe3, 0xdb, 0x81, 0x7c, 0x20, 0xe1
          | -|Platform firmware|Platform firmware must carry all code required to execute an Intel® Trusted Execution Technology secure launch:
          • Intel® SINIT ACM must be carried in the OEM BIOS
          • Platforms must ship with a production ACM signed by the correct production Intel® ACM signer for the platform
          | -|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. | - -|For AMD® processors starting with Zen2 or later silicon|Description| -|--------|-----------| -|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more information about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more information about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| -|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0 OR Microsoft Pluton TPM.| -|Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).| -|SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData, EfiRuntimeServicesCode, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. | -|SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory).
          Must NOT contain any mappings to code sections within EfiRuntimeServicesCode.
          Must NOT have execute and write permissions for the same page
          BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. | -|Modern/Connected Standby|Platforms must support Modern/Connected Standby.| -|TPM NV Index|Platform firmware must set up a TPM NV index for use by the OS with:
          • Handle: 0x01C101C0
          • Attributes:
            • TPMA_NV_POLICYWRITE
            • TPMA_NV_PPREAD
            • TPMA_NV_OWNERREAD
            • TPMA_NV_AUTHREAD
            • TPMA_NV_POLICYREAD
            • TPMA_NV_NO_DA
            • TPMA_NV_PLATFORMCREATE
            • TPMA_NV_POLICY_DELETE
          • A policy of:
            • A = TPM2_PolicyAuthorize(MSFT_DRTM_AUTH_BLOB_SigningKey)
            • B = TPM2_PolicyCommandCode(TPM_CC_NV_UndefineSpaceSpecial)
            • authPolicy = \{A} OR {{A} AND \{B}}
            • Digest value of 0xcb, 0x45, 0xc8, 0x1f, 0xf3, 0x4b, 0xcf, 0x0a, 0xfb, 0x9e, 0x1a, 0x80, 0x29, 0xfa, 0x23, 0x1c, 0x87, 0x27, 0x30, 0x3c, 0x09, 0x22, 0xdc, 0xce, 0x68, 0x4b, 0xe3, 0xdb, 0x81, 0x7c, 0x20, 0xe1
          | -|Platform firmware|Platform firmware must carry all code required to execute Secure Launch:
          • AMD® Secure Launch platforms must ship with AMD® DRTM driver devnode exposed and the AMD® DRTM driver installed

          Platform must have AMD® Secure Processor Firmware Anti-Rollback protection enabled
          Platform must have AMD® Memory Guard enabled.| -|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. | - -|For Qualcomm® processors with SD850 or later chipsets|Description| -|--------|-----------| -|Monitor Mode Communication|All Monitor Mode communication buffers must be implemented in either EfiRuntimeServicesData (recommended), data sections of EfiRuntimeServicesCode as described by the Memory Attributes Table, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types| -|Monitor Mode Page Tables|All Monitor Mode page tables must:
          • NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory)
          • They must NOT have execute and write permissions for the same page
          • Platforms must only allow Monitor Mode pages marked as executable
          • The memory map must report Monitor Mode as EfiReservedMemoryType
          • Platforms must provide mechanism to protect the Monitor Mode page tables from modification
          | -|Modern/Connected Standby|Platforms must support Modern/Connected Standby.| -|Platform firmware|Platform firmware must carry all code required to launch.| -|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. | +> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](../windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md), [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs). > [!NOTE] > For more information around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/). diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md index e42fab8ddb..5325926107 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md 
@@ -28,13 +28,8 @@ Windows Sandbox has the following properties: - **Secure**: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host. - **Efficient:** Uses the integrated kernel scheduler, smart memory management, and virtual GPU. - > [!IMPORTANT] - > Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file#networking). - -The following video provides an overview of Windows Sandbox. - -> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4rFAo] - +> [!IMPORTANT] +> Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file#networking). ## Prerequisites diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json index 0c42863822..19bd51f371 100644 --- a/windows/whats-new/docfx.json +++ b/windows/whats-new/docfx.json @@ -21,6 +21,7 @@ "files": [ "**/**/*.png", "**/**/*.jpg", + "**/*.svg", "**/**/*.gif" ], "exclude": [ diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index 84525fe130..bbf3ef592b 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md 
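Review bot: moving the IMPORTANT alert out from under the bullet list and dropping the video embed is fine, but the alert now sits directly beneath the "Secure" bullet that promises hypervisor-based kernel isolation, and nothing tells the reader that the default network connection is outside that isolation. Suggest one sentence in the alert making that explicit (for example, that a networked sandbox can reach the same networks as the host, which is why the networking setting in the .wsb configuration file the link already points to exists), and consider "enables networking by default" rather than "enables network connection" to match the `#networking` anchor.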
@@ -103,29 +103,31 @@ If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint ana ## Prepare a pilot deployment -A pilot deployment is a proof of concept that rolls out an upgrade to a select number of devices in production, before deploying it broadly across the organization. +A pilot deployment is a proof of concept that rolls out an upgrade to a select number of devices in production, before deploying it broadly across the organization. -At a high level, the tasks involved are: +At a high level, the tasks involved are: -1. Assign a group of users or devices to receive the upgrade. -2. Implement baseline updates. -3. Implement operational updates. -4. Validate the deployment process. -5. Deploy the upgrade to devices. -6. Test and support the pilot devices. -7. Determine broad deployment readiness based on the results of the pilot. +1. Assign a group of users or devices to receive the upgrade. +2. Implement baseline updates. +3. Implement operational updates. +4. Validate the deployment process. +5. Deploy the upgrade to devices. +6. Test and support the pilot devices. +7. Determine broad deployment readiness based on the results of the pilot. ## User readiness -Don't overlook the importance of user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They'll also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows 11: -- Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they'll see the changes. -- Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options. 
-- Update help desk manuals with screenshots of the new user interface, the out-of-box experience for new devices, and the upgrade experience for existing devices. +Don't overlook the importance of user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They'll also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows 11: + +- Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they'll see the changes. +- Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options. +- Update help desk manuals with screenshots of the new user interface, the out-of-box experience for new devices, and the upgrade experience for existing devices. ## Learn more -See the [Stay current with Windows 10 and Microsoft 365 Apps](/learn/paths/m365-stay-current/) learning path on Microsoft Learn. -- The learning path was created for Windows 10, but the basic principles and tasks outlined for the plan, prepare, and deploy phases also apply to your deployment of Windows 11. +See the [Stay current with Windows 10 and Microsoft 365 Apps](/learn/paths/m365-stay-current/) learning path. + +- The learning path was created for Windows 10, but the basic principles and tasks outlined for the plan, prepare, and deploy phases also apply to your deployment of Windows 11. ## See also
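Review bot: this hunk is almost entirely trailing-whitespace removal and blank lines added before the two lists, which is fine, but while the "User readiness" sentence is being touched, fix "prepare users and your IT support staff Windows 11", which is missing "for" before "Windows 11" in both the old and new lines. Separately, the "Learn more" paragraph drops "on Microsoft Learn"; that reads fine with the relative `/learn/paths/m365-stay-current/` link, but if the whitespace-only edits were not the intent of the PR, consider splitting them out so the substantive wording changes are reviewable on their own.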