diff --git a/.openpublishing.redirection.windows-deployment.json b/.openpublishing.redirection.windows-deployment.json
index 291aac7fbf..b8c2f94fae 100644
--- a/.openpublishing.redirection.windows-deployment.json
+++ b/.openpublishing.redirection.windows-deployment.json
@@ -1104,6 +1104,11 @@
"source_path": "windows/deployment/windows-10-deployment-tools-reference.md",
"redirect_url": "/windows/deployment/windows-deployment-scenarios-and-tools",
"redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md",
+ "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device",
+ "redirect_document_id": true
}
]
}
diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md
index 5d4c8be0cb..0bfa6d278a 100644
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
@@ -2,6 +2,14 @@
+## Week of July 31, 2023
+
+
+| Published On |Topic title | Change |
+|------|------------|--------|
+| 8/3/2023 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
+
+
## Week of July 24, 2023
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index df025d2857..0ef3e1439d 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -2,7 +2,7 @@
title: Windows 11 SE Overview
description: Learn about Windows 11 SE, and the apps that are included with the operating system.
ms.topic: overview
-ms.date: 07/25/2023
+ms.date: 08/03/2023
appliesto:
- ✅ Windows 11 SE
ms.collection:
@@ -35,11 +35,11 @@ The following table lists the different application types available in Windows o
| --- | --- | :---: | ---|
|Progressive Web Apps (PWAs) | PWAs are web-based applications that can run in a browser and that can be installed as standalone apps. |✅|PWAs are enabled by default in Windows 11 SE.|
| Web apps | Web apps are web-based applications that run in a browser. | ✅ | Web apps are enabled by default in Windows 11 SE. |
-|Win32| Win32 applications are Windows classic applications that may require installation |⛔| If users try to install or execute Win32 applications that haven't been allowed to run, they'll fail.|
-|Universal Windows Platform (UWP)/Store apps |UWP apps are commonly obtained from the Microsoft Store and may require installation |⛔|If users try to install or execute UWP applications that haven't been allowed to run, they'll fail.|
+|`Win32`| `Win32` applications are Windows classic applications that may require installation |⛔| If users try to install or execute `Win32` applications that haven't been allowed to run, they fail.|
+|Universal Windows Platform (UWP)/Store apps |UWP apps are commonly obtained from the Microsoft Store and may require installation |⛔|If users try to install or execute UWP applications that haven't been allowed to run, they fail.|
> [!IMPORTANT]
-> If there are specific Win32 or UWP applications that you want to allow, work with Microsoft to get them enabled. For more information, see [Add your own applications](#add-your-own-applications).
+> If there are specific `Win32` or UWP applications that you want to allow, work with Microsoft to get them enabled. For more information, see [Add your own applications](#add-your-own-applications).
## Applications included in Windows 11 SE
@@ -50,10 +50,10 @@ The following table lists all the applications included in Windows 11 SE and the
| Alarm & Clock | UWP | | |
| Calculator | UWP | ✅ | |
| Camera | UWP | ✅ | |
-| Microsoft Edge | Win32 | ✅ | ✅ |
-| Excel | Win32 | ✅ | |
+| Microsoft Edge | `Win32` | ✅ | ✅ |
+| Excel | `Win32` | ✅ | |
| Feedback Hub | UWP | | |
-| File Explorer | Win32 | | ✅ |
+| File Explorer | `Win32` | | ✅ |
| FlipGrid | PWA | | |
| Get Help | UWP | | |
| Media Player | UWP | ✅ | |
@@ -61,20 +61,20 @@ The following table lists all the applications included in Windows 11 SE and the
| Minecraft: Education Edition | UWP | | |
| Movies & TV | UWP | | |
| News | UWP | | |
-| Notepad | Win32 | | |
-| OneDrive | Win32 | | |
-| OneNote | Win32 | ✅ | |
+| Notepad | `Win32` | | |
+| OneDrive | `Win32` | | |
+| OneNote | `Win32` | ✅ | |
| Outlook | PWA | ✅ | |
-| Paint | Win32 | ✅ | |
+| Paint | `Win32` | ✅ | |
| Photos | UWP | | |
-| PowerPoint | Win32 | ✅ | |
+| PowerPoint | `Win32` | ✅ | |
| Settings | UWP | ✅ | |
| Snip & Sketch | UWP | | |
| Sticky Notes | UWP | | |
-| Teams | Win32 | ✅ | |
+| Teams | `Win32` | ✅ | |
| To Do | UWP | | |
| Whiteboard | UWP | ✅ | |
-| Word | Win32 | ✅ | |
+| Word | `Win32` | ✅ | |
## Available applications
@@ -82,98 +82,98 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| Application | Supported version | App Type | Vendor |
|-------------------------------------------|-------------------|----------|-------------------------------------------|
-| `3d builder` | 18.0.1931.0 | Win32 | `Microsoft` |
-| `Absolute Software Endpoint Agent` | 7.20.0.1 | Win32 | `Absolute Software Corporation` |
-| `AirSecure` | 8.0.0 | Win32 | `AIR` |
-| `Alertus Desktop` | 5.4.48.0 | Win32 | `Alertus technologies` |
-| `Brave Browser` | 106.0.5249.119 | Win32 | `Brave` |
+| `3d builder` | 18.0.1931.0 | `Win32` | `Microsoft` |
+| `Absolute Software Endpoint Agent` | 7.20.0.1 | `Win32` | `Absolute Software Corporation` |
+| `AirSecure` | 8.0.0 | `Win32` | `AIR` |
+| `Alertus Desktop` | 5.4.48.0 | `Win32` | `Alertus technologies` |
+| `Brave Browser` | 106.0.5249.119 | `Win32` | `Brave` |
| `Bulb Digital Portfolio` | 0.0.7.0 | `Store` | `Bulb` |
-| `CA Secure Browser` | 14.0.0 | Win32 | `Cambium Development` |
-| `Cisco Umbrella` | 3.0.110.0 | Win32 | `Cisco` |
-| `CKAuthenticator` | 3.6+ | Win32 | `ContentKeeper` |
-| `Class Policy` | 116.0.0 | Win32 | `Class Policy` |
-| `Classroom.cloud` | 1.40.0004 | Win32 | `NetSupport` |
+| `CA Secure Browser` | 14.0.0 | `Win32` | `Cambium Development` |
+| `Cisco Umbrella` | 3.0.110.0 | `Win32` | `Cisco` |
+| `CKAuthenticator` | 3.6+ | `Win32` | `ContentKeeper` |
+| `Class Policy` | 116.0.0 | `Win32` | `Class Policy` |
+| `Classroom.cloud` | 1.40.0004 | `Win32` | `NetSupport` |
| `Clipchamp` | 2.5.2. | `Store` | `Microsoft` |
-| `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` |
-| `ColorVeil` | 4.0.0.175 | Win32 | `East-Tec` |
-| `ContentKeeper Cloud` | 9.01.45 | Win32 | `ContentKeeper Technologies` |
-| `DigiExam` | 14.0.6 | Win32 | `Digiexam` |
-| `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` |
+| `CoGat Secure Browser` | 11.0.0.19 | `Win32` | `Riverside Insights` |
+| `ColorVeil` | 4.0.0.175 | `Win32` | `East-Tec` |
+| `ContentKeeper Cloud` | 9.01.45 | `Win32` | `ContentKeeper Technologies` |
+| `DigiExam` | 14.0.6 | `Win32` | `Digiexam` |
+| `Dragon Professional Individual` | 15.00.100 | `Win32` | `Nuance Communications` |
| `DRC INSIGHT Online Assessments` | 13.0.0.0 | `Store` | `Data recognition Corporation` |
-| `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` |
-| `Dyknow` | 7.9.13.7 | Win32 | `Dyknow` |
-| `e-Speaking Voice and Speech recognition` | 4.4.0.11 | Win32 | `e-speaking` |
-| `EasyReader` | 10.0.4.498 | Win32 | `Dolphin Computer Access` |
-| `Easysense 2` | 1.32.0001 | Win32 | `Data Harvest` |
-| `Epson iProjection` | 3.31 | Win32 | `Epson` |
-| `eTests` | 4.0.25 | Win32 | `CASAS` |
-| `Exam Writepad` | 22.10.14.1834 | Win32 | `Sheldnet` |
-| `FirstVoices Keyboard` | 15.0.270 | Win32 | `SIL International` |
-| `FortiClient` | 7.2.0.4034+ | Win32 | `Fortinet` |
-| `Free NaturalReader` | 16.1.2 | Win32 | `Natural Soft` |
-| `Ghotit Real Writer & Reader` | 10.14.2.3 | Win32 | `Ghotit Ltd` |
-| `GoGuardian` | 1.4.4 | Win32 | `GoGuardian` |
-| `Google Chrome` | 110.0.5481.178 | Win32 | `Google` |
-| `GuideConnect` | 1.24 | Win32 | `Dolphin Computer Access` |
-| `Illuminate Lockdown Browser` | 2.0.5 | Win32 | `Illuminate Education` |
-| `Immunet` | 7.5.8.21178 | Win32 | `Immunet` |
-| `Impero Backdrop Client` | 5.0.87 | Win32 | `Impero Software` |
-| `IMT Lazarus` | 2.86.0 | Win32 | `IMTLazarus` |
-| `Inspiration 10` | 10.11 | Win32 | `TechEdology Ltd` |
-| `JAWS for Windows` | 2022.2112.24 | Win32 | `Freedom Scientific` |
-| `Kite Student Portal` | 9.0.0.0 | Win32 | `Dynamic Learning Maps` |
-| `Keyman` | 16.0.138 | Win32 | `SIL International` |
+| `Duo from Cisco` | 3.0.0 | `Win32` | `Cisco` |
+| `Dyknow` | 7.9.13.7 | `Win32` | `Dyknow` |
+| `e-Speaking Voice and Speech recognition` | 4.4.0.11 | `Win32` | `e-speaking` |
+| `EasyReader` | 10.0.4.498 | `Win32` | `Dolphin Computer Access` |
+| `Easysense 2` | 1.32.0001 | `Win32` | `Data Harvest` |
+| `Epson iProjection` | 3.31 | `Win32` | `Epson` |
+| `eTests` | 4.0.25 | `Win32` | `CASAS` |
+| `Exam Writepad` | 22.10.14.1834 | `Win32` | `Sheldnet` |
+| `FirstVoices Keyboard` | 15.0.270 | `Win32` | `SIL International` |
+| `FortiClient` | 7.2.0.4034+ | `Win32` | `Fortinet` |
+| `Free NaturalReader` | 16.1.2 | `Win32` | `Natural Soft` |
+| `Ghotit Real Writer & Reader` | 10.14.2.3 | `Win32` | `Ghotit Ltd` |
+| `GoGuardian` | 1.4.4 | `Win32` | `GoGuardian` |
+| `Google Chrome` | 110.0.5481.178 | `Win32` | `Google` |
+| `GuideConnect` | 1.24 | `Win32` | `Dolphin Computer Access` |
+| `Illuminate Lockdown Browser` | 2.0.5 | `Win32` | `Illuminate Education` |
+| `Immunet` | 7.5.8.21178 | `Win32` | `Immunet` |
+| `Impero Backdrop Client` | 5.0.87 | `Win32` | `Impero Software` |
+| `IMT Lazarus` | 2.86.0 | `Win32` | `IMTLazarus` |
+| `Inspiration 10` | 10.11 | `Win32` | `TechEdology Ltd` |
+| `JAWS for Windows` | 2022.2112.24 | `Win32` | `Freedom Scientific` |
+| `Kite Student Portal` | 9.0.0.0 | `Win32` | `Dynamic Learning Maps` |
+| `Keyman` | 16.0.138 | `Win32` | `SIL International` |
| `Kortext` | 2.3.433.0 | `Store` | `Kortext` |
-| `Kurzweil 3000 Assistive Learning` | 20.13.0000 | Win32 | `Kurzweil Educational Systems` |
-| `LanSchool Classic` | 9.1.0.46 | Win32 | `Stoneware, Inc.` |
-| `LanSchool Air` | 2.0.13312 | Win32 | `Stoneware, Inc.` |
-| `Lightspeed Smart Agent` | 1.9.1 | Win32 | `Lightspeed Systems` |
-| `Lightspeed Filter Agent` | 2.3.4 | Win32 | `Lightspeed Systems` |
+| `Kurzweil 3000 Assistive Learning` | 20.13.0000 | `Win32` | `Kurzweil Educational Systems` |
+| `LanSchool Classic` | 9.1.0.46 | `Win32` | `Stoneware, Inc.` |
+| `LanSchool Air` | 2.0.13312 | `Win32` | `Stoneware, Inc.` |
+| `Lightspeed Smart Agent` | 1.9.1 | `Win32` | `Lightspeed Systems` |
+| `Lightspeed Filter Agent` | 2.3.4 | `Win32` | `Lightspeed Systems` |
| `MetaMoJi ClassRoom` | 3.12.4.0 | `Store` | `MetaMoJi Corporation` |
| `Microsoft Connect` | 10.0.22000.1 | `Store` | `Microsoft` |
-| `Mozilla Firefox` | 105.0.0 | Win32 | `Mozilla` |
+| `Mozilla Firefox` | 105.0.0 | `Win32` | `Mozilla` |
| `Mobile Plans` | 5.1911.3171.0 | `Store` | `Microsoft Corporation` |
-| `NAPLAN` | 5.2.2 | Win32 | `NAP` |
-| `Netref Student` | 23.1.0 | Win32 | `NetRef` |
-| `NetSupport Manager` | 12.01.0014 | Win32 | `NetSupport` |
-| `NetSupport Notify` | 5.10.1.215 | Win32 | `NetSupport` |
-| `NetSupport School` | 14.00.0012 | Win32 | `NetSupport` |
-| `NextUp Talker` | 1.0.49 | Win32 | `NextUp Technologies` |
-| `NonVisual Desktop Access` | 2021.3.1 | Win32 | `NV Access` |
-| `NWEA Secure Testing Browser` | 5.4.387.0 | Win32 | `NWEA` |
-| `PC Talker Neo` | 2209 | Win32 | `Kochi System Development` |
-| `PC Talker Neo Plus` | 2209 | Win32 | `Kochi System Development` |
-| `PaperCut` | 22.0.6 | Win32 | `PaperCut Software International Pty Ltd` |
+| `NAPLAN` | 5.2.2 | `Win32` | `NAP` |
+| `Netref Student` | 23.1.0 | `Win32` | `NetRef` |
+| `NetSupport Manager` | 12.01.0014 | `Win32` | `NetSupport` |
+| `NetSupport Notify` | 5.10.1.215 | `Win32` | `NetSupport` |
+| `NetSupport School` | 14.00.0012 | `Win32` | `NetSupport` |
+| `NextUp Talker` | 1.0.49 | `Win32` | `NextUp Technologies` |
+| `NonVisual Desktop Access` | 2021.3.1 | `Win32` | `NV Access` |
+| `NWEA Secure Testing Browser` | 5.4.387.0 | `Win32` | `NWEA` |
+| `PC Talker Neo` | 2209 | `Win32` | `Kochi System Development` |
+| `PC Talker Neo Plus` | 2209 | `Win32` | `Kochi System Development` |
+| `PaperCut` | 22.0.6 | `Win32` | `PaperCut Software International Pty Ltd` |
| `Pearson TestNav` | 1.11.3 | `Store` | `Pearson` |
| `Project Monarch Outlook` | 1.2022.2250001 | `Store` | `Microsoft` |
-| `Questar Secure Browser` | 5.0.1.456 | Win32 | `Questar, Inc` |
-| `ReadAndWriteForWindows` | 12.0.74 | Win32 | `Texthelp Ltd.` |
-| `Remote Desktop client (MSRDC)` | 1.2.4066.0 | Win32 | `Microsoft` |
-| `Remote Help` | 4.0.1.13 | Win32 | `Microsoft` |
-| `Respondus Lockdown Browser` | 2.0.9.03 | Win32 | `Respondus` |
-| `Safe Exam Browser` | 3.5.0.544 | Win32 | `Safe Exam Browser` |
-|`SchoolYear` | 3.4.21 | Win32 |`SchoolYear` |
-|`School Manager` | 3.6.8.1109 | Win32 |`School Manager` |
-| `Senso.Cloud` | 2021.11.15.0 | Win32 | `Senso.Cloud` |
-| `Skoolnext` | 2.19 | Win32 | `Skool.net` |
-| `Smoothwall Monitor` | 2.9.2 | Win32 | `Smoothwall Ltd` |
-| `SuperNova Magnifier & Screen Reader` | 22.02 | Win32 | `Dolphin Computer Access` |
-| `SuperNova Magnifier & Speech` | 21.03 | Win32 | `Dolphin Computer Access` |
-|`TX Secure Browser` | 15.0.0 | Win32 | `Cambium Development` |
-| `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` |
-| `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` |
-| `WordQ` | 5.4.29 | Win32 | `WordQ` |
-| `Zoom` | 5.12.8 (10232) | Win32 | `Zoom` |
-| `ZoomText Fusion` | 2023.2303.77.400 | Win32 | `Freedom Scientific` |
-| `ZoomText Magnifier/Reader` | 2023.2303.33.400 | Win32 | `Freedom Scientific` |
+| `Questar Secure Browser` | 5.0.1.456 | `Win32` | `Questar, Inc` |
+| `ReadAndWriteForWindows` | 12.0.74 | `Win32` | `Texthelp Ltd.` |
+| `Remote Desktop client (MSRDC)` | 1.2.4066.0 | `Win32` | `Microsoft` |
+| `Remote Help` | 4.0.1.13 | `Win32` | `Microsoft` |
+| `Respondus Lockdown Browser` | 2.0.9.03 | `Win32` | `Respondus` |
+| `Safe Exam Browser` | 3.5.0.544 | `Win32` | `Safe Exam Browser` |
+|`SchoolYear` | 3.4.21 | `Win32` |`SchoolYear` |
+|`School Manager` | 3.6.8.1109 | `Win32` |`School Manager` |
+| `Senso.Cloud` | 2021.11.15.0 | `Win32` | `Senso.Cloud` |
+| `Skoolnext` | 2.19 | `Win32` | `Skool.net` |
+| `Smoothwall Monitor` | 2.9.2 | `Win32` | `Smoothwall Ltd` |
+| `SuperNova Magnifier & Screen Reader` | 22.02 | `Win32` | `Dolphin Computer Access` |
+| `SuperNova Magnifier & Speech` | 21.03 | `Win32` | `Dolphin Computer Access` |
+|`TX Secure Browser` | 15.0.0 | `Win32` | `Cambium Development` |
+| `VitalSourceBookShelf` | 10.2.26.0 | `Win32` | `VitalSource Technologies Inc` |
+| `Winbird` | 19 | `Win32` | `Winbird Co., Ltd.` |
+| `WordQ` | 5.4.29 | `Win32` | `WordQ` |
+| `Zoom` | 5.12.8 (10232) | `Win32` | `Zoom` |
+| `ZoomText Fusion` | 2023.2303.77.400 | `Win32` | `Freedom Scientific` |
+| `ZoomText Magnifier/Reader` | 2023.2303.33.400 | `Win32` | `Freedom Scientific` |
## Add your own applications
-If the applications you need aren't in the [available applications list](#available-applications), then you can submit an application request at [aka.ms/eduapprequest](https://aka.ms/eduapprequest). Anyone from a school district can submit the request. In the form, sign in with your school account, such as `user@contoso.edu`. We'll update you using this email account.
+If the applications you need aren't in the [available applications list](#available-applications), you can submit an application request at [aka.ms/eduapprequest](https://aka.ms/eduapprequest). Anyone from a school district can submit the request. In the form, sign in with your school account, such as `user@contoso.edu`. We'll update you using this email account.
Microsoft reviews every app request to make sure each app meets the following requirements:
-- Apps can be any native Windows app type, such as a Microsoft Store app, Win32 app, `.MSIX`, `.APPX`, and more
+- Apps can be any native Windows app type, such as a Microsoft Store app, `Win32` app, `.MSIX`, `.APPX`, and more
- Apps must be in one of the following app categories:
- Content Filtering apps
- Test Taking solutions
diff --git a/includes/licensing/_edition-requirements.md b/includes/licensing/_edition-requirements.md
index 517cf27df5..b7a06b9836 100644
--- a/includes/licensing/_edition-requirements.md
+++ b/includes/licensing/_edition-requirements.md
@@ -44,11 +44,11 @@ ms.topic: include
|**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|Yes|Yes|Yes|Yes|
|**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes|
|**[Microsoft Pluton](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|
-|**Microsoft Security Development Lifecycle (SDL)**|Yes|Yes|Yes|Yes|
+|**[Microsoft Security Development Lifecycle (SDL)](/windows/security/security-foundations/msft-security-dev-lifecycle)**|Yes|Yes|Yes|Yes|
|**[Microsoft vulnerable driver blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|
|**[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)**|Yes|Yes|Yes|Yes|
|**[Modern device management through (MDM)](/windows/client-management/mdm-overview)**|Yes|Yes|Yes|Yes|
-|**OneFuzz service**|Yes|Yes|Yes|Yes|
+|**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|
|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|
|**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|❌|Yes|
|**Privacy Resource Usage**|Yes|Yes|Yes|Yes|
diff --git a/includes/licensing/_licensing-requirements.md b/includes/licensing/_licensing-requirements.md
index 305a28bba1..0021be3c39 100644
--- a/includes/licensing/_licensing-requirements.md
+++ b/includes/licensing/_licensing-requirements.md
@@ -44,11 +44,11 @@ ms.topic: include
|**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|❌|❌|Yes|❌|Yes|
|**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft Pluton](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|Yes|
-|**Microsoft Security Development Lifecycle (SDL)**|Yes|Yes|Yes|Yes|Yes|
+|**[Microsoft Security Development Lifecycle (SDL)](/windows/security/security-foundations/msft-security-dev-lifecycle)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft vulnerable driver blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)**|Yes|Yes|Yes|Yes|Yes|
|**[Modern device management through (MDM)](/windows/client-management/mdm-overview)**|Yes|Yes|Yes|Yes|Yes|
-|**OneFuzz service**|Yes|Yes|Yes|Yes|Yes|
+|**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|Yes|
|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|Yes|
|**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|Yes|Yes|Yes|
|**Privacy Resource Usage**|Yes|Yes|Yes|Yes|Yes|
diff --git a/includes/licensing/federated-sign-in.md b/includes/licensing/federated-sign-in.md
index 6050205a6c..0d01c1968f 100644
--- a/includes/licensing/federated-sign-in.md
+++ b/includes/licensing/federated-sign-in.md
@@ -15,8 +15,8 @@ The following table lists the Windows editions that support Federated sign-in:
Federated sign-in license entitlements are granted by the following licenses:
-|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|Windows Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
-|No|No|No|Yes|Yes|
+|Yes|No|No|Yes|Yes|
For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md
index e54211075c..30bd681931 100644
--- a/windows/application-management/apps-in-windows-10.md
+++ b/windows/application-management/apps-in-windows-10.md
@@ -45,14 +45,15 @@ There are different types of apps that can run on your Windows client devices. T
- **Windows Presentation Foundation (WPF)**: Using .NET, you can create a WPF desktop app that runs on the device, or create a WPF web app. This app is commonly used by organizations that create line of business (LOB) desktop apps. For more information, see [WPF Application Development](/dotnet/desktop/wpf/app-development).
- **Windows Forms (WinForm)**: Using .NET, you can create a Windows Forms desktop app that runs on the device, and doesn't require a web browser or internet access. Just like Win32 apps, WinForm apps can access the local hardware and file system of the computer where the app is running. For more information, see [Desktop Guide (Windows Forms .NET)](/dotnet/desktop/winforms/overview).
-- **Windows apps**:
+- **Windows apps**:
> [!TIP]
> Starting with Windows 10, you can use the **Windows UI Library (WinUI 3)** to create .NET, Win32 desktop, and UWP apps. This library includes native Windows UI controls and other user interface elements familiar to Windows users. For more information, see [Windows UI Library (WinUI)](/windows/apps/winui/).
- **Apps**: All apps installed in `C:\Program Files\WindowsApps`. There are two classes of apps:
- - **Provisioned**: Installed in user account the first time you sign in with a new user account. For a list of some common provisioned apps, see [Provisioned apps installed with the Windows client OS](provisioned-apps-windows-client-os.md).
+ - **Provisioned**: Installed in user account the first time you sign in with a new user account. To get a list of all the provisioned apps, use Windows PowerShell: `Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName` The output lists all the provisioned apps, and their package names. For more information, see [Get-AppxProvisionedPackage](/powershell/module/dism/get-appxprovisionedpackage).
+
- **Installed**: Installed as part of the OS.
- **Universal Windows Platform (UWP) apps**: These apps run and can be installed on many Windows platforms, including tablets, Microsoft HoloLens, Xbox, and more. All UWP apps are Windows apps. Not all Windows apps are UWP apps.
@@ -63,7 +64,7 @@ There are different types of apps that can run on your Windows client devices. T
For more information, see [Get started developing apps for Windows desktop](/windows/apps/get-started) and [Make your apps great on Windows 11](/windows/apps/get-started/make-apps-great-for-windows).
- - **System apps**: Apps installed in the `C:\Windows\` directory. These apps are part of the Windows OS. For a list of some common system apps, see [System apps installed with the Windows client OS](system-apps-windows-client-os.md).
+ - **System apps**: Apps installed in the `C:\Windows\` directory. These apps are part of the Windows OS. To get a list of all the system apps, use Windows PowerShell: `Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation` The output lists all the system apps, and their installation location. For more information, see [Get-AppxPackage](/powershell/module/appx/get-appxpackage).
- **Web apps** and **Progressive web apps (PWA)**: These apps run on a server, and don't run on the end user device. To use these apps, users must use a web browser and have internet access. **Progressive web apps** are designed to work for all users, work with any browser, and work on any platform.
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index 47a17a6165..b17f2fc049 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the Defender CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 07/06/2023
+ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -34,7 +34,9 @@ The following list shows the Defender configuration service provider nodes:
- [ASROnlyPerRuleExclusions](#configurationasronlyperruleexclusions)
- [DataDuplicationDirectory](#configurationdataduplicationdirectory)
- [DataDuplicationLocalRetentionPeriod](#configurationdataduplicationlocalretentionperiod)
+ - [DataDuplicationMaximumQuota](#configurationdataduplicationmaximumquota)
- [DataDuplicationRemoteLocation](#configurationdataduplicationremotelocation)
+ - [DaysUntilAggressiveCatchupQuickScan](#configurationdaysuntilaggressivecatchupquickscan)
- [DefaultEnforcement](#configurationdefaultenforcement)
- [DeviceControl](#configurationdevicecontrol)
- [PolicyGroups](#configurationdevicecontrolpolicygroups)
@@ -44,6 +46,7 @@ The following list shows the Defender configuration service provider nodes:
- [{RuleId}](#configurationdevicecontrolpolicyrulesruleid)
- [RuleData](#configurationdevicecontrolpolicyrulesruleidruledata)
- [DeviceControlEnabled](#configurationdevicecontrolenabled)
+ - [DisableCacheMaintenance](#configurationdisablecachemaintenance)
- [DisableCpuThrottleOnIdleScans](#configurationdisablecputhrottleonidlescans)
- [DisableDatagramProcessing](#configurationdisabledatagramprocessing)
- [DisableDnsOverTcpParsing](#configurationdisablednsovertcpparsing)
@@ -58,20 +61,24 @@ The following list shows the Defender configuration service provider nodes:
- [DisableSmtpParsing](#configurationdisablesmtpparsing)
- [DisableSshParsing](#configurationdisablesshparsing)
- [DisableTlsParsing](#configurationdisabletlsparsing)
+ - [EnableConvertWarnToBlock](#configurationenableconvertwarntoblock)
- [EnableDnsSinkhole](#configurationenablednssinkhole)
- [EnableFileHashComputation](#configurationenablefilehashcomputation)
- [EngineUpdatesChannel](#configurationengineupdateschannel)
+ - [ExcludedIpAddresses](#configurationexcludedipaddresses)
- [HideExclusionsFromLocalAdmins](#configurationhideexclusionsfromlocaladmins)
- [HideExclusionsFromLocalUsers](#configurationhideexclusionsfromlocalusers)
- [IntelTDTEnabled](#configurationinteltdtenabled)
- [MeteredConnectionUpdates](#configurationmeteredconnectionupdates)
- [OobeEnableRtpAndSigUpdate](#configurationoobeenablertpandsigupdate)
- [PassiveRemediation](#configurationpassiveremediation)
+ - [PerformanceModeStatus](#configurationperformancemodestatus)
- [PlatformUpdatesChannel](#configurationplatformupdateschannel)
- [RandomizeScheduleTaskTimes](#configurationrandomizescheduletasktimes)
- [ScanOnlyIfIdleEnabled](#configurationscanonlyifidleenabled)
- [SchedulerRandomizationTime](#configurationschedulerrandomizationtime)
- [SecuredDevicesConfiguration](#configurationsecureddevicesconfiguration)
+ - [SecurityIntelligenceLocationUpdateAtScheduledTimeOnly](#configurationsecurityintelligencelocationupdateatscheduledtimeonly)
- [SecurityIntelligenceUpdatesChannel](#configurationsecurityintelligenceupdateschannel)
- [SupportLogLocation](#configurationsupportloglocation)
- [TamperProtection](#configurationtamperprotection)
@@ -306,7 +313,7 @@ This settings controls whether Network Protection is allowed to be configured in
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
@@ -468,6 +475,45 @@ Define the retention period in days of how much time the evidence data will be k
+
+### Configuration/DataDuplicationMaximumQuota
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1809 [10.0.17763] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DataDuplicationMaximumQuota
+```
+
+
+
+
+Defines the maximum data duplication quota in MB that can be collected. When the quota is reached the filter will stop duplicating any data until the service manages to dispatch the existing collected data, thus decreasing the quota again below the maximum.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
### Configuration/DataDuplicationRemoteLocation
@@ -507,6 +553,47 @@ Define data duplication remote location for device control.
+
+### Configuration/DaysUntilAggressiveCatchupQuickScan
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DaysUntilAggressiveCatchupQuickScan
+```
+
+
+
+
+Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If set to 0, aggressive quick scans will be disabled. By default, the value is set to 25 days.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0,7-60]` |
+| Default Value | 25 |
+
+
+
+
+
+
+
+
### Configuration/DefaultEnforcement
@@ -873,6 +960,45 @@ Control Device Control feature.
+
+### Configuration/DisableCacheMaintenance
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1809 [10.0.17763] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DisableCacheMaintenance
+```
+
+
+
+
+Defines whether the cache maintenance idle task will perform the cache maintenance or not.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
### Configuration/DisableCpuThrottleOnIdleScans
@@ -928,7 +1054,7 @@ Indicates whether the CPU will be throttled for scheduled scans while the device
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
@@ -1282,7 +1408,7 @@ This setting disables Inbound connection filtering for Network Protection.
-When this value is set to false, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings.
+When this value is set to no, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings.
@@ -1304,8 +1430,8 @@ When this value is set to false, it allows a local admin the ability to specify
| Value | Description |
|:--|:--|
-| 1 | Disable Local Admin Merge. |
-| 0 (Default) | Enable Local Admin Merge. |
+| 1 | Yes. |
+| 0 (Default) | No. |
@@ -1559,6 +1685,55 @@ This setting disables TLS Parsing for Network Protection.
+
+### Configuration/EnableConvertWarnToBlock
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/EnableConvertWarnToBlock
+```
+
+
+
+
+This setting controls whether network protection blocks network traffic instead of displaying a warning.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | Warn verdicts are converted to block. |
+| 0 (Default) | Warn verdicts aren't converted to block. |
+
+
+
+
+
+
+
+
### Configuration/EnableDnsSinkhole
@@ -1710,6 +1885,45 @@ Enable this policy to specify when devices receive Microsoft Defender engine upd
+
+### Configuration/ExcludedIpAddresses
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/ExcludedIpAddresses
+```
+
+
+
+
+Allows an administrator to explicitly disable network packet inspection made by wdnisdrv on a particular set of IP addresses.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
### Configuration/HideExclusionsFromLocalAdmins
@@ -2008,6 +2222,55 @@ Setting to control automatic remediation for Sense scans.
+
+### Configuration/PerformanceModeStatus
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/PerformanceModeStatus
+```
+
+
+
+
+This setting allows IT admins to configure performance mode in either enabled or disabled mode for managed devices.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Performance mode is enabled (default). A service restart is required after changing this value. |
+| 1 | Performance mode is disabled. A service restart is required after changing this value. |
+
+
+
+
+
+
+
+
### Configuration/PlatformUpdatesChannel
@@ -2101,7 +2364,7 @@ In Microsoft Defender Antivirus, randomize the start time of the scan to any int
| Value | Description |
|:--|:--|
| 1 (Default) | Widen or narrow the randomization period for scheduled scans. Specify a randomization window of between 1 and 23 hours by using the setting SchedulerRandomizationTime. |
-| 0 | Scheduled tasks will begin at a random time within 4 hours after the time specified in Task Scheduler. |
+| 0 | Scheduled tasks won't be randomized. |
@@ -2239,6 +2502,55 @@ Defines what are the devices primary ids that should be secured by Defender Devi
+
+### Configuration/SecurityIntelligenceLocationUpdateAtScheduledTimeOnly
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1903 [10.0.18362] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/SecurityIntelligenceLocationUpdateAtScheduledTimeOnly
+```
+
+
+
+
+This setting allows you to configure security intelligence updates according to the scheduler for VDI-configured computers. It's used together with the shared security intelligence location (SecurityIntelligenceLocation).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | If you enable this setting and configure SecurityIntelligenceLocation, updates from the configured location occur only at the previously configured scheduled update time. |
+| 0 (Default) | If you either disable or don't configure this setting, updates occur whenever a new security intelligence update is detected at the location that's specified by SecurityIntelligenceLocation. |
+
+
+
+
+
+
+
+
### Configuration/SecurityIntelligenceUpdatesChannel
diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md
index 4cbf11c824..00b7d76777 100644
--- a/windows/client-management/mdm/defender-ddf.md
+++ b/windows/client-management/mdm/defender-ddf.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 07/06/2023
+ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -1033,6 +1033,36 @@ The following XML file contains the device description framework (DDF) for the D
+
+ ExcludedIpAddresses
+
+
+
+
+
+
+
+ Allows an administrator to explicitly disable network packet inspection made by wdnisdrv on a particular set of IP addresses.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.3
+
+
+
+
+
AllowNetworkProtectionOnWinServer
@@ -1121,7 +1151,7 @@ The following XML file contains the device description framework (DDF) for the D
0
- When this value is set to false, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings
+ When this value is set to no, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings
@@ -1141,11 +1171,11 @@ The following XML file contains the device description framework (DDF) for the D
1
- Disable Local Admin Merge
+ Yes
0
- Enable Local Admin Merge
+ No
@@ -1827,7 +1857,7 @@ The following XML file contains the device description framework (DDF) for the D
- 10.0.14393
+ 10.0.16299
1.3
@@ -1842,6 +1872,45 @@ The following XML file contains the device description framework (DDF) for the D
+
+ EnableConvertWarnToBlock
+
+
+
+
+
+
+
+ 0
+ This setting controls whether network protection blocks network traffic instead of displaying a warning
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.16299
+ 1.3
+
+
+
+ 1
+ Warn verdicts are converted to block
+
+
+ 0
+ Warn verdicts are not converted to block
+
+
+
+
DisableNetworkProtectionPerfTelemetry
@@ -1998,6 +2067,84 @@ The following XML file contains the device description framework (DDF) for the D
+
+ PerformanceModeStatus
+
+
+
+
+
+
+
+ 0
+ This setting allows IT admins to configure performance mode in either enabled or disabled mode for managed devices.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22000
+ 1.3
+
+
+
+ 0
+ Performance mode is enabled (default). A service restart is required after changing this value.
+
+
+ 1
+ Performance mode is disabled. A service restart is required after changing this value.
+
+
+
+
+
+ SecurityIntelligenceLocationUpdateAtScheduledTimeOnly
+
+
+
+
+
+
+
+ 0
+ This setting allows you to configure security intelligence updates according to the scheduler for VDI-configured computers. It is used together with the shared security intelligence location (SecurityIntelligenceLocation).
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.18362
+ 1.3
+
+
+
+ 1
+ If you enable this setting and configure SecurityIntelligenceLocation, updates from the configured location occur only at the previously configured scheduled update time.
+
+
+ 0
+ If you either disable or do not configure this setting, updates occur whenever a new security intelligence update is detected at the location that is specified by SecurityIntelligenceLocation.
+
+
+
+
ThrottleForScheduledScanOnly
@@ -2037,6 +2184,38 @@ The following XML file contains the device description framework (DDF) for the D
+
+ DaysUntilAggressiveCatchupQuickScan
+
+
+
+
+
+
+
+ 25
+ Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If set to 0, aggressive quick scans will be disabled. By default, the value is set to 25 days.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.3
+
+
+ [0,7-60]
+
+
+
ASROnlyPerRuleExclusions
@@ -2157,6 +2336,36 @@ The following XML file contains the device description framework (DDF) for the D
+
+ DataDuplicationMaximumQuota
+
+
+
+
+
+
+
+ Defines the maximum data duplication quota in MB that can be collected. When the quota is reached the filter will stop duplicating any data until the service manages to dispatch the existing collected data, thus decreasing the quota again below the maximum.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.17763
+ 1.3
+
+
+
+
+
DataDuplicationLocalRetentionPeriod
@@ -2418,7 +2627,7 @@ The following XML file contains the device description framework (DDF) for the D
- 10.0.14393
+ 10.0.16299
1.3
@@ -2467,7 +2676,7 @@ The following XML file contains the device description framework (DDF) for the D
0
- Scheduled tasks will begin at a random time within 4 hours after the time specified in Task Scheduler.
+ Scheduled tasks will not be randomized.
@@ -2511,6 +2720,36 @@ The following XML file contains the device description framework (DDF) for the D
+
+ DisableCacheMaintenance
+
+
+
+
+
+
+
+ Defines whether the cache maintenance idle task will perform the cache maintenance or not.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.17763
+ 1.3
+
+
+
+
+
Scan
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md
index c89f214241..a5974a3137 100644
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the Firewall CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 05/15/2023
+ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -16,6 +16,8 @@ ms.topic: reference
# Firewall CSP
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network.
@@ -3061,7 +3063,7 @@ This value configures the security association idle time, in seconds. Security a
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -3100,7 +3102,7 @@ A list of rules controlling traffic through the Windows Firewall for Hyper-V con
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -3142,7 +3144,7 @@ Unique alpha numeric identifier for the rule. The rule name mustn't include a fo
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -3194,7 +3196,7 @@ Specifies the action the rule enforces:
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -3249,7 +3251,7 @@ If not specified the default is OUT.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -3299,7 +3301,7 @@ If not specified - a new rule is disabled by default.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -3351,7 +3353,7 @@ An IPv6 address range in the format of "start address - end address" with no spa
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -3391,7 +3393,7 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -3430,7 +3432,7 @@ Specifies the friendly name of the Hyper-V Firewall rule.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -3470,7 +3472,7 @@ This value represents the order of rule enforcement. A lower priority rule is ev
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
@@ -3520,7 +3522,7 @@ Specifies the profiles to which the rule belongs: Domain, Private, Public. See [
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -3560,7 +3562,7 @@ Specifies the profiles to which the rule belongs: Domain, Private, Public. See [
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -3610,7 +3612,7 @@ An IPv6 address range in the format of "start address - end address" with no spa
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -3650,7 +3652,7 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -3689,7 +3691,7 @@ Provides information about the specific version of the rule in deployment for mo
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -3729,7 +3731,7 @@ This field specifies the VM Creator ID that this rule is applicable to. A NULL G
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -3768,7 +3770,7 @@ Settings for the Windows Firewall for Hyper-V containers. Each setting applies o
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -3810,7 +3812,7 @@ VM Creator ID that these settings apply to. Valid format is a GUID.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
@@ -3859,7 +3861,7 @@ This value is used as an on/off switch. If this value is true, applicable host f
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -3909,7 +3911,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -3959,7 +3961,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
@@ -3997,7 +3999,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
@@ -4047,7 +4049,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
@@ -4097,7 +4099,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
@@ -4147,7 +4149,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
@@ -4196,7 +4198,7 @@ This value is an on/off switch for the Hyper-V Firewall enforcement.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -4245,7 +4247,7 @@ This value is an on/off switch for the Hyper-V Firewall. This value controls the
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -4294,7 +4296,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
@@ -4332,7 +4334,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
@@ -4382,7 +4384,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
@@ -4432,7 +4434,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
@@ -4482,7 +4484,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
@@ -4531,7 +4533,7 @@ This value is an on/off switch for the Hyper-V Firewall enforcement.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
@@ -4569,7 +4571,7 @@ This value is an on/off switch for the Hyper-V Firewall enforcement.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
@@ -4619,7 +4621,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
@@ -4669,7 +4671,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
@@ -4719,7 +4721,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md
index 333baf09d9..8a398f09ae 100644
--- a/windows/client-management/mdm/firewall-ddf-file.md
+++ b/windows/client-management/mdm/firewall-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 06/02/2023
+ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -2815,6 +2815,10 @@ The following XML file contains the device description framework (DDF) for the F
+
+ 10.0.22621
+ 1.0
+
@@ -3025,6 +3029,10 @@ The following XML file contains the device description framework (DDF) for the F
+
+ 10.0.25398
+ 1.0
+
false
@@ -3055,6 +3063,10 @@ The following XML file contains the device description framework (DDF) for the F
+
+ 10.0.25398
+ 1.0
+
EnableFirewall
@@ -3244,6 +3256,10 @@ The following XML file contains the device description framework (DDF) for the F
+
+ 10.0.25398
+ 1.0
+
EnableFirewall
@@ -3433,6 +3449,10 @@ The following XML file contains the device description framework (DDF) for the F
+
+ 10.0.25398
+ 1.0
+
EnableFirewall
@@ -4424,6 +4444,10 @@ This is a string in Security Descriptor Definition Language (SDDL) format..
+
+ 10.0.22621
+ 1.0
+
@@ -4808,6 +4832,10 @@ If not specified - a new rule is disabled by default.
+
+ 10.0.25398
+ 1.0
+
0x1
diff --git a/windows/client-management/mdm/laps-csp.md b/windows/client-management/mdm/laps-csp.md
index 21eb2d1b73..40cba72f64 100644
--- a/windows/client-management/mdm/laps-csp.md
+++ b/windows/client-management/mdm/laps-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the LAPS CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 05/11/2023
+ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -16,6 +16,8 @@ ms.topic: reference
# LAPS CSP
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see [Configure policy settings for Windows LAPS](/windows-server/identity/laps/laps-management-policy-settings).
@@ -54,7 +56,7 @@ The following list shows the LAPS configuration service provider nodes:
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
@@ -93,7 +95,7 @@ Defines the parent interior node for all action-related settings in the LAPS CSP
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
@@ -133,7 +135,7 @@ This action invokes an immediate reset of the local administrator account passwo
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
@@ -178,7 +180,7 @@ The value returned is an HRESULT code:
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
@@ -218,7 +220,7 @@ Root node for LAPS policies.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
@@ -268,7 +270,7 @@ This setting has a maximum allowed value of 12 passwords.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
@@ -313,7 +315,7 @@ Note if a custom managed local administrator account name is specified in this s
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
@@ -375,7 +377,7 @@ If not specified, this setting defaults to True.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
@@ -431,7 +433,7 @@ If the specified user or group account is invalid the device will fallback to us
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
@@ -489,7 +491,7 @@ If not specified, this setting will default to 0.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
@@ -537,7 +539,7 @@ This setting has a maximum allowed value of 365 days.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
@@ -599,7 +601,7 @@ If not specified, this setting will default to 4.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
@@ -655,7 +657,7 @@ If not specified, this setting defaults to True.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
@@ -702,7 +704,7 @@ This setting has a maximum allowed value of 64 characters.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
@@ -759,7 +761,7 @@ If not specified, this setting will default to 3 (Reset the password and logoff
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index a325b44c94..153a0b2f95 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the PassportForWork CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 05/11/2023
+ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -34,6 +34,7 @@ The following list shows the PassportForWork configuration service provider node
- [Policies](#devicetenantidpolicies)
- [DisablePostLogonProvisioning](#devicetenantidpoliciesdisablepostlogonprovisioning)
- [EnablePinRecovery](#devicetenantidpoliciesenablepinrecovery)
+ - [EnableWindowsHelloProvisioningForSecurityKeys](#devicetenantidpoliciesenablewindowshelloprovisioningforsecuritykeys)
- [ExcludeSecurityDevices](#devicetenantidpoliciesexcludesecuritydevices)
- [TPM12](#devicetenantidpoliciesexcludesecuritydevicestpm12)
- [PINComplexity](#devicetenantidpoliciespincomplexity)
@@ -265,6 +266,55 @@ If the user forgets their PIN, it can be changed to a new PIN using the Windows
+
+#### Device/{TenantId}/Policies/EnableWindowsHelloProvisioningForSecurityKeys
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/EnableWindowsHelloProvisioningForSecurityKeys
+```
+
+
+
+
+Enable Windows Hello provisioning if users sign-in to their devices with FIDO2 security keys.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `bool` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | False |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Disabled. |
+| true | Enabled. |
+
+
+
+
+
+
+
+
#### Device/{TenantId}/Policies/ExcludeSecurityDevices
diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md
index 3e17cfe42d..8a2ac551bc 100644
--- a/windows/client-management/mdm/passportforwork-ddf.md
+++ b/windows/client-management/mdm/passportforwork-ddf.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 06/02/2023
+ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -814,6 +814,45 @@ If you disable or do not configure this policy setting, the PIN recovery secret
+
+ EnableWindowsHelloProvisioningForSecurityKeys
+
+
+
+
+
+
+
+ False
+ Enable Windows Hello provisioning if users sign-in to their devices with FIDO2 security keys.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 99.9.99999
+ 1.6
+
+
+
+ false
+ Disabled
+
+
+ true
+ Enabled
+
+
+
+
DisablePostLogonProvisioning
diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
index 404381b85a..b1d980b61f 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
@@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 05/01/2023
+ms.date: 08/07/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -64,8 +64,6 @@ This article lists the ADMX-backed policies in Policy CSP.
## ADMX_AppXRuntime
-- [AppxRuntimeBlockFileElevation](policy-csp-admx-appxruntime.md)
-- [AppxRuntimeBlockProtocolElevation](policy-csp-admx-appxruntime.md)
- [AppxRuntimeBlockFileElevation](policy-csp-admx-appxruntime.md)
- [AppxRuntimeBlockProtocolElevation](policy-csp-admx-appxruntime.md)
- [AppxRuntimeBlockHostedAppAccessWinRT](policy-csp-admx-appxruntime.md)
@@ -141,7 +139,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [CPL_Personalization_PersonalColors](policy-csp-admx-controlpaneldisplay.md)
- [CPL_Personalization_ForceDefaultLockScreen](policy-csp-admx-controlpaneldisplay.md)
- [CPL_Personalization_StartBackground](policy-csp-admx-controlpaneldisplay.md)
-- [CPL_Personalization_SetTheme](policy-csp-admx-controlpaneldisplay.md)
- [CPL_Personalization_NoChangingLockScreen](policy-csp-admx-controlpaneldisplay.md)
- [CPL_Personalization_NoChangingStartMenuBackground](policy-csp-admx-controlpaneldisplay.md)
@@ -221,7 +218,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [NoRecycleBinIcon](policy-csp-admx-desktop.md)
- [NoDesktopCleanupWizard](policy-csp-admx-desktop.md)
- [NoWindowMinimizingShortcuts](policy-csp-admx-desktop.md)
-- [NoDesktop](policy-csp-admx-desktop.md)
## ADMX_DeviceCompat
@@ -542,7 +538,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [DisableAOACProcessing](policy-csp-admx-grouppolicy.md)
- [DisableLGPOProcessing](policy-csp-admx-grouppolicy.md)
- [RSoPLogging](policy-csp-admx-grouppolicy.md)
-- [ProcessMitigationOptions](policy-csp-admx-grouppolicy.md)
- [FontMitigation](policy-csp-admx-grouppolicy.md)
## ADMX_Help
@@ -1163,10 +1158,6 @@ This article lists the ADMX-backed policies in Policy CSP.
## ADMX_PowerShellExecutionPolicy
-- [EnableUpdateHelpDefaultSourcePath](policy-csp-admx-powershellexecutionpolicy.md)
-- [EnableModuleLogging](policy-csp-admx-powershellexecutionpolicy.md)
-- [EnableTranscripting](policy-csp-admx-powershellexecutionpolicy.md)
-- [EnableScripts](policy-csp-admx-powershellexecutionpolicy.md)
- [EnableUpdateHelpDefaultSourcePath](policy-csp-admx-powershellexecutionpolicy.md)
- [EnableModuleLogging](policy-csp-admx-powershellexecutionpolicy.md)
- [EnableTranscripting](policy-csp-admx-powershellexecutionpolicy.md)
@@ -1339,7 +1330,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [Run_Logon_Script_Sync_2](policy-csp-admx-scripts.md)
- [Run_Startup_Script_Sync](policy-csp-admx-scripts.md)
- [Run_Computer_PS_Scripts_First](policy-csp-admx-scripts.md)
-- [Run_User_PS_Scripts_First](policy-csp-admx-scripts.md)
- [MaxGPOScriptWaitPolicy](policy-csp-admx-scripts.md)
## ADMX_sdiageng
@@ -1509,14 +1499,7 @@ This article lists the ADMX-backed policies in Policy CSP.
- [NoAutoTrayNotify](policy-csp-admx-startmenu.md)
- [Intellimenus](policy-csp-admx-startmenu.md)
- [NoInstrumentation](policy-csp-admx-startmenu.md)
-- [StartPinAppsWhenInstalled](policy-csp-admx-startmenu.md)
-- [NoSetTaskbar](policy-csp-admx-startmenu.md)
-- [NoChangeStartMenu](policy-csp-admx-startmenu.md)
-- [NoUninstallFromStart](policy-csp-admx-startmenu.md)
-- [NoTrayContextMenu](policy-csp-admx-startmenu.md)
-- [NoMoreProgramsList](policy-csp-admx-startmenu.md)
- [HidePowerOptions](policy-csp-admx-startmenu.md)
-- [NoRun](policy-csp-admx-startmenu.md)
## ADMX_SystemRestore
@@ -1590,8 +1573,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [NoSystraySystemPromotion](policy-csp-admx-taskbar.md)
- [NoBalloonFeatureAdvertisements](policy-csp-admx-taskbar.md)
- [TaskbarNoThumbnail](policy-csp-admx-taskbar.md)
-- [DisableNotificationCenter](policy-csp-admx-taskbar.md)
-- [TaskbarNoPinnedList](policy-csp-admx-taskbar.md)
## ADMX_tcpip
@@ -1849,132 +1830,13 @@ This article lists the ADMX-backed policies in Policy CSP.
- [Travel](policy-csp-admx-userexperiencevirtualization.md)
- [Video](policy-csp-admx-userexperiencevirtualization.md)
- [Weather](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013AccessBackup](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2016AccessBackup](policy-csp-admx-userexperiencevirtualization.md)
-- [Calculator](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013CommonBackup](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2016CommonBackup](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013ExcelBackup](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2016ExcelBackup](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013InfoPathBackup](policy-csp-admx-userexperiencevirtualization.md)
-- [InternetExplorer10](policy-csp-admx-userexperiencevirtualization.md)
-- [InternetExplorer11](policy-csp-admx-userexperiencevirtualization.md)
-- [InternetExplorer8](policy-csp-admx-userexperiencevirtualization.md)
-- [InternetExplorer9](policy-csp-admx-userexperiencevirtualization.md)
-- [InternetExplorerCommon](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013LyncBackup](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2016LyncBackup](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2010Access](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013Access](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2016Access](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2010Excel](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013Excel](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2016Excel](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2010InfoPath](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013InfoPath](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2010Lync](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013Lync](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2016Lync](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2010Common](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013Common](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013UploadCenter](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2016Common](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2016UploadCenter](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice365Access2013](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice365Access2016](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice365Common2013](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice365Common2016](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice365Excel2013](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice365Excel2016](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice365InfoPath2013](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice365Lync2013](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice365Lync2016](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice365OneNote2013](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice365OneNote2016](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice365Outlook2013](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice365Outlook2016](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice365PowerPoint2013](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice365PowerPoint2016](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice365Project2013](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice365Project2016](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice365Publisher2013](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice365Publisher2016](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice365SharePointDesigner2013](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice365Visio2013](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice365Visio2016](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice365Word2013](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice365Word2016](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2016OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2010OneNote](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013OneNote](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2016OneNote](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2010Outlook](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013Outlook](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2016Outlook](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2010PowerPoint](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013PowerPoint](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2016PowerPoint](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2010Project](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013Project](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2016Project](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2010Publisher](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013Publisher](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2016Publisher](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2010SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2010SharePointWorkspace](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2010Visio](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013Visio](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2016Visio](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2010Word](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013Word](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2016Word](policy-csp-admx-userexperiencevirtualization.md)
-- [Notepad](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2016OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013OutlookBackup](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2016OutlookBackup](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2016PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013ProjectBackup](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2016ProjectBackup](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013PublisherBackup](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2016PublisherBackup](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013SharePointDesignerBackup](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013VisioBackup](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2016VisioBackup](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2013WordBackup](policy-csp-admx-userexperiencevirtualization.md)
-- [MicrosoftOffice2016WordBackup](policy-csp-admx-userexperiencevirtualization.md)
-- [Wordpad](policy-csp-admx-userexperiencevirtualization.md)
-- [ConfigureSyncMethod](policy-csp-admx-userexperiencevirtualization.md)
- [ContactITDescription](policy-csp-admx-userexperiencevirtualization.md)
- [ContactITUrl](policy-csp-admx-userexperiencevirtualization.md)
-- [DisableWin8Sync](policy-csp-admx-userexperiencevirtualization.md)
- [EnableUEV](policy-csp-admx-userexperiencevirtualization.md)
- [FirstUseNotificationEnabled](policy-csp-admx-userexperiencevirtualization.md)
-- [SyncProviderPingEnabled](policy-csp-admx-userexperiencevirtualization.md)
-- [MaxPackageSizeInBytes](policy-csp-admx-userexperiencevirtualization.md)
-- [SettingsStoragePath](policy-csp-admx-userexperiencevirtualization.md)
- [SettingsTemplateCatalogPath](policy-csp-admx-userexperiencevirtualization.md)
-- [SyncOverMeteredNetwork](policy-csp-admx-userexperiencevirtualization.md)
-- [SyncOverMeteredNetworkWhenRoaming](policy-csp-admx-userexperiencevirtualization.md)
- [SyncUnlistedWindows8Apps](policy-csp-admx-userexperiencevirtualization.md)
-- [RepositoryTimeout](policy-csp-admx-userexperiencevirtualization.md)
-- [DisableWindowsOSSettings](policy-csp-admx-userexperiencevirtualization.md)
- [TrayIconEnabled](policy-csp-admx-userexperiencevirtualization.md)
-- [SyncEnabled](policy-csp-admx-userexperiencevirtualization.md)
-- [ConfigureVdi](policy-csp-admx-userexperiencevirtualization.md)
-- [Finance](policy-csp-admx-userexperiencevirtualization.md)
-- [Games](policy-csp-admx-userexperiencevirtualization.md)
-- [Maps](policy-csp-admx-userexperiencevirtualization.md)
-- [Music](policy-csp-admx-userexperiencevirtualization.md)
-- [News](policy-csp-admx-userexperiencevirtualization.md)
-- [Reader](policy-csp-admx-userexperiencevirtualization.md)
-- [Sports](policy-csp-admx-userexperiencevirtualization.md)
-- [Travel](policy-csp-admx-userexperiencevirtualization.md)
-- [Video](policy-csp-admx-userexperiencevirtualization.md)
-- [Weather](policy-csp-admx-userexperiencevirtualization.md)
## ADMX_UserProfiles
@@ -2089,35 +1951,11 @@ This article lists the ADMX-backed policies in Policy CSP.
- [IZ_Policy_OpenSearchPreview_Trusted](policy-csp-admx-windowsexplorer.md)
- [EnableShellShortcutIconRemotePath](policy-csp-admx-windowsexplorer.md)
- [EnableSmartScreen](policy-csp-admx-windowsexplorer.md)
-- [DisableBindDirectlyToPropertySetStorage](policy-csp-admx-windowsexplorer.md)
- [NoNewAppAlert](policy-csp-admx-windowsexplorer.md)
-- [DefaultLibrariesLocation](policy-csp-admx-windowsexplorer.md)
- [ShowHibernateOption](policy-csp-admx-windowsexplorer.md)
- [ShowSleepOption](policy-csp-admx-windowsexplorer.md)
-- [ExplorerRibbonStartsMinimized](policy-csp-admx-windowsexplorer.md)
-- [NoStrCmpLogical](policy-csp-admx-windowsexplorer.md)
- [ShellProtocolProtectedModeTitle_2](policy-csp-admx-windowsexplorer.md)
- [CheckSameSourceAndTargetForFRAndDFS](policy-csp-admx-windowsexplorer.md)
-- [IZ_Policy_OpenSearchQuery_Internet](policy-csp-admx-windowsexplorer.md)
-- [IZ_Policy_OpenSearchPreview_Internet](policy-csp-admx-windowsexplorer.md)
-- [IZ_Policy_OpenSearchQuery_Intranet](policy-csp-admx-windowsexplorer.md)
-- [IZ_Policy_OpenSearchPreview_Intranet](policy-csp-admx-windowsexplorer.md)
-- [IZ_Policy_OpenSearchQuery_LocalMachine](policy-csp-admx-windowsexplorer.md)
-- [IZ_Policy_OpenSearchPreview_LocalMachine](policy-csp-admx-windowsexplorer.md)
-- [IZ_Policy_OpenSearchQuery_InternetLockdown](policy-csp-admx-windowsexplorer.md)
-- [IZ_Policy_OpenSearchPreview_InternetLockdown](policy-csp-admx-windowsexplorer.md)
-- [IZ_Policy_OpenSearchQuery_IntranetLockdown](policy-csp-admx-windowsexplorer.md)
-- [IZ_Policy_OpenSearchPreview_IntranetLockdown](policy-csp-admx-windowsexplorer.md)
-- [IZ_Policy_OpenSearchQuery_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md)
-- [IZ_Policy_OpenSearchPreview_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md)
-- [IZ_Policy_OpenSearchQuery_RestrictedLockdown](policy-csp-admx-windowsexplorer.md)
-- [IZ_Policy_OpenSearchPreview_RestrictedLockdown](policy-csp-admx-windowsexplorer.md)
-- [IZ_Policy_OpenSearchQuery_TrustedLockdown](policy-csp-admx-windowsexplorer.md)
-- [IZ_Policy_OpenSearchPreview_TrustedLockdown](policy-csp-admx-windowsexplorer.md)
-- [IZ_Policy_OpenSearchQuery_Restricted](policy-csp-admx-windowsexplorer.md)
-- [IZ_Policy_OpenSearchPreview_Restricted](policy-csp-admx-windowsexplorer.md)
-- [IZ_Policy_OpenSearchQuery_Trusted](policy-csp-admx-windowsexplorer.md)
-- [IZ_Policy_OpenSearchPreview_Trusted](policy-csp-admx-windowsexplorer.md)
## ADMX_WindowsMediaDRM
@@ -2174,7 +2012,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [LogonHoursPolicyDescription](policy-csp-admx-winlogon.md)
- [SoftwareSASGeneration](policy-csp-admx-winlogon.md)
- [DisplayLastLogonInfoDescription](policy-csp-admx-winlogon.md)
-- [ReportCachedLogonPolicyDescription](policy-csp-admx-winlogon.md)
## ADMX_Winsrv
@@ -2204,7 +2041,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [NoQuietHours](policy-csp-admx-wpn.md)
- [NoToastNotification](policy-csp-admx-wpn.md)
- [NoLockScreenToastNotification](policy-csp-admx-wpn.md)
-- [NoToastNotification](policy-csp-admx-wpn.md)
## AppRuntime
@@ -2249,9 +2085,6 @@ This article lists the ADMX-backed policies in Policy CSP.
## Autoplay
-- [DisallowAutoplayForNonVolumeDevices](policy-csp-autoplay.md)
-- [SetDefaultAutoRunBehavior](policy-csp-autoplay.md)
-- [TurnOffAutoPlay](policy-csp-autoplay.md)
- [DisallowAutoplayForNonVolumeDevices](policy-csp-autoplay.md)
- [SetDefaultAutoRunBehavior](policy-csp-autoplay.md)
- [TurnOffAutoPlay](policy-csp-autoplay.md)
@@ -2279,7 +2112,6 @@ This article lists the ADMX-backed policies in Policy CSP.
## CredentialsUI
-- [DisablePasswordReveal](policy-csp-credentialsui.md)
- [DisablePasswordReveal](policy-csp-credentialsui.md)
- [EnumerateAdministrators](policy-csp-credentialsui.md)
@@ -2608,264 +2440,11 @@ This article lists the ADMX-backed policies in Policy CSP.
- [LockedDownIntranetJavaPermissions](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md)
- [DisableHTMLApplication](policy-csp-internetexplorer.md)
-- [AddSearchProvider](policy-csp-internetexplorer.md)
-- [DisableSecondaryHomePageChange](policy-csp-internetexplorer.md)
- [DisableUpdateCheck](policy-csp-internetexplorer.md)
-- [DisableProxyChange](policy-csp-internetexplorer.md)
-- [DisableSearchProviderChange](policy-csp-internetexplorer.md)
-- [DisableCustomerExperienceImprovementProgramParticipation](policy-csp-internetexplorer.md)
-- [AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md)
-- [AllowSuggestedSites](policy-csp-internetexplorer.md)
-- [DisableCompatView](policy-csp-internetexplorer.md)
-- [DisableFeedsBackgroundSync](policy-csp-internetexplorer.md)
-- [DisableFirstRunWizard](policy-csp-internetexplorer.md)
-- [DisableFlipAheadFeature](policy-csp-internetexplorer.md)
-- [DisableGeolocation](policy-csp-internetexplorer.md)
-- [DisableWebAddressAutoComplete](policy-csp-internetexplorer.md)
-- [NewTabDefaultPage](policy-csp-internetexplorer.md)
-- [PreventManagingSmartScreenFilter](policy-csp-internetexplorer.md)
-- [SearchProviderList](policy-csp-internetexplorer.md)
- [DoNotAllowUsersToAddSites](policy-csp-internetexplorer.md)
- [DoNotAllowUsersToChangePolicies](policy-csp-internetexplorer.md)
-- [AllowActiveXFiltering](policy-csp-internetexplorer.md)
-- [AllowEnterpriseModeSiteList](policy-csp-internetexplorer.md)
-- [SendSitesNotInEnterpriseSiteListToEdge](policy-csp-internetexplorer.md)
-- [ConfigureEdgeRedirectChannel](policy-csp-internetexplorer.md)
-- [KeepIntranetSitesInInternetExplorer](policy-csp-internetexplorer.md)
-- [AllowSaveTargetAsInIEMode](policy-csp-internetexplorer.md)
-- [DisableInternetExplorerApp](policy-csp-internetexplorer.md)
-- [EnableExtendedIEModeHotkeys](policy-csp-internetexplorer.md)
-- [ResetZoomForDialogInIEMode](policy-csp-internetexplorer.md)
-- [EnableGlobalWindowListInIEMode](policy-csp-internetexplorer.md)
-- [JScriptReplacement](policy-csp-internetexplorer.md)
-- [AllowInternetExplorerStandardsMode](policy-csp-internetexplorer.md)
-- [AllowInternetExplorer7PolicyList](policy-csp-internetexplorer.md)
-- [DisableEncryptionSupport](policy-csp-internetexplorer.md)
-- [AllowEnhancedProtectedMode](policy-csp-internetexplorer.md)
-- [AllowInternetZoneTemplate](policy-csp-internetexplorer.md)
-- [IncludeAllLocalSites](policy-csp-internetexplorer.md)
-- [IncludeAllNetworkPaths](policy-csp-internetexplorer.md)
-- [AllowIntranetZoneTemplate](policy-csp-internetexplorer.md)
-- [AllowLocalMachineZoneTemplate](policy-csp-internetexplorer.md)
-- [AllowLockedDownInternetZoneTemplate](policy-csp-internetexplorer.md)
-- [AllowLockedDownIntranetZoneTemplate](policy-csp-internetexplorer.md)
-- [AllowLockedDownLocalMachineZoneTemplate](policy-csp-internetexplorer.md)
-- [AllowLockedDownRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md)
-- [AllowsLockedDownTrustedSitesZoneTemplate](policy-csp-internetexplorer.md)
-- [AllowsRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md)
-- [AllowSiteToZoneAssignmentList](policy-csp-internetexplorer.md)
-- [AllowTrustedSitesZoneTemplate](policy-csp-internetexplorer.md)
-- [InternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
-- [LockedDownInternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
-- [IntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
-- [LockedDownIntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
-- [TrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
-- [LockedDownTrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
-- [LockedDownRestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
-- [LocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
-- [LockedDownLocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
-- [InternetZoneAllowFontDownloads](policy-csp-internetexplorer.md)
-- [LockedDownInternetZoneAllowFontDownloads](policy-csp-internetexplorer.md)
-- [IntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md)
-- [LockedDownIntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md)
-- [TrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md)
-- [LockedDownTrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md)
-- [LockedDownRestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md)
-- [LocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md)
-- [LockedDownLocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md)
-- [InternetZoneAllowScriptlets](policy-csp-internetexplorer.md)
-- [LockedDownInternetZoneAllowScriptlets](policy-csp-internetexplorer.md)
-- [IntranetZoneAllowScriptlets](policy-csp-internetexplorer.md)
-- [LockedDownIntranetZoneAllowScriptlets](policy-csp-internetexplorer.md)
-- [TrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md)
-- [LockedDownTrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md)
-- [LockedDownRestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md)
-- [LocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md)
-- [LockedDownLocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md)
-- [InternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
-- [LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
-- [IntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
-- [LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
-- [TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
-- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
-- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
-- [LocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
-- [LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
-- [InternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
-- [LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
-- [IntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
-- [LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
-- [TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
-- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
-- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
-- [LocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
-- [LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
-- [InternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
-- [LockedDownInternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
-- [IntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
-- [LockedDownIntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
-- [TrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
-- [LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
-- [LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
-- [LocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
-- [LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
-- [InternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
-- [LockedDownInternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
-- [IntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
-- [LockedDownIntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
-- [TrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
-- [LockedDownTrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
-- [LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
-- [LocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
-- [LockedDownLocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
-- [InternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
-- [LockedDownInternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
-- [IntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
-- [LockedDownIntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
-- [TrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
-- [LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
-- [LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
-- [LocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
-- [LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
-- [InternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
-- [LockedDownInternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
-- [IntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
-- [LockedDownIntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
-- [TrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
-- [LockedDownTrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
-- [LockedDownRestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
-- [LocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
-- [LockedDownLocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
-- [InternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
-- [LockedDownInternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
-- [IntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
-- [LockedDownIntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
-- [TrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
-- [LockedDownTrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
-- [LockedDownRestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
-- [LocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
-- [LockedDownLocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
-- [InternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
-- [LockedDownInternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
-- [IntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
-- [LockedDownIntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
-- [TrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
-- [LockedDownTrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
-- [LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
-- [LocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
-- [LockedDownLocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
-- [AllowAddOnList](policy-csp-internetexplorer.md)
-- [DoNotBlockOutdatedActiveXControls](policy-csp-internetexplorer.md)
-- [DoNotBlockOutdatedActiveXControlsOnSpecificDomains](policy-csp-internetexplorer.md)
-- [DisableEnclosureDownloading](policy-csp-internetexplorer.md)
-- [DisableBypassOfSmartScreenWarnings](policy-csp-internetexplorer.md)
-- [DisableBypassOfSmartScreenWarningsAboutUncommonFiles](policy-csp-internetexplorer.md)
-- [AllowOneWordEntry](policy-csp-internetexplorer.md)
-- [AllowEnterpriseModeFromToolsMenu](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneAllowActiveScripting](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneAllowBinaryAndScriptBehaviors](policy-csp-internetexplorer.md)
-- [InternetZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md)
-- [AllowDeletingBrowsingHistoryOnExit](policy-csp-internetexplorer.md)
-- [InternetZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md)
- [AllowFallbackToSSL3](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneAllowFileDownloads](policy-csp-internetexplorer.md)
-- [InternetZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneAllowMETAREFRESH](policy-csp-internetexplorer.md)
-- [InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md)
-- [InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md)
-- [InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md)
-- [InternetZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md)
-- [AllowSoftwareWhenSignatureIsInvalid](policy-csp-internetexplorer.md)
-- [InternetZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md)
-- [CheckServerCertificateRevocation](policy-csp-internetexplorer.md)
-- [CheckSignaturesOnDownloadedPrograms](policy-csp-internetexplorer.md)
-- [DisableConfiguringHistory](policy-csp-internetexplorer.md)
-- [DoNotAllowActiveXControlsInProtectedMode](policy-csp-internetexplorer.md)
-- [InternetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
-- [IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
-- [LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
-- [TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
-- [InternetZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md)
-- [InternetZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md)
-- [InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md)
-- [InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md)
-- [InternetZoneEnableMIMESniffing](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneEnableMIMESniffing](policy-csp-internetexplorer.md)
-- [InternetZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md)
-- [ConsistentMimeHandlingInternetExplorerProcesses](policy-csp-internetexplorer.md)
-- [MimeSniffingSafetyFeatureInternetExplorerProcesses](policy-csp-internetexplorer.md)
-- [MKProtocolSecurityRestrictionInternetExplorerProcesses](policy-csp-internetexplorer.md)
-- [NotificationBarInternetExplorerProcesses](policy-csp-internetexplorer.md)
-- [ProtectionFromZoneElevationInternetExplorerProcesses](policy-csp-internetexplorer.md)
-- [RestrictActiveXInstallInternetExplorerProcesses](policy-csp-internetexplorer.md)
-- [RestrictFileDownloadInternetExplorerProcesses](policy-csp-internetexplorer.md)
-- [ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](policy-csp-internetexplorer.md)
-- [InternetZoneJavaPermissions](policy-csp-internetexplorer.md)
-- [IntranetZoneJavaPermissions](policy-csp-internetexplorer.md)
-- [LocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md)
-- [LockedDownInternetZoneJavaPermissions](policy-csp-internetexplorer.md)
-- [LockedDownLocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md)
-- [LockedDownRestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md)
-- [LockedDownTrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md)
-- [TrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md)
-- [InternetZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md)
-- [InternetZoneLogonOptions](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneLogonOptions](policy-csp-internetexplorer.md)
-- [DisableDeletingUserVisitedWebsites](policy-csp-internetexplorer.md)
-- [DisableIgnoringCertificateErrors](policy-csp-internetexplorer.md)
-- [PreventPerUserInstallationOfActiveXControls](policy-csp-internetexplorer.md)
-- [RemoveRunThisTimeButtonForOutdatedActiveXControls](policy-csp-internetexplorer.md)
-- [InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneRunActiveXControlsAndPlugins](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneScriptingOfJavaApplets](policy-csp-internetexplorer.md)
- [SecurityZonesUseOnlyMachineSettings](policy-csp-internetexplorer.md)
-- [InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md)
-- [SpecifyUseOfActiveXInstallerService](policy-csp-internetexplorer.md)
-- [DisableCrashDetection](policy-csp-internetexplorer.md)
-- [DisableInPrivateBrowsing](policy-csp-internetexplorer.md)
-- [DisableSecuritySettingsCheck](policy-csp-internetexplorer.md)
-- [DisableProcessesInEnhancedProtectedMode](policy-csp-internetexplorer.md)
-- [AllowCertificateAddressMismatchWarning](policy-csp-internetexplorer.md)
-- [InternetZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md)
-- [InternetZoneEnableProtectedMode](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneTurnOnProtectedMode](policy-csp-internetexplorer.md)
-- [InternetZoneUsePopupBlocker](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneUsePopupBlocker](policy-csp-internetexplorer.md)
-- [InternetZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md)
-- [LockedDownIntranetJavaPermissions](policy-csp-internetexplorer.md)
-- [RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md)
-- [DisableHTMLApplication](policy-csp-internetexplorer.md)
## Kerberos
@@ -3024,7 +2603,6 @@ This article lists the ADMX-backed policies in Policy CSP.
## WindowsPowerShell
-- [TurnOnPowerShellScriptBlockLogging](policy-csp-windowspowershell.md)
- [TurnOnPowerShellScriptBlockLogging](policy-csp-windowspowershell.md)
## Related articles
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
index 9b79c99c4a..af5ce30ee9 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
@@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 06/02/2023
+ms.date: 08/07/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -40,8 +40,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [AllowDeveloperUnlock](policy-csp-applicationmanagement.md)
- [AllowGameDVR](policy-csp-applicationmanagement.md)
- [AllowSharedUserAppData](policy-csp-applicationmanagement.md)
-- [RequirePrivateStoreOnly](policy-csp-applicationmanagement.md)
-- [MSIAlwaysInstallWithElevatedPrivileges](policy-csp-applicationmanagement.md)
- [MSIAllowUserControlOverInstall](policy-csp-applicationmanagement.md)
- [RestrictAppDataToSystemVolume](policy-csp-applicationmanagement.md)
- [RestrictAppToSystemVolume](policy-csp-applicationmanagement.md)
@@ -125,59 +123,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
## Browser
-- [AllowAddressBarDropdown](policy-csp-browser.md)
-- [AllowAutofill](policy-csp-browser.md)
-- [AllowCookies](policy-csp-browser.md)
-- [AllowDeveloperTools](policy-csp-browser.md)
-- [AllowDoNotTrack](policy-csp-browser.md)
-- [AllowExtensions](policy-csp-browser.md)
-- [AllowFlash](policy-csp-browser.md)
-- [AllowFlashClickToRun](policy-csp-browser.md)
-- [AllowFullScreenMode](policy-csp-browser.md)
-- [AllowInPrivate](policy-csp-browser.md)
-- [AllowMicrosoftCompatibilityList](policy-csp-browser.md)
-- [ConfigureTelemetryForMicrosoft365Analytics](policy-csp-browser.md)
-- [AllowPasswordManager](policy-csp-browser.md)
-- [AllowPopups](policy-csp-browser.md)
-- [AllowPrinting](policy-csp-browser.md)
-- [AllowSavingHistory](policy-csp-browser.md)
-- [AllowSearchEngineCustomization](policy-csp-browser.md)
-- [AllowSearchSuggestionsinAddressBar](policy-csp-browser.md)
-- [AllowSideloadingOfExtensions](policy-csp-browser.md)
-- [AllowSmartScreen](policy-csp-browser.md)
-- [AllowWebContentOnNewTabPage](policy-csp-browser.md)
-- [AlwaysEnableBooksLibrary](policy-csp-browser.md)
-- [ClearBrowsingDataOnExit](policy-csp-browser.md)
-- [ConfigureAdditionalSearchEngines](policy-csp-browser.md)
-- [ConfigureFavoritesBar](policy-csp-browser.md)
-- [ConfigureHomeButton](policy-csp-browser.md)
-- [ConfigureOpenMicrosoftEdgeWith](policy-csp-browser.md)
-- [DisableLockdownOfStartPages](policy-csp-browser.md)
-- [EnableExtendedBooksTelemetry](policy-csp-browser.md)
-- [AllowTabPreloading](policy-csp-browser.md)
-- [AllowPrelaunch](policy-csp-browser.md)
-- [EnterpriseModeSiteList](policy-csp-browser.md)
-- [PreventTurningOffRequiredExtensions](policy-csp-browser.md)
-- [HomePages](policy-csp-browser.md)
-- [LockdownFavorites](policy-csp-browser.md)
-- [ConfigureKioskMode](policy-csp-browser.md)
-- [ConfigureKioskResetAfterIdleTimeout](policy-csp-browser.md)
-- [PreventAccessToAboutFlagsInMicrosoftEdge](policy-csp-browser.md)
-- [PreventFirstRunPage](policy-csp-browser.md)
-- [PreventCertErrorOverrides](policy-csp-browser.md)
-- [PreventSmartScreenPromptOverride](policy-csp-browser.md)
-- [PreventSmartScreenPromptOverrideForFiles](policy-csp-browser.md)
-- [PreventLiveTileDataCollection](policy-csp-browser.md)
-- [PreventUsingLocalHostIPAddressForWebRTC](policy-csp-browser.md)
-- [ProvisionFavorites](policy-csp-browser.md)
-- [SendIntranetTraffictoInternetExplorer](policy-csp-browser.md)
-- [SetDefaultSearchEngine](policy-csp-browser.md)
-- [SetHomeButtonURL](policy-csp-browser.md)
-- [SetNewTabPageURL](policy-csp-browser.md)
-- [ShowMessageWhenOpeningSitesInInternetExplorer](policy-csp-browser.md)
-- [SyncFavoritesBetweenIEAndMicrosoftEdge](policy-csp-browser.md)
-- [UnlockHomeButton](policy-csp-browser.md)
-- [UseSharedFolderForBooks](policy-csp-browser.md)
- [AllowAddressBarDropdown](policy-csp-browser.md)
- [AllowAutofill](policy-csp-browser.md)
- [AllowCookies](policy-csp-browser.md)
@@ -252,6 +197,8 @@ This article lists the policies in Policy CSP that have a group policy mapping.
## Cryptography
- [AllowFipsAlgorithmPolicy](policy-csp-cryptography.md)
+- [TLSCipherSuites](policy-csp-cryptography.md)
+- [ConfigureEllipticCurveCryptography](policy-csp-cryptography.md)
## Defender
@@ -347,7 +294,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [EnablePerProcessDpi](policy-csp-display.md)
- [TurnOnGdiDPIScalingForApps](policy-csp-display.md)
- [TurnOffGdiDPIScalingForApps](policy-csp-display.md)
-- [EnablePerProcessDpi](policy-csp-display.md)
- [EnablePerProcessDpiForApps](policy-csp-display.md)
- [DisablePerProcessDpiForApps](policy-csp-display.md)
@@ -630,7 +576,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [PublishUserActivities](policy-csp-privacy.md)
- [UploadUserActivities](policy-csp-privacy.md)
- [AllowCrossDeviceClipboard](policy-csp-privacy.md)
-- [DisablePrivacyExperience](policy-csp-privacy.md)
- [LetAppsActivateWithVoice](policy-csp-privacy.md)
- [LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md)
@@ -664,7 +609,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [ConfigureTaskbarCalendar](policy-csp-settings.md)
- [PageVisibilityList](policy-csp-settings.md)
-- [PageVisibilityList](policy-csp-settings.md)
- [AllowOnlineTips](policy-csp-settings.md)
## SmartScreen
@@ -691,18 +635,8 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [HideRecommendedPersonalizedSites](policy-csp-start.md)
- [HideTaskViewButton](policy-csp-start.md)
- [DisableControlCenter](policy-csp-start.md)
-- [ForceStartSize](policy-csp-start.md)
-- [DisableContextMenus](policy-csp-start.md)
-- [ShowOrHideMostUsedApps](policy-csp-start.md)
-- [HideFrequentlyUsedApps](policy-csp-start.md)
-- [HideRecentlyAddedApps](policy-csp-start.md)
-- [StartLayout](policy-csp-start.md)
-- [ConfigureStartPins](policy-csp-start.md)
-- [HideRecommendedSection](policy-csp-start.md)
-- [HideRecommendedPersonalizedSites](policy-csp-start.md)
- [SimplifyQuickSettings](policy-csp-start.md)
- [DisableEditingQuickSettings](policy-csp-start.md)
-- [HideTaskViewButton](policy-csp-start.md)
## Storage
@@ -721,7 +655,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [AllowBuildPreview](policy-csp-system.md)
- [AllowFontProviders](policy-csp-system.md)
- [AllowLocation](policy-csp-system.md)
-- [AllowTelemetry](policy-csp-system.md)
- [TelemetryProxy](policy-csp-system.md)
- [DisableOneDriveFileSync](policy-csp-system.md)
- [AllowWUfBCloudProcessing](policy-csp-system.md)
@@ -767,7 +700,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [RestrictLanguagePacksAndFeaturesInstall](policy-csp-timelanguagesettings.md)
- [BlockCleanupOfUnusedPreinstalledLangPacks](policy-csp-timelanguagesettings.md)
- [MachineUILanguageOverwrite](policy-csp-timelanguagesettings.md)
-- [RestrictLanguagePacksAndFeaturesInstall](policy-csp-timelanguagesettings.md)
## Troubleshooting
@@ -842,6 +774,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [ConfigureDeadlineNoAutoReboot](policy-csp-update.md)
- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](policy-csp-update.md)
- [ConfigureDeadlineNoAutoRebootForQualityUpdates](policy-csp-update.md)
+- [AllowOptionalContent](policy-csp-update.md)
## UserRights
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
index 4be961a69f..87431a694c 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
@@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Windows 10 Team
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 05/01/2023
+ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -73,6 +73,12 @@ This article lists the policies in Policy CSP that are applicable for the Surfac
## Cryptography
- [AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#allowfipsalgorithmpolicy)
+- [ConfigureEllipticCurveCryptography](policy-csp-cryptography.md#configureellipticcurvecryptography)
+- [ConfigureSystemCryptographyForceStrongKeyProtection](policy-csp-cryptography.md#configuresystemcryptographyforcestrongkeyprotection)
+- [OverrideMinimumEnabledDTLSVersionClient](policy-csp-cryptography.md#overrideminimumenableddtlsversionclient)
+- [OverrideMinimumEnabledDTLSVersionServer](policy-csp-cryptography.md#overrideminimumenableddtlsversionserver)
+- [OverrideMinimumEnabledTLSVersionClient](policy-csp-cryptography.md#overrideminimumenabledtlsversionclient)
+- [OverrideMinimumEnabledTLSVersionServer](policy-csp-cryptography.md#overrideminimumenabledtlsversionserver)
- [TLSCipherSuites](policy-csp-cryptography.md#tlsciphersuites)
## Defender
@@ -313,6 +319,7 @@ This article lists the policies in Policy CSP that are applicable for the Surfac
- [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](policy-csp-update.md#allowautowindowsupdatedownloadovermeterednetwork)
- [AllowMUUpdateService](policy-csp-update.md#allowmuupdateservice)
- [AllowNonMicrosoftSignedUpdate](policy-csp-update.md#allownonmicrosoftsignedupdate)
+- [AllowOptionalContent](policy-csp-update.md#allowoptionalcontent)
- [AllowTemporaryEnterpriseFeatureControl](policy-csp-update.md#allowtemporaryenterprisefeaturecontrol)
- [AllowUpdateService](policy-csp-update.md#allowupdateservice)
- [BranchReadinessLevel](policy-csp-update.md#branchreadinesslevel)
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 47182cc12f..e675d6434b 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -4,7 +4,7 @@ description: Learn more about the Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 05/10/2023
+ms.date: 08/07/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md
index 06983bfbba..2bdf0cc421 100644
--- a/windows/client-management/mdm/policy-csp-abovelock.md
+++ b/windows/client-management/mdm/policy-csp-abovelock.md
@@ -4,7 +4,7 @@ description: Learn more about the AboveLock Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 05/10/2023
+ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -29,7 +29,7 @@ ms.topic: reference
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index 9286bcdf16..dc551ae734 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -4,7 +4,7 @@ description: Learn more about the ApplicationManagement Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 05/11/2023
+ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -435,7 +435,7 @@ Manages a Windows app's ability to share data between users who have installed t
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
+| ✅ Device
❌ User | ❌ Pro
✅ Enterprise
✅ Education
❌ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
@@ -487,7 +487,7 @@ This policy is deprecated.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index 8baca30d66..ec8c6f1260 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -4,7 +4,7 @@ description: Learn more about the Browser Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 05/11/2023
+ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -185,7 +185,7 @@ To verify AllowAutofill is set to 0 (not allowed):
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
✅ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
+| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
@@ -2720,7 +2720,7 @@ Important. Discontinued in Windows 10, version 1511. Use the Browser/EnterpriseM
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
✅ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
+| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md
index 3901124ada..1433ac91b9 100644
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@@ -4,7 +4,7 @@ description: Learn more about the Connectivity Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 06/02/2023
+ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -259,7 +259,7 @@ To validate, the enterprise can confirm by observing the roaming enable switch i
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
@@ -382,7 +382,7 @@ Device that has previously opt-in to MMX will also stop showing on the device li
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md
index 841ae0f1bd..9410f14e41 100644
--- a/windows/client-management/mdm/policy-csp-cryptography.md
+++ b/windows/client-management/mdm/policy-csp-cryptography.md
@@ -4,7 +4,7 @@ description: Learn more about the Cryptography Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 05/10/2023
+ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -16,6 +16,8 @@ ms.topic: reference
# Policy CSP - Cryptography
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
@@ -78,6 +80,283 @@ Allows or disallows the Federal Information Processing Standard (FIPS) policy.
+
+## ConfigureEllipticCurveCryptography
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Cryptography/ConfigureEllipticCurveCryptography
+```
+
+
+
+
+This policy setting determines the priority order of ECC curves used with ECDHE cipher suites.
+
+- If you enable this policy setting, ECC curves are prioritized in the order specified.(Enter one Curve name per line)
+
+- If you disable or don't configure this policy setting, the default ECC curve order is used.
+
+Default Curve Order
+
+curve25519
+NistP256
+NistP384
+
+To See all the curves supported on the system, Use the following command:
+
+CertUtil.exe -DisplayEccCurve.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `;`) |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SSLCurveOrder |
+| Friendly Name | ECC Curve Order |
+| Location | Computer Configuration |
+| Path | Network > SSL Configuration Settings |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 |
+| ADMX File Name | CipherSuiteOrder.admx |
+
+
+
+
+
+
+
+
+
+## ConfigureSystemCryptographyForceStrongKeyProtection
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Cryptography/ConfigureSystemCryptographyForceStrongKeyProtection
+```
+
+
+
+
+System cryptography: Force strong key protection for user keys stored on the computer. Last write wins.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 2 |
+
+
+
+**Allowed values**:
+
+| Flag | Description |
+|:--|:--|
+| 8 | An app container has accessed a medium key that isn't strongly protected. For example, a key that's for user consent only, or is password or fingerprint protected. |
+| 2 (Default) | Force high protection. |
+| 1 | Display the strong key user interface as needed. |
+
+
+
+
+
+
+
+
+
+## OverrideMinimumEnabledDTLSVersionClient
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Cryptography/OverrideMinimumEnabledDTLSVersionClient
+```
+
+
+
+
+Override minimal enabled TLS version for client role. Last write wins.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1.0 |
+
+
+
+
+
+
+
+
+
+## OverrideMinimumEnabledDTLSVersionServer
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Cryptography/OverrideMinimumEnabledDTLSVersionServer
+```
+
+
+
+
+Override minimal enabled TLS version for server role. Last write wins.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1.0 |
+
+
+
+
+
+
+
+
+
+## OverrideMinimumEnabledTLSVersionClient
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Cryptography/OverrideMinimumEnabledTLSVersionClient
+```
+
+
+
+
+Override minimal enabled TLS version for client role. Last write wins.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1.0 |
+
+
+
+
+
+
+
+
+
+## OverrideMinimumEnabledTLSVersionServer
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Cryptography/OverrideMinimumEnabledTLSVersionServer
+```
+
+
+
+
+Override minimal enabled TLS version for server role. Last write wins.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1.0 |
+
+
+
+
+
+
+
+
## TLSCipherSuites
@@ -94,8 +373,14 @@ Allows or disallows the Federal Information Processing Standard (FIPS) policy.
-
-Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win.
+
+This policy setting determines the cipher suites used by the Secure Socket Layer (SSL).
+
+- If you enable this policy setting, SSL cipher suites are prioritized in the order specified.
+
+- If you disable or don't configure this policy setting, default cipher suite order is used.
+
+Link for all the cipherSuites:
@@ -112,6 +397,19 @@ Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is
| Allowed Values | List (Delimiter: `;`) |
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SSLCipherSuiteOrder |
+| Friendly Name | SSL Cipher Suite Order |
+| Location | Computer Configuration |
+| Path | Network > SSL Configuration Settings |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 |
+| ADMX File Name | CipherSuiteOrder.admx |
+
+
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 1eb23bfa94..c98a296a1f 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 06/02/2023
+ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -444,6 +444,9 @@ This policy setting allows you to manage whether or not to scan for malicious so
## AllowIntrusionPreventionSystem
+> [!NOTE]
+> This policy is deprecated and may be removed in a future release.
+
| Scope | Editions | Applicable OS |
|:--|:--|:--|
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index c2c0ede75a..9e30c4c427 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -4,7 +4,7 @@ description: Learn more about the DeviceLock Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 05/10/2023
+ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -121,7 +121,7 @@ Allow Administrator account lockout This security setting determines whether the
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
@@ -789,7 +789,7 @@ On HoloLens, this timeout is controlled by the device's system sleep timeout, re
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md
index 4d115aecee..82305ec038 100644
--- a/windows/client-management/mdm/policy-csp-dmaguard.md
+++ b/windows/client-management/mdm/policy-csp-dmaguard.md
@@ -46,6 +46,8 @@ This policy is intended to provide more security against external DMA capable de
Device memory sandboxing allows the OS to use the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
+This policy requires a system reboot to take effect.
+
This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that can't be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, check the Kernel DMA Protection field in the Summary page of MSINFO32.exe.
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index 1cff7177e4..f2cf4e42d2 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -4,7 +4,7 @@ description: Learn more about the Experience Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 07/06/2023
+ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -107,7 +107,7 @@ Policy change takes effect immediately.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
@@ -840,7 +840,7 @@ This policy allows you to prevent Windows from using diagnostic data to provide
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
@@ -956,7 +956,7 @@ Specifies whether to allow app and content suggestions from third-party software
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md
index 6bf3263e8a..be44e6af68 100644
--- a/windows/client-management/mdm/policy-csp-mixedreality.md
+++ b/windows/client-management/mdm/policy-csp-mixedreality.md
@@ -4,7 +4,7 @@ description: Learn more about the MixedReality Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 05/11/2023
+ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -18,6 +18,8 @@ ms.topic: reference
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
These policies are only supported on [Microsoft HoloLens 2](/hololens/hololens2-hardware). They're not supported on HoloLens (first gen) Development Edition or HoloLens (first gen) Commercial Suite devices.
@@ -538,6 +540,153 @@ Windows Network Connectivity Status Indicator may get a false positive internet-
+
+## EnableStartMenuSingleHandGesture
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/MixedReality/EnableStartMenuSingleHandGesture
+```
+
+
+
+
+This policy setting controls if pinching your thumb and index finger, while looking at the Start icon on your wrist, to open the Start menu is enabled or not.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Don't allow pinching your thumb and index finger, while looking at the Start icon on your wrist, to open the Start menu. |
+| 1 (Default) | Allow pinching your thumb and index finger, while looking at the Start icon on your wrist, to open the Start menu. |
+
+
+
+
+
+
+
+
+
+## EnableStartMenuVoiceCommand
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/MixedReality/EnableStartMenuVoiceCommand
+```
+
+
+
+
+This policy setting controls if using voice commands to open the Start menu is enabled or not.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Using voice commands to open the Start menu is disabled. |
+| 1 (Default) | Using voice commands to open the Start menu is enabled. |
+
+
+
+
+
+
+
+
+
+## EnableStartMenuWristTap
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/MixedReality/EnableStartMenuWristTap
+```
+
+
+
+
+This policy setting controls if tapping the Star icon on your wrist to open the Start menu is enabled or not.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Don't allow tapping the Start icon on your wrist to open the Start menu. |
+| 1 (Default) | Allow tapping the Start icon on your wrist to open the Start menu. |
+
+
+
+
+
+
+
+
## EyeTrackingCalibrationPrompt
@@ -852,6 +1001,153 @@ The following example XML string shows the value to enable this policy:
+
+## PreferLogonAsOtherUser
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/MixedReality/PreferLogonAsOtherUser
+```
+
+
+
+
+This policy configures whether the Sign-In App should prefer showing Other User panel to user.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
+
+
+
+
+
+
+
+
+
+## RequireStartIconHold
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/MixedReality/RequireStartIconHold
+```
+
+
+
+
+This policy setting controls if it's require that the Start icon to be pressed for 2 seconds to open the Start menu.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Don't require the Start icon to be pressed for 2 seconds. |
+| 1 | Require the Start icon to be pressed for 2 seconds. |
+
+
+
+
+
+
+
+
+
+## RequireStartIconVisible
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/MixedReality/RequireStartIconVisible
+```
+
+
+
+
+This policy setting controls if it's required that the Start icon to be looked at when you tap it to open the Start menu.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Don't require the Start icon to be looked at when you tap it. |
+| 1 | Require the Start icon to be looked at when you tap it. |
+
+
+
+
+
+
+
+
## SkipCalibrationDuringSetup
diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md
index d911d882c5..5587e7c36e 100644
--- a/windows/client-management/mdm/policy-csp-networklistmanager.md
+++ b/windows/client-management/mdm/policy-csp-networklistmanager.md
@@ -4,7 +4,7 @@ description: Learn more about the NetworkListManager Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 05/10/2023
+ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -37,7 +37,7 @@ ms.topic: reference
-List of URLs (seperated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated.
+List of URLs (separated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated.
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index 28175d1f22..0fe4605294 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -4,7 +4,7 @@ description: Learn more about the Privacy Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 05/11/2023
+ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -16,6 +16,8 @@ ms.topic: reference
# Policy CSP - Privacy
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
@@ -2934,7 +2936,7 @@ If an app is open when this Group Policy object is applied on a device, employee
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.25000] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview [10.0.25000] |
@@ -2994,7 +2996,7 @@ This policy setting specifies whether Windows apps can access the human presence
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.25000] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview [10.0.25000] |
@@ -3044,7 +3046,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.25000] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview [10.0.25000] |
@@ -3094,7 +3096,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ [10.0.25000] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview [10.0.25000] |
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
index 550fbeae03..1ec7fb4c22 100644
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -4,7 +4,7 @@ description: Learn more about the Search Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 05/11/2023
+ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -1123,7 +1123,7 @@ If enabled, clients will be unable to query this computer's index remotely. Thus
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md
index e4f0dfb401..2fc3142188 100644
--- a/windows/client-management/mdm/policy-csp-security.md
+++ b/windows/client-management/mdm/policy-csp-security.md
@@ -4,7 +4,7 @@ description: Learn more about the Security Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 05/10/2023
+ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -78,7 +78,7 @@ Specifies whether to allow the runtime configuration agent to install provisioni
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
@@ -179,7 +179,7 @@ Specifies whether to allow the runtime configuration agent to remove provisionin
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index a4e21ea68d..0559e8b5ec 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -4,7 +4,7 @@ description: Learn more about the Start Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 05/11/2023
+ms.date: 08/07/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
index 1243feb131..0ecd29cb56 100644
--- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md
+++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
@@ -4,7 +4,7 @@ description: Learn more about the TimeLanguageSettings Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 05/10/2023
+ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -29,7 +29,7 @@ ms.topic: reference
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | ✅ Windows 10, version 1703 [10.0.15063] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1703 [10.0.15063] and later |
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 5796782a5f..9a753d25ea 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 05/11/2023
+ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -25,6 +25,7 @@ ms.topic: reference
Update CSP policies are listed below based on the group policy area:
- [Windows Insider Preview](#windows-insider-preview)
+ - [AllowOptionalContent](#allowoptionalcontent)
- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates)
- [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates)
- [Manage updates offered from Windows Update](#manage-updates-offered-from-windows-update)
@@ -106,6 +107,65 @@ Update CSP policies are listed below based on the group policy area:
## Windows Insider Preview
+
+### AllowOptionalContent
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Update/AllowOptionalContent
+```
+
+
+
+
+This policy enables devices to get offered optional updates and users interact with the 'Get the latest updates as soon as they're available' toggle on the Windows Update Settings page.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Device doesn't receive optional updates. |
+| 1 | Device receives optional updates and user can install from WU Settings page. |
+| 2 | Device receives optional updates and install them as soon as they're available. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | AllowOptionalContent |
+| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat |
+
+
+
+
+
+
+
+
### ConfigureDeadlineNoAutoRebootForFeatureUpdates
@@ -393,6 +453,7 @@ Pause Updates | To prevent Feature Updates from being offered to the device, you
| 16 (Default) | {0x10} - Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted). |
| 32 | 2 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. (*Only applicable to releases prior to 1903, for all releases 1903 and after the Semi-annual Channel and Semi-annual Channel (Targeted) into a single Semi-annual Channel with a value of 16). |
| 64 | {0x40} - Release Preview of Quality Updates Only. |
+| 128 | {0x80} - Canary Channel. |
@@ -2079,41 +2140,8 @@ Note that the default max active hours range is 18 hours from the active hours s
-
-Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.
-
-> [!NOTE]
-> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
-
-This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
-
-2 = Notify before downloading and installing any updates.
-
-When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
-
-3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
-
-Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
-
-4 = Automatically download updates and install them on the schedule specified below.
-
-When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
-
-Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
-
-On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
-
-5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
-
-With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
-
-7 = Notify for install and notify for restart. (Windows Server only)
-
-With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
-
-If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
-
-If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
+
+Enables the IT admin to manage automatic update behavior to scan, download, and install updates. Important. This option should be used only for systems under regulatory compliance, as you won't get security updates as well. If the policy isn't configured, end-users get the default behavior (Auto install and restart).
@@ -2245,41 +2273,8 @@ This policy is accessible through the Update setting in the user interface or Gr
-
-Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.
-
-> [!NOTE]
-> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
-
-This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
-
-2 = Notify before downloading and installing any updates.
-
-When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
-
-3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
-
-Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
-
-4 = Automatically download updates and install them on the schedule specified below.
-
-When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
-
-Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
-
-On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
-
-5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
-
-With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
-
-7 = Notify for install and notify for restart. (Windows Server only)
-
-With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
-
-If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
-
-If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
+
+Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
@@ -2824,41 +2819,8 @@ If you select "Apply only during active hours" in conjunction with Option 1 or 2
-
-Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.
-
-> [!NOTE]
-> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
-
-This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
-
-2 = Notify before downloading and installing any updates.
-
-When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
-
-3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
-
-Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
-
-4 = Automatically download updates and install them on the schedule specified below.
-
-When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
-
-Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
-
-On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
-
-5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
-
-With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
-
-7 = Notify for install and notify for restart. (Windows Server only)
-
-With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
-
-If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
-
-If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
+
+Enables the IT admin to schedule the day of the update installation. The data type is a integer.
@@ -2928,41 +2890,8 @@ If the status is set to Not Configured, use of Automatic Updates isn't specified
-
-Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.
-
-> [!NOTE]
-> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
-
-This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
-
-2 = Notify before downloading and installing any updates.
-
-When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
-
-3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
-
-Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
-
-4 = Automatically download updates and install them on the schedule specified below.
-
-When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
-
-Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
-
-On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
-
-5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
-
-With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
-
-7 = Notify for install and notify for restart. (Windows Server only)
-
-With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
-
-If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
-
-If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
+
+Enables the IT admin to schedule the update installation on the every week. Value type is integer.
@@ -3026,41 +2955,8 @@ If the status is set to Not Configured, use of Automatic Updates isn't specified
-
-Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.
-
-> [!NOTE]
-> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
-
-This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
-
-2 = Notify before downloading and installing any updates.
-
-When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
-
-3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
-
-Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
-
-4 = Automatically download updates and install them on the schedule specified below.
-
-When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
-
-Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
-
-On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
-
-5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
-
-With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
-
-7 = Notify for install and notify for restart. (Windows Server only)
-
-With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
-
-If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
-
-If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
+
+Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer.
@@ -3133,41 +3029,8 @@ These policies are not exclusive and can be used in any combination. Together wi
-
-Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.
-
-> [!NOTE]
-> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
-
-This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
-
-2 = Notify before downloading and installing any updates.
-
-When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
-
-3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
-
-Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
-
-4 = Automatically download updates and install them on the schedule specified below.
-
-When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
-
-Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
-
-On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
-
-5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
-
-With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
-
-7 = Notify for install and notify for restart. (Windows Server only)
-
-With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
-
-If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
-
-If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
+
+Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer.
@@ -3240,41 +3103,8 @@ These policies are not exclusive and can be used in any combination. Together wi
-
-Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.
-
-> [!NOTE]
-> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
-
-This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
-
-2 = Notify before downloading and installing any updates.
-
-When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
-
-3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
-
-Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
-
-4 = Automatically download updates and install them on the schedule specified below.
-
-When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
-
-Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
-
-On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
-
-5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
-
-With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
-
-7 = Notify for install and notify for restart. (Windows Server only)
-
-With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
-
-If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
-
-If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
+
+Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer.
@@ -3347,41 +3177,8 @@ These policies are not exclusive and can be used in any combination. Together wi
-
-Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.
-
-> [!NOTE]
-> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
-
-This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
-
-2 = Notify before downloading and installing any updates.
-
-When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
-
-3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
-
-Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
-
-4 = Automatically download updates and install them on the schedule specified below.
-
-When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
-
-Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
-
-On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
-
-5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
-
-With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
-
-7 = Notify for install and notify for restart. (Windows Server only)
-
-With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
-
-If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
-
-If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
+
+Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer.
@@ -3454,41 +3251,8 @@ These policies are not exclusive and can be used in any combination. Together wi
-
-Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.
-
-> [!NOTE]
-> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
-
-This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
-
-2 = Notify before downloading and installing any updates.
-
-When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
-
-3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
-
-Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
-
-4 = Automatically download updates and install them on the schedule specified below.
-
-When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
-
-Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
-
-On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
-
-5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
-
-With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
-
-7 = Notify for install and notify for restart. (Windows Server only)
-
-With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
-
-If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
-
-If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
+
+ the IT admin to schedule the time of the update installation. The data type is a integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3.
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index ff0324acd3..d9b5c73c0f 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the VPNv2 CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 07/06/2023
+ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -1792,7 +1792,7 @@ Web Proxy Server IP address if you are redirecting traffic through your intranet
-Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
+Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
@@ -3119,7 +3119,7 @@ Type of routing policy.
-Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com.
+Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com.
@@ -6032,7 +6032,7 @@ Web Proxy Server IP address if you are redirecting traffic through your intranet
-Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
+Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
@@ -7359,7 +7359,7 @@ Type of routing policy.
-Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com.
+Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com.
diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md
index 60dd258bf1..3b74e77e11 100644
--- a/windows/client-management/mdm/windowslicensing-csp.md
+++ b/windows/client-management/mdm/windowslicensing-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the WindowsLicensing CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 05/10/2023
+ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -16,6 +16,8 @@ ms.topic: reference
# WindowsLicensing CSP
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
The WindowsLicensing configuration service provider is designed for licensing related management scenarios.
@@ -161,7 +163,7 @@ Returns TRUE if the entered product key can be used for an edition upgrade of Wi
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE | ✅ Windows 11, version 21H2 [10.0.22000.1165] and later
✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -200,7 +202,7 @@ Device Based Subscription.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE | ✅ Windows 11, version 21H2 [10.0.22000.1165] and later
✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -239,7 +241,7 @@ Returns the last error code of Refresh/Remove Device License operation. Value wo
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE | ✅ Windows 11, version 21H2 [10.0.22000.1165] and later
✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -278,7 +280,7 @@ Returns last error description from Device Licensing. Value would be empty, if e
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE | ✅ Windows 11, version 21H2 [10.0.22000.1165] and later
✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -317,7 +319,7 @@ Returns the status of Refresh/Remove Device License operation.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE | ✅ Windows 11, version 21H2 [10.0.22000.1165] and later
✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -795,7 +797,7 @@ This setting is only applicable to devices available in S mode.
-Returns the status of an edition upgrade on Windows 10 desktop and mobile devices. Status: 0 = Failed, 1 = Pending, 2 = In progress, 3 = Completed, 4 = Unknown.
+Returns the status of an edition upgrade on Windows 10 desktop and mobile devices. Status: 0 = Failed, 1 = Pending, 2 = In progress, 3 = Completed, 4 = Unknown.
@@ -997,7 +999,7 @@ Returns the status of the subscription.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE | ✅ Windows Insider Preview |
@@ -1045,7 +1047,7 @@ Disable or Enable subscription activation on a device.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE | ✅ Windows Insider Preview |
@@ -1084,7 +1086,7 @@ Remove subscription uninstall subscription license. It also reset subscription t
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE | ✅ Windows Insider Preview |
@@ -1123,7 +1125,7 @@ Error code of last subscription operation. Value would be empty(0) in absence of
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE | ✅ Windows Insider Preview |
@@ -1162,7 +1164,7 @@ Error description of last subscription operation. Value would be empty, if error
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE | ✅ Windows Insider Preview |
@@ -1201,7 +1203,7 @@ Status of last subscription operation.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE | ✅ Windows Insider Preview |
diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md
index 97d6ff5d83..2fc871423e 100644
--- a/windows/client-management/mdm/windowslicensing-ddf-file.md
+++ b/windows/client-management/mdm/windowslicensing-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 06/02/2023
+ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -342,6 +342,10 @@ The following XML file contains the device description framework (DDF) for the W
+
+ 99.9.99999
+ 9.9
+
0
@@ -373,6 +377,10 @@ The following XML file contains the device description framework (DDF) for the W
+
+ 99.9.99999
+ 9.9
+
@@ -394,6 +402,10 @@ The following XML file contains the device description framework (DDF) for the W
+
+ 99.9.99999
+ 9.9
+
@@ -415,6 +427,10 @@ The following XML file contains the device description framework (DDF) for the W
+
+ 99.9.99999
+ 9.9
+
@@ -436,6 +452,10 @@ The following XML file contains the device description framework (DDF) for the W
+
+ 99.9.99999
+ 9.9
+
0
@@ -467,6 +487,10 @@ The following XML file contains the device description framework (DDF) for the W
+
+ 99.9.99999
+ 9.9
+
@@ -600,7 +624,7 @@ The following XML file contains the device description framework (DDF) for the W
- 10.0.22621
+ 10.0.22621, 10.0.22000.1165
1.4
diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md
index da09d3e2d2..ddb2f0861d 100644
--- a/windows/deployment/update/wufb-reports-do.md
+++ b/windows/deployment/update/wufb-reports-do.md
@@ -95,7 +95,7 @@ Each calculated values used in the Delivery Optimization report are listed below
In the **Efficiency By Group** subsection, the **GroupID** is displayed as an encoded SHA256 hash. You can create a mapping of original to encoded GroupIDs using the following PowerShell example:
```powershell
-$text = "" ;
+$text = "`0" ; # The `0 null terminator is required
$hashObj = [System.Security.Cryptography.HashAlgorithm]::Create('sha256') ; $dig = $hashObj.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($text)) ; $digB64 = [System.Convert]::ToBase64String($dig) ; Write-Host "$text ==> $digB64"
```
diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml
index c4991dd0ed..ad017e7f92 100644
--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@@ -76,7 +76,7 @@
href: operate/windows-autopatch-edge.md
- name: Microsoft Teams
href: operate/windows-autopatch-teams.md
- - name: Windows quality and feature update reports
+ - name: Windows quality and feature update reports overview
href: operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
items:
- name: Windows quality update reports
@@ -107,8 +107,8 @@
href: operate/windows-autopatch-manage-driver-and-firmware-updates.md
- name: Submit a support request
href: operate/windows-autopatch-support-request.md
- - name: Deregister a device
- href: operate/windows-autopatch-deregister-devices.md
+ - name: Exclude a device
+ href: operate/windows-autopatch-exclude-device.md
- name: Unenroll your tenant
href: operate/windows-autopatch-unenroll-tenant.md
- name: References
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md
deleted file mode 100644
index fa0d5b2cae..0000000000
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-title: Deregister a device
-description: This article explains how to deregister devices
-ms.date: 06/15/2022
-ms.prod: windows-client
-ms.technology: itpro-updates
-ms.topic: how-to
-ms.localizationpriority: medium
-author: tiaraquan
-ms.author: tiaraquan
-manager: dougeby
-ms.reviewer: andredm7
-ms.collection:
- - tier2
----
-
-# Deregister a device
-
-To avoid end-user disruption, device deregistration in Windows Autopatch only deletes the Windows Autopatch device record itself. Device deregistration can't delete Microsoft Intune and/or the Azure Active Directory device records. Microsoft assumes you'll keep managing those devices yourself in some capacity.
-
-**To deregister a device:**
-
-1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Select **Windows Autopatch** in the left navigation menu.
-1. Select **Devices**.
-1. In either **Ready** or **Not ready** tab, select the device(s) you want to deregister.
-1. Once a device or multiple devices are selected, select **Device actions**, then select **Deregister device**.
-
-> [!WARNING]
-> Removing devices from the Windows Autopatch Device Registration Azure AD group doesn't deregister devices from the Windows Autopatch service.
-
-## Excluded devices
-
-When you deregister a device from the Windows Autopatch service, the device is flagged as "excluded" so Windows Autopatch doesn't try to reregister the device into the service again, since the deregistration command doesn't trigger device membership removal from the **Windows Autopatch Device Registration** Azure Active Directory group.
-
-> [!IMPORTANT]
-> The Azure AD team doesn't recommend appending query statements to remove specific device from a dynamic query due to dynamic query performance issues.
-
-If you want to reregister a device that was previously deregistered from Windows Autopatch, you must [submit a support request](../operate/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team to request the removal of the "excluded" flag set during the deregistration process. After the Windows Autopatch Service Engineering Team removes the flag, you can reregister a device or a group of devices.
-
-## Hiding unregistered devices
-
-You can hide unregistered devices you don't expect to be remediated anytime soon.
-
-**To hide unregistered devices:**
-
-1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Select **Windows Autopatch** in the left navigation menu.
-1. Select **Devices**.
-1. In the **Not ready** tab, select an unregistered device or a group of unregistered devices you want to hide then select **Status == All**.
-1. Unselect the **Registration failed** status checkbox from the list.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md
new file mode 100644
index 0000000000..e3b0793469
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md
@@ -0,0 +1,56 @@
+---
+title: Exclude a device
+description: This article explains how to exclude a device from the Windows Autopatch service
+ms.date: 08/08/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: andredm7
+ms.collection:
+ - tier2
+---
+
+# Exclude a device
+
+To avoid end-user disruption, excluding a device in Windows Autopatch only deletes the Windows Autopatch device record itself. Excluding a device can't delete the Microsoft Intune and/or the Azure Active Directory device records. Microsoft assumes you'll keep managing those devices yourself in some capacity.
+
+When you exclude a device from the Windows Autopatch service, the device is flagged as **excluded** so Windows Autopatch doesn't try to restore the device into the service again, since the exclusion command doesn't trigger device membership removal from the **Windows Autopatch Device Registration** group, or any other Azure AD group, used with Autopatch groups.
+
+> [!IMPORTANT]
+> The Azure AD team doesn't recommend appending query statements to remove specific device from a dynamic query due to dynamic query performance issues.
+
+**To exclude a device:**
+
+1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Windows Autopatch** in the left navigation menu.
+1. Select **Devices**.
+1. In either the **Ready** or **Not ready** tab, select the device(s) you want to exclude.
+1. Once a device or multiple devices are selected, select **Device actions**. Then, select **Exclude device**.
+
+> [!WARNING]
+> Excluding devices from the Windows Autopatch Device Registration group, or any other Azure AD group, used with Autopatch groups doesn't exclude devices from the Windows Autopatch service.
+
+## Only view excluded devices
+
+You can view the excluded devices in the **Not registered** tab to make it easier for you to bulk restore devices that were previously excluded from the Windows Autopatch service.
+
+**To view only excluded devices:**
+
+1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Windows Autopatch** in the left navigation menu.
+1. Select **Devices**.
+1. In the **Not registered** tab, select **Excluded** from the filter list. Leave all other filter options unselected.
+
+## Restore a device or multiple devices previously excluded
+
+**To restore a device or multiple devices previously excluded:**
+
+1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Windows Autopatch** in the left navigation menu.
+1. Select **Devices**.
+1. In the **Not registered** tab, select the device(s) you want to restore.
+1. Once a device or multiple devices are selected, select **Device actions**. Then, select **Restore device**.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
index aca5a1a456..880f821953 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
@@ -21,9 +21,10 @@ ms.collection:
The Windows quality reports provide you with information about:
-Quality update device readiness
-Device update health
-Device update alerts
+- Quality update device readiness
+- Device update health
+- Device update alerts
+
Together, these reports provide insight into the quality update state and compliance of Windows devices that are enrolled into Windows Autopatch.
The Windows quality report types are organized into the following focus areas:
@@ -106,4 +107,4 @@ Within each 24-hour reporting period, devices that are Not Ready are reevaluated
## Data export
-Select **Export devices** to export data for each report type. Only selected columns will be exported.
+Select **Export devices** to export data for each report type. Only selected columns are exported.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
index 1269f66d0f..ecc8f356a9 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
@@ -1,7 +1,7 @@
---
title: Unenroll your tenant
description: This article explains what unenrollment means for your organization and what actions you must take.
-ms.date: 07/27/2022
+ms.date: 08/08/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
@@ -25,7 +25,7 @@ If you're looking to unenroll your tenant from Windows Autopatch, this article d
Unenrolling from Windows Autopatch requires manual actions from both you and from the Windows Autopatch Service Engineering Team. The Windows Autopatch Service Engineering Team will:
- Remove Windows Autopatch access to your tenant.
-- Deregister your devices from the Windows Autopatch service. Deregistering your devices from Windows Autopatch won't remove your devices from Intune, Azure AD or Configuration Manager. The Windows Autopatch Service Engineering Team follows the same process and principles as laid out in [Deregister a device](/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices).
+- Exclude your devices from the Windows Autopatch service. Excluding your devices from Windows Autopatch won't remove your devices from Intune, Azure AD or Configuration Manager. The Windows Autopatch Service Engineering Team follows the same process and principles as laid out in [Exclude a device](../operate/windows-autopatch-exclude-device.md).
- Delete all data that we've stored in the Windows Autopatch data storage.
> [!NOTE]
@@ -36,7 +36,7 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro
| Responsibility | Description |
| ----- | ----- |
| Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We won’t make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../overview/windows-autopatch-privacy.md). |
-| Deregistering devices | Windows Autopatch will deregister all devices previously registered with the service. Only the Windows Autopatch device record will be deleted. We won't delete Microsoft Intune and/or Azure Active Directory device records. For more information, see [Deregister a device](/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices). |
+| Excluding devices | Windows Autopatch will exclude all devices previously registered with the service. Only the Windows Autopatch device record is deleted. We won't delete Microsoft Intune and/or Azure Active Directory device records. For more information, see [Exclude a device](../operate/windows-autopatch-exclude-device.md). |
## Your responsibilities after unenrolling your tenant
@@ -50,10 +50,10 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro
**To unenroll from Windows Autopatch:**
-1. [Submit a support request](windows-autopatch-support-request.md) and request to unenroll from the Windows Autopatch service.
-1. The Windows Autopatch Service Engineering Team will communicate with your IT Administrator to confirm your intent to unenroll from the service.
- 1. You'll have 14 days to review and confirm the communication sent by the Windows Autopatch Service Engineering Team.
+1. [Submit a support request](../operate/windows-autopatch-support-request.md) and request to unenroll from the Windows Autopatch service.
+1. The Windows Autopatch Service Engineering Team communicates with your IT Administrator to confirm your intent to unenroll from the service.
+ 1. You have 14 days to review and confirm the communication sent by the Windows Autopatch Service Engineering Team.
2. The Windows Autopatch Service Engineering Team can proceed sooner than 14 days if your confirmation arrives sooner.
-1. The Windows Autopatch Service Engineering Team will proceed with the removal of all items listed under [Microsoft's responsibilities during unenrollment](#microsofts-responsibilities-during-unenrollment).
-1. The Windows Autopatch Service Engineering Team will inform you when unenrollment is complete.
+1. The Windows Autopatch Service Engineering Team proceeds with the removal of all items listed under [Microsoft's responsibilities during unenrollment](#microsofts-responsibilities-during-unenrollment).
+1. The Windows Autopatch Service Engineering Team informs you when unenrollment is complete.
1. You’re responsible for the items listed under [Your responsibilities after unenrolling your tenant](#your-responsibilities-after-unenrolling-your-tenant).
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
index a071f7e68d..62ac288ad4 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
@@ -1,7 +1,7 @@
---
title: What is Windows Autopatch?
description: Details what the service is and shortcuts to articles.
-ms.date: 07/11/2023
+ms.date: 08/08/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
@@ -64,7 +64,7 @@ Microsoft remains committed to the security of your data and the [accessibility]
| ----- | ----- |
| Prepare | The following articles describe the mandatory steps to prepare and enroll your tenant into Windows Autopatch:- [Prerequisites](../prepare/windows-autopatch-prerequisites.md)
- [Configure your network](../prepare/windows-autopatch-configure-network.md)
- [Enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md)
- [Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md)
- [Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md)
|
| Deploy | Once you've enrolled your tenant, this section instructs you to:- [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)
- [Register your devices](../deploy/windows-autopatch-register-devices.md)
- [Manage Windows Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md)
|
-| Operate | This section includes the following information about your day-to-day life with the service:- [Update management](../operate/windows-autopatch-groups-update-management.md)
- [Windows quality and feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md)
- [Maintain your Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md)
- [Submit a support request](../operate/windows-autopatch-support-request.md)
- [Deregister a device](../operate/windows-autopatch-deregister-devices.md)
+| Operate | This section includes the following information about your day-to-day life with the service:- [Update management](../operate/windows-autopatch-groups-update-management.md)
- [Windows quality and feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md)
- [Maintain your Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md)
- [Submit a support request](../operate/windows-autopatch-support-request.md)
- [Exclude a device](../operate/windows-autopatch-exclude-device.md)
| References | This section includes the following articles:- [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md)
- [Windows update policies](../references/windows-autopatch-windows-update-unsupported-policies.md)
- [Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md)
|
### Have feedback or would like to start a discussion?
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
index 816790a4c7..1a0e660f16 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
@@ -1,7 +1,7 @@
---
title: Roles and responsibilities
description: This article describes the roles and responsibilities provided by Windows Autopatch and what the customer must do
-ms.date: 07/31/2023
+ms.date: 08/08/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
@@ -86,10 +86,10 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
| Maintain existing configurations- Remove your devices from existing and unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies
| :heavy_check_mark: | :x: |
| Understand the health of [Up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices and investigate devices that are- [Not up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices)
- [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-ready-devices)
- have [Device alerts](../operate/windows-autopatch-device-alerts.md)
| [Raise, manage and resolve a service incident if an update management area isn't meeting the service level objective](windows-autopatch-overview.md#update-management) | :x: | :heavy_check_mark: |
-| [Deregister devices](../operate/windows-autopatch-deregister-devices.md) | :heavy_check_mark: | :x: |
-| [Register a device that was previously deregistered (upon customers request)](../operate/windows-autopatch-deregister-devices.md#excluded-devices) | :x: | :heavy_check_mark: |
+| [Exclude a device](../operate/windows-autopatch-exclude-device.md) | :heavy_check_mark: | :x: |
+| [Register a device that was previously excluded (upon customers request)](../operate/windows-autopatch-exclude-device.md) | :x: | :heavy_check_mark: |
| [Request unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md) | :heavy_check_mark: | :x: |
-| [Remove Windows Autopatch data from the service and deregister devices](../operate/windows-autopatch-unenroll-tenant.md#microsofts-responsibilities-during-unenrollment) | :x: | :heavy_check_mark: |
+| [Remove Windows Autopatch data from the service and exclude devices](../operate/windows-autopatch-unenroll-tenant.md#microsofts-responsibilities-during-unenrollment) | :x: | :heavy_check_mark: |
| [Maintain update configuration & update devices post unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md#your-responsibilities-after-unenrolling-your-tenant) | :heavy_check_mark: | :x: |
| Review and respond to Message Center and Service Health Dashboard notifications- [Windows quality update communications](../operate/windows-autopatch-groups-windows-quality-update-communications.md)
- [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)
| :heavy_check_mark: | :x: |
| Highlight Windows Autopatch management alerts that require customer action- [Tenant management alerts](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions)
- [Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md)
| :x: | :heavy_check_mark: |
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index dbeb0cc232..30b2c45a91 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -1,7 +1,7 @@
---
title: What's new 2023
description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
-ms.date: 08/01/2023
+ms.date: 08/08/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: whats-new
@@ -27,6 +27,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| Article | Description |
| ----- | ----- |
+| [Exclude a device](../operate/windows-autopatch-exclude-device.md) | Renamed Deregister a device to [Exclude a device](../operate/windows-autopatch-exclude-device.md). Added the [Restore device](../operate/windows-autopatch-exclude-device.md#restore-a-device-or-multiple-devices-previously-excluded) feature |
| [Device alerts](../operate/windows-autopatch-device-alerts.md) | Added `'InstallSetupBlock'` to the [Alert resolutions section](../operate/windows-autopatch-device-alerts.md#alert-resolutions) |
## July 2023
diff --git a/windows/hub/breadcrumb/toc.yml b/windows/hub/breadcrumb/toc.yml
index 66795447f6..b8fb1254fb 100644
--- a/windows/hub/breadcrumb/toc.yml
+++ b/windows/hub/breadcrumb/toc.yml
@@ -37,29 +37,31 @@ items:
tocHref: /windows/security/
topicHref: /windows/security/
items:
+ - name: Hardware security
+ tocHref: /windows/security/hardware-security/
+ topicHref: /windows/security/hardware-security/
+ - name: Operating system security
+ tocHref: /windows/security/operating-system-security/
+ topicHref: /windows/security/operating-system-security/
- name: Identity protection
tocHref: /windows/security/identity-protection/
topicHref: /windows/security/identity-protection/
+ - name: Application security
+ tocHref: /windows/security/application-security/
+ topicHref: /windows/security/application-security/
items:
- - name: Windows Hello for Business
- tocHref: /windows/security/identity-protection/hello-for-business/
- topicHref: /windows/security/identity-protection/hello-for-business
+ - name: Application Control for Windows
+ tocHref: /windows/security/application-security/application-control/windows-defender-application-control/
+ topicHref: /windows/security/application-security/application-control/windows-defender-application-control/
+ - name: Microsoft Defender Application Guard
+ tocHref: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/
+ topicHref: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview
+ - name: Security foundations
+ tocHref: /windows/security/security-foundations/
+ topicHref: /windows/security/security-foundations/
- name: Security auditing
tocHref: /windows/security/threat-protection/auditing/
topicHref: /windows/security/threat-protection/auditing/security-auditing-overview
- - name: Microsoft Defender Application Guard
- tocHref: /windows/security/threat-protection/microsoft-defender-application-guard/
- topicHref: /windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview
- name: Security policy settings
tocHref: /windows/security/threat-protection/security-policy-settings/
- topicHref: /windows/security/threat-protection/security-policy-settings/security-policy-settings
- - name: Application Control for Windows
- tocHref: /windows/security/threat-protection/windows-defender-application-control/
- topicHref: /windows/security/threat-protection/windows-defender-application-control/
- - name: OS
- tocHref: /windows/security/operating-system-security/
- topicHref: /windows/security/operating-system-security/
- - name: Windows Defender Firewall
- tocHref: /windows/security/operating-system-security/network-security/windows-firewall/
- topicHref: /windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security
-
+ topicHref: /windows/security/threat-protection/security-policy-settings/security-policy-settings
\ No newline at end of file
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md b/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md
index fd3133539a..7bc080da18 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md
@@ -32,7 +32,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **3 Enabled:Audit Mode (Default)** | Instructs WDAC to log information about applications, binaries, and scripts that would have been blocked, if the policy was enforced. You can use this option to identify the potential impact of your WDAC policy, and use the audit events to refine the policy before enforcement. To enforce a WDAC policy, delete this option. | No |
| **4 Disabled:Flight Signing** | If enabled, binaries from Windows Insider builds aren't trusted. This option is useful for organizations that only want to run released binaries, not prerelease Windows builds. | No |
| **5 Enabled:Inherit Default Policy** | This option is reserved for future use and currently has no effect. | Yes |
-| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and any supplemental policies must also be signed. The certificates that are trusted for future policy updates must be identified in the UpdatePolicySigners section. Certificates that are trusted for supplemental policies must be identified in the SupplementalPolicySigners section. | Yes |
+| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and any supplemental policies must also be signed. The certificates that are trusted for future policy updates must be identified in the UpdatePolicySigners section. Certificates that are trusted for supplemental policies must be identified in the SupplementalPolicySigners section. | No |
| **7 Allowed:Debug Policy Augmented** | This option isn't currently supported. | Yes |
| **8 Required:EV Signers** | This option isn't currently supported. | No |
| **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. | No |
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index a2c64c37a0..101a50568b 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -1,11 +1,8 @@
---
-ms.date: 12/05/2022
+ms.date: 08/03/2023
title: Local Accounts
description: Learn how to secure and manage access to the resources on a standalone or member server for services or users.
ms.topic: conceptual
-ms.collection:
- - highpri
- - tier2
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -20,7 +17,7 @@ This article describes the default local user accounts for Windows operating sys
## About local user accounts
-Local user accounts are stored locally on the device. These accounts can be assigned rights and permissions on a particular device, but on that device only. Local user accounts are security principals that are used to secure and manage access to the resources on a device, for services or users.
+Local user accounts are defined locally on a device, and can be assigned rights and permissions on the device only. Local user accounts are security principals that are used to secure and manage access to the resources on a device, for services or users.
## Default local user accounts
@@ -30,9 +27,7 @@ Default local user accounts are used to manage access to the local device's reso
Default local user accounts are described in the following sections. Expand each section for more information.
-
-
-Administrator
+### Administrator
The default local Administrator account is a user account for system administration. Every computer has an Administrator account (SID S-1-5-*domain*-500, display name Administrator). The Administrator account is the first account that is created during the Windows installation.
@@ -44,13 +39,13 @@ Windows setup disables the built-in Administrator account and creates another lo
Members of the Administrators groups can run apps with elevated permissions without using the *Run as Administrator* option. Fast User Switching is more secure than using `runas` or different-user elevation.
-**Account group membership**
+#### Account group membership
By default, the Administrator account is a member of the Administrators group. It's a best practice to limit the number of users in the Administrators group because members of the Administrators group have Full Control permissions on the device.
The Administrator account can't be removed from the Administrators group.
-**Security considerations**
+#### Security considerations
Because the Administrator account is known to exist on many versions of the Windows operating system, it's a best practice to disable the Administrator account when possible to make it more difficult for malicious users to gain access to the server or client computer.
@@ -61,51 +56,42 @@ As a security best practice, use your local (non-Administrator) account to sign
Group Policy can be used to control the use of the local Administrators group automatically. For more information about Group Policy, see [Group Policy Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831791(v=ws.11)).
> [!IMPORTANT]
->
-> - Blank passwords are not allowed.
>
-> - Even when the Administrator account has been disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it is disabled.
+> - Blank passwords are not allowed
+> - Even when the Administrator account is disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it's disabled.
-
-
-
-Guest
+### Guest
The Guest account lets occasional or one-time users, who don't have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account is disabled and has a blank password. Since the Guest account can provide anonymous access, it's considered a security risk. For this reason, it's a best practice to leave the Guest account disabled, unless its use is necessary.
-**Account group membership**
+#### Guest account group membership
-By default, the Guest account is the only member of the default Guests group (SID S-1-5-32-546), which lets a user sign in to a device.
+By default, the Guest account is the only member of the default Guests group `SID S-1-5-32-546`, which lets a user sign in to a device.
-**Security considerations**
+#### Guest account security considerations
When enabling the Guest account, only grant limited rights and permissions. For security reasons, the Guest account shouldn't be used over the network and made accessible to other computers.
In addition, the guest user in the Guest account shouldn't be able to view the event logs. After the Guest account is enabled, it's a best practice to monitor the Guest account frequently to ensure that other users can't use services and other resources. This includes resources that were unintentionally left available by a previous user.
-
-
-
-
-HelpAssistant
+### HelpAssistant
The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending.
HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it's initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the user's invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service.
-**Security considerations**
+#### HelpAssistant account security considerations
The SIDs that pertain to the default HelpAssistant account include:
-- SID: `S-1-5--13`, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note: In Windows Server 2008, Remote Desktop Services is called Terminal Services.
-
-- SID: `S-1-5--14`, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
+- SID: `S-1-5--13`, display name *Terminal Server User*. This group includes all users who sign in to a server with Remote Desktop Services enabled.
+- SID: `S-1-5--14`, display name *Remote Interactive Logon*. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
For the Windows Server operating system, Remote Assistance is an optional component that isn't installed by default. You must install Remote Assistance before it can be used.
For details about the HelpAssistant account attributes, see the following table.
-**HelpAssistant account attributes**
+#### HelpAssistant account attributes
|Attribute|Value|
|--- |--- |
@@ -118,15 +104,11 @@ For details about the HelpAssistant account attributes, see the following table.
|Safe to move out of default container?|Can be moved out, but we don't recommend it.|
|Safe to delegate management of this group to non-Service admins?|No|
-
-
-
-
-DefaultAccount
+### DefaultAccount
The DefaultAccount account, also known as the Default System Managed Account (DSMA), is a well-known user account type. DefaultAccount can be used to run processes that are either multi-user aware or user-agnostic.
-The DSMA is disabled by default on the desktop SKUs and on the Server operating systems with the desktop experience.
+The DSMA is disabled by default on the desktop editions and on the Server operating systems with the desktop experience.
The DSMA has a well-known RID of `503`. The security identifier (SID) of the DSMA will thus have a well-known SID in the following format: `S-1-5-21-\-503`.
@@ -135,19 +117,20 @@ The DSMA is a member of the well-known group **System Managed Accounts Group**,
The DSMA alias can be granted access to resources during offline staging even before the account itself has been created. The account and the group are created during first boot of the machine within the Security Accounts Manager (SAM).
#### How Windows uses the DefaultAccount
-From a permission perspective, the DefaultAccount is a standard user account.
-The DefaultAccount is needed to run multi-user-manifested-apps (MUMA apps).
-MUMA apps run all the time and react to users signing in and signing out of the devices.
-Unlike Windows Desktop where apps run in context of the user and get terminated when the user signs off, MUMA apps run by using the DSMA.
-MUMA apps are functional in shared session SKUs such as Xbox. For example, Xbox shell is a MUMA app.
-Today, Xbox automatically signs in as Guest account and all apps run in this context.
-All the apps are multi-user-aware and respond to events fired by user manager.
+From a permission perspective, the DefaultAccount is a standard user account.
+The DefaultAccount is needed to run multi-user-manifested-apps (MUMA apps).
+MUMA apps run all the time and react to users signing in and signing out of the devices.
+Unlike Windows Desktop where apps run in context of the user and get terminated when the user signs off, MUMA apps run by using the DSMA.
+
+MUMA apps are functional in shared session SKUs such as Xbox. For example, Xbox shell is a MUMA app.
+Today, Xbox automatically signs in as Guest account and all apps run in this context.
+All the apps are multi-user-aware and respond to events fired by user manager.
The apps run as the Guest account.
-Similarly, Phone auto logs in as a *DefApps* account, which is akin to the standard user account in Windows but with a few extra privileges. Brokers, some services and apps run as this account.
+Similarly, Phone auto logs in as a *DefApps* account, which is akin to the standard user account in Windows but with a few extra privileges. Brokers, some services and apps run as this account.
-In the converged user model, the multi-user-aware apps and multi-user-aware brokers will need to run in a context different from that of the users.
+In the converged user model, the multi-user-aware apps and multi-user-aware brokers will need to run in a context different from that of the users.
For this purpose, the system creates DSMA.
#### How the DefaultAccount gets created on domain controllers
@@ -158,35 +141,25 @@ If the domain was created with domain controllers running an earlier version of
#### Recommendations for managing the Default Account (DSMA)
Microsoft doesn't recommend changing the default configuration, where the account is disabled. There's no security risk with having the account in the disabled state. Changing the default configuration could hinder future scenarios that rely on this account.
-
## Default local system accounts
-
-
-SYSTEM
+### SYSTEM
-
-The *SYSTEM* account is used by the operating system and by services running under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The SYSTEM account was designed for that purpose, and Windows manages the SYSTEM account's user rights. It's an internal account that doesn't show up in User Manager, and it can't be added to any groups.
+The *SYSTEM* account is used by the operating system and by services running under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The SYSTEM account was designed for that purpose, and Windows manages the SYSTEM account's user rights. It's an internal account that doesn't show up in User Manager, and it can't be added to any groups.
On the other hand, the SYSTEM account does appear on an NTFS file system volume in File Manager in the **Permissions** portion of the **Security** menu. By default, the SYSTEM account is granted Full Control permissions to all files on an NTFS volume. Here the SYSTEM account has the same functional rights and permissions as the Administrator account.
> [!NOTE]
> To grant the account Administrators group file permissions does not implicitly give permission to the SYSTEM account. The SYSTEM account's permissions can be removed from a file, but we do not recommend removing them.
-
-
-
-NETWORK SERVICE
+### NETWORK SERVICE
-The NETWORK SERVICE account is a predefined local account used by the service control manager (SCM). A service that runs in the context of the NETWORK SERVICE account presents the computer's credentials to remote servers. For more information, see [NetworkService Account](/windows/desktop/services/networkservice-account).
-
-
-
-LOCAL SERVICE
+The *NETWORK SERVICE* account is a predefined local account used by the service control manager (SCM). A service that runs in the context of the NETWORK SERVICE account presents the computer's credentials to remote servers. For more information, see [NetworkService Account](/windows/desktop/services/networkservice-account).
-The LOCAL SERVICE account is a predefined local account used by the service control manager. It has minimum privileges on the local computer and presents anonymous credentials on the network. For more information, see [LocalService Account](/windows/desktop/services/localservice-account).
-
+### LOCAL SERVICE
+
+The *LOCAL SERVICE* account is a predefined local account used by the service control manager. It has minimum privileges on the local computer and presents anonymous credentials on the network. For more information, see [LocalService Account](/windows/desktop/services/localservice-account).
## How to manage local user accounts
@@ -203,17 +176,15 @@ You can also manage local users by using NET.EXE USER and manage local groups by
### Restrict and protect local accounts with administrative rights
-An administrator can use many approaches to prevent malicious users from using stolen credentials such as a stolen password or password hash, for a local account on one computer from being used to authenticate on another computer with administrative rights. This is also called "lateral movement".
+An administrator can use many approaches to prevent malicious users from using stolen credentials such as a stolen password or password hash, for a local account on one computer from being used to authenticate on another computer with administrative rights. This is also called *lateral movement*.
The simplest approach is to sign in to your computer with a standard user account, instead of using the Administrator account for tasks. For example, use a standard account to browse the Internet, send email, or use a word processor. When you want to perform administrative tasks such as installing a new program or changing a setting that affects other users, you don't have to switch to an Administrator account. You can use User Account Control (UAC) to prompt you for permission or an administrator password before performing the task, as described in the next section.
The other approaches that can be used to restrict and protect user accounts with administrative rights include:
-- Enforce local account restrictions for remote access.
-
-- Deny network logon to all local Administrator accounts.
-
-- Create unique passwords for local accounts with administrative rights.
+- Enforce local account restrictions for remote access
+- Deny network logon to all local Administrator accounts
+- Create unique passwords for local accounts with administrative rights
Each of these approaches is described in the following sections.
@@ -224,7 +195,7 @@ Each of these approaches is described in the following sections.
User Account Control (UAC) is a security feature that informs you when a program makes a change that requires administrative permissions. UAC works by adjusting the permission level of your user account. By default, UAC is set to notify you when applications try to make changes to your computer, but you can change when UAC notifies you.
-UAC makes it possible for an account with administrative rights to be treated as a standard user non-administrator account until full rights, also called elevation, is requested and approved. For example, UAC lets an administrator enter credentials during a non-administrator's user session to perform occasional administrative tasks without having to switch users, sign out, or use the **Run as** command.
+UAC makes it possible for an account with administrative rights to be treated as a standard user non-administrator account until full rights, also called elevation, is requested and approved. For example, UAC lets an administrator enter credentials during a non-administrator's user session to perform occasional administrative tasks without having to switch users, sign out, or use the *Run as* command.
In addition, UAC can require administrators to specifically approve applications that make system-wide changes before those applications are granted permission to run, even in the administrator's user session.
@@ -234,8 +205,6 @@ For more information about UAC, see [User Account Control](/windows/access-prote
The following table shows the Group Policy and registry settings that are used to enforce local account restrictions for remote access.
-
-
|No.|Setting|Detailed Description|
|--- |--- |--- |
||Policy location|Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options|
@@ -251,7 +220,7 @@ The following table shows the Group Policy and registry settings that are used t
> [!NOTE]
> You can also enforce the default for LocalAccountTokenFilterPolicy by using the custom ADMX in Security Templates.
-
+
#### To enforce local account restrictions for remote access
1. Start the **Group Policy Management** Console (GPMC)
@@ -286,6 +255,7 @@ The following table shows the Group Policy and registry settings that are used t
1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy
1. Create links to all other OUs that contain workstations
1. Create links to all other OUs that contain servers
+
### Deny network logon to all local Administrator accounts
Denying local accounts the ability to perform network logons can help prevent a local account password hash from being reused in a malicious attack. This procedure helps to prevent lateral movement by ensuring that stolen credentials for local accounts from a compromised operating system can't be used to compromise other computers that use the same credentials.
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml
index cfcd88f924..04b493aa73 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@@ -8,7 +8,7 @@ metadata:
- highpri
- tier1
ms.topic: faq
- ms.date: 03/09/2023
+ ms.date: 08/03/2023
title: Common questions about Windows Hello for Business
summary: Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows Hello for Business.
diff --git a/windows/security/includes/sections/security-foundations.md b/windows/security/includes/sections/security-foundations.md
index 23533d333f..6cbeb13816 100644
--- a/windows/security/includes/sections/security-foundations.md
+++ b/windows/security/includes/sections/security-foundations.md
@@ -9,9 +9,9 @@ ms.topic: include
| Feature name | Description |
|:---|:---|
-| **Microsoft Security Development Lifecycle (SDL)** | The Microsoft Security Development Lifecycle (SDL) introduces security best practices, tools, and processes throughout all phases of engineering and development. |
-| **OneFuzz service** | A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code has been released. |
-| **[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)** | As part of our secure development process, the Microsoft Windows Insider Preview bounty program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel. The goal of the Windows Insider Preview bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.
Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities that were not previously found during development and quicky fix the issues before releasing the final Windows. |
+| **[Microsoft Security Development Lifecycle (SDL)](/windows/security/security-foundations/msft-security-dev-lifecycle)** | The Microsoft Security Development Lifecycle (SDL) introduces security best practices, tools, and processes throughout all phases of engineering and development. |
+| **[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)** | A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code has been released. |
+| **[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)** | As part of our secure development process, the Microsoft Windows Insider Preview bounty program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel. The goal of the Windows Insider Preview bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.
Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities that were not previously found during development and quickly fix the issues before releasing the final Windows. |
## Certification
diff --git a/windows/security/index.yml b/windows/security/index.yml
index 393a49b66b..e49166e1ef 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -1,162 +1,168 @@
-### YamlMime:Landing
+### YamlMime:Hub
-title: Windows security
-summary: Built with Zero Trust principles at the core to safeguard data and access anywhere, keeping you protected and productive.
+title: Windows client security documentation
+summary: Learn how to secure Windows clients for your organization.
+brand: windows
metadata:
- title: Windows security
- description: Learn about Windows security technologies and how to use them to protect your data and devices.
- ms.topic: landing-page
+ ms.topic: hub-page
ms.prod: windows-client
- ms.technology: itpro-security
ms.collection:
+ - highpri
- tier1
author: paolomatarazzo
ms.author: paoloma
- ms.date: 12/19/2022
+ manager: aaroncz
+ ms.date: 07/28/2023
-# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
+highlightedContent:
+ items:
+ - title: Get started with Windows security
+ itemType: get-started
+ url: introduction.md
+ - title: Windows 11, version 22H2
+ itemType: whats-new
+ url: /windows/whats-new/whats-new-windows-11-version-22H2
+ - title: Windows 11, version 22H2 group policy settings reference
+ itemType: download
+ url: https://www.microsoft.com/en-us/download/details.aspx?id=104594
+ - title: Security features licensing and edition requirements
+ itemType: overview
+ url: /windows/security/licensing-and-edition-requirements
-landingContent:
-# Cards and links should be based on top customer tasks or top subjects
-# Start card title with a verb
- # Card (optional)
- - title: Zero Trust and Windows
- linkLists:
- - linkListType: overview
- links:
- - text: Overview
- url: zero-trust-windows-device-health.md
-# Cards and links should be based on top customer tasks or top subjects
-# Start card title with a verb
- # Card (optional)
- - title: Hardware security
- linkLists:
- - linkListType: overview
- links:
- - text: Overview
- url: hardware.md
- - linkListType: concept
- links:
- - text: Trusted Platform Module
- url: hardware-security/tpm/trusted-platform-module-top-node.md
- - text: Windows Defender System Guard firmware protection
- url: hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md
- - text: System Guard Secure Launch and SMM protection enablement
- url: hardware-security/system-guard-secure-launch-and-smm-protection.md
- - text: Virtualization-based protection of code integrity
- url: hardware-security/enable-virtualization-based-protection-of-code-integrity.md
- - text: Kernel DMA Protection
- url: hardware-security/kernel-dma-protection-for-thunderbolt.md
-# Cards and links should be based on top customer tasks or top subjects
-# Start card title with a verb
- # Card (optional)
- - title: Operating system security
- linkLists:
- - linkListType: overview
- links:
- - text: Overview
- url: operating-system-security/index.md
- - linkListType: concept
- links:
- - text: Trusted boot
- url: operating-system-security\system-security\trusted-boot.md
- - text: Windows security baselines
- url: operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md
- - text: Virtual private network guide
- url: operating-system-security/network-security/vpn/vpn-guide.md
- - text: Windows Defender Firewall
- url: operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md
- - text: Virus & threat protection
- url: threat-protection/index.md
-# Cards and links should be based on top customer tasks or top subjects
-# Start card title with a verb
- # Card (optional)
- - title: Application security
- linkLists:
- - linkListType: overview
- links:
- - text: Overview
- url: application-security/index.md
- - linkListType: concept
- links:
- - text: Application Control and virtualization-based protection
- url: application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
- - text: Application Control
- url: application-security/application-control/windows-defender-application-control/wdac.md
- - text: Application Guard
- url: application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md
- - text: Windows Sandbox
- url: application-security\application-isolation\windows-sandbox\windows-sandbox-overview.md
- - text: Microsoft Defender SmartScreen
- url: operating-system-security\virus-and-threat-protection\microsoft-defender-smartscreen\index.md
- - text: S/MIME for Windows
- url: operating-system-security/data-protection/configure-s-mime.md
-# Cards and links should be based on top customer tasks or top subjects
-# Start card title with a verb
- # Card (optional)
- - title: User security and secured identity
- linkLists:
- - linkListType: overview
- links:
- - text: Overview
- url: identity.md
- - linkListType: concept
- links:
- - text: Windows Hello for Business
- url: identity-protection/hello-for-business/index.md
- - text: Protect domain credentials
- url: identity-protection/credential-guard/credential-guard.md
- - text: Windows Defender Credential Guard
- url: identity-protection/credential-guard/credential-guard.md
- - text: Lost or forgotten passwords
- url: identity-protection/password-support-policy.md
- - text: Access control
- url: identity-protection/access-control/access-control.md
- - text: Smart cards
- url: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
-# Cards and links should be based on top customer tasks or top subjects
-# Start card title with a verb
- # Card (optional)
- - title: Cloud services
- linkLists:
- - linkListType: concept
- links:
- - text: Mobile device management
- url: /windows/client-management/mdm/
- - text: Azure Active Directory
- url: https://www.microsoft.com/security/business/identity-access-management/azure-active-directory
- - text: Your Microsoft Account
- url: identity-protection/access-control/microsoft-accounts.md
- - text: OneDrive
- url: /onedrive/onedrive
- - text: Family safety
- url: operating-system-security\system-security\windows-defender-security-center\wdsc-family-options.md
-# Cards and links should be based on top customer tasks or top subjects
-# Start card title with a verb
- # Card (optional)
- - title: Security foundations
- linkLists:
- - linkListType: overview
- links:
- - text: Overview
- url: security-foundations/index.md
- - linkListType: reference
- links:
- - text: Microsoft Security Development Lifecycle
- url: threat-protection/msft-security-dev-lifecycle.md
- - text: Microsoft Bug Bounty
- url: /microsoft-365/security/intelligence/microsoft-bug-bounty-program
- - text: Common Criteria Certifications
- url: threat-protection/windows-platform-common-criteria.md
- - text: Federal Information Processing Standard (FIPS) 140 Validation
- url: threat-protection/fips-140-validation.md
-# Cards and links should be based on top customer tasks or top subjects
-# Start card title with a verb
- # Card (optional)
- - title: Privacy controls
- linkLists:
- - linkListType: reference
- links:
- - text: Windows and Privacy Compliance
- url: /windows/privacy/windows-10-and-privacy-compliance
+
+productDirectory:
+ title: Get started
+ items:
+
+ - title: Hardware security
+ imageSrc: /media/common/i_usb.svg
+ links:
+ - url: /windows/security/hardware-security/tpm/trusted-platform-module-overview
+ text: Trusted Platform Module
+ - url: /windows/security/hardware-security/pluton/microsoft-pluton-security-processor
+ text: Microsoft Pluton
+ - url: /windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows
+ text: Windows Defender System Guard
+ - url: /windows-hardware/design/device-experiences/oem-vbs
+ text: Virtualization-based security (VBS)
+ - url: /windows-hardware/design/device-experiences/oem-highly-secure-11
+ text: Secured-core PC
+ - url: /windows/security/hardware-security
+ text: Learn more about hardware security >
+
+ - title: OS security
+ imageSrc: /media/common/i_threat-protection.svg
+ links:
+ - url: /windows/security/operating-system-security
+ text: Trusted boot
+ - url: /windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center
+ text: Windows security settings
+ - url: /windows/security/operating-system-security/data-protection/bitlocker/
+ text: BitLocker
+ - url: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines
+ text: Windows security baselines
+ - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/
+ text: MMicrosoft Defender SmartScreen
+ - url: /windows/security/operating-system-security
+ text: Learn more about OS security >
+
+ - title: Identity protection
+ imageSrc: /media/common/i_identity-protection.svg
+ links:
+ - url: /windows/security/identity-protection/hello-for-business
+ text: Windows Hello for Business
+ - url: /windows/security/identity-protection/credential-guard
+ text: Windows Defender Credential Guard
+ - url: /windows-server/identity/laps/laps-overview
+ text: Windows LAPS (Local Administrator Password Solution)
+ - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection
+ text: Enhanced phishing protection with SmartScreen
+ - url: /education/windows/federated-sign-in
+ text: Federated sign-in (EDU)
+ - url: /windows/security/identity-protection
+ text: Learn more about identity protection >
+
+ - title: Application security
+ imageSrc: /media/common/i_queries.svg
+ links:
+ - url: /windows/security/application-security/application-control/windows-defender-application-control/
+ text: Windows Defender Application Control (WDAC)
+ - url: /windows/security/application-security/application-control/user-account-control
+ text: User Account Control (UAC)
+ - url: /windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules
+ text: Microsoft vulnerable driver blocklist
+ - url: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview
+ text: Microsoft Defender Application Guard (MDAG)
+ - url: /windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview
+ text: Windows Sandbox
+ - url: /windows/security/application-security
+ text: Learn more about application security >
+
+ - title: Security foundations
+ imageSrc: /media/common/i_build.svg
+ links:
+ - url: /windows/security/security-foundations/certification/fips-140-validation
+ text: FIPS 140-2 validation
+ - url: /windows/security/security-foundations/certification/windows-platform-common-criteria
+ text: Common Criteria Certifications
+ - url: /windows/security/security-foundations/msft-security-dev-lifecycle
+ text: Microsoft Security Development Lifecycle (SDL)
+ - url: https://www.microsoft.com/msrc/bounty-windows-insider-preview
+ text: Microsoft Windows Insider Preview bounty program
+ - url: https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/
+ text: OneFuzz service
+ - url: /windows/security/security-foundations
+ text: Learn more about security foundations >
+
+ - title: Cloud security
+ imageSrc: /media/common/i_cloud-security.svg
+ links:
+ - url: /mem/intune/protect/security-baselines
+ text: Security baselines with Intune
+ - url: /windows/deployment/windows-autopatch
+ text: Windows Autopatch
+ - url: /windows/deployment/windows-autopilot
+ text: Windows Autopilot
+ - url: /universal-print
+ text: Universal Print
+ - url: /windows/client-management/mdm/remotewipe-csp
+ text: Remote wipe
+ - url: /windows/security/cloud-security
+ text: Learn more about cloud security >
+
+additionalContent:
+ sections:
+ - title: More Windows resources
+ items:
+
+ - title: Windows Server
+ links:
+ - text: Windows Server documentation
+ url: /windows-server
+ - text: What's new in Windows Server 2022?
+ url: /windows-server/get-started/whats-new-in-windows-server-2022
+ - text: Windows Server blog
+ url: https://cloudblogs.microsoft.com/windowsserver/
+
+ - title: Windows product site and blogs
+ links:
+ - text: Find out how Windows enables your business to do more
+ url: https://www.microsoft.com/microsoft-365/windows
+ - text: Windows blogs
+ url: https://blogs.windows.com/
+ - text: Windows IT Pro blog
+ url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog
+ - text: Microsoft Intune blog
+ url: https://techcommunity.microsoft.com/t5/microsoft-intune-blog/bg-p/MicrosoftEndpointManagerBlog
+ - text: "Windows help & learning: end-user documentation"
+ url: https://support.microsoft.com/windows
+
+ - title: Participate in the community
+ links:
+ - text: Windows community
+ url: https://techcommunity.microsoft.com/t5/windows/ct-p/Windows10
+ - text: Microsoft Intune community
+ url: https://techcommunity.microsoft.com/t5/microsoft-intune/bd-p/Microsoft-Intune
+ - text: Microsoft Support community
+ url: https://answers.microsoft.com/windows/forum
\ No newline at end of file
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/index.md b/windows/security/operating-system-security/data-protection/bitlocker/index.md
index ac2d1d013e..2464ef0104 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/index.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/index.md
@@ -1,21 +1,21 @@
---
title: BitLocker overview
-description: This article provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
+description: Learn about BitLocker requirements, practical applications, and deprecated features.
ms.collection:
- highpri
- tier1
-ms.topic: conceptual
-ms.date: 11/08/2022
+ms.topic: overview
+ms.date: 08/03/2023
---
# BitLocker overview
-Bitlocker is a disk encryption feature included with Windows, designed to protect data by providing encryption for entire volumes.\
+Bitlocker is a Windows disk encryption feature, designed to protect data by providing encryption for entire volumes.\
BitLocker addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices.
-BitLocker provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many devices ant it works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system is offline.
+BitLocker provides maximum protection when used with a Trusted Platform Module (TPM). A TPM is a hardware component installed in many devices ant it works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system is offline.
-On computers that don't have a TPM, BitLocker can still be used to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the device or resume from hibernation. An operating system volume password can be used to protect the operating system volume on a computer without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM.
+On devices that don't have a TPM, BitLocker can still be used to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the device or resume from hibernation. An operating system volume password can be used to protect the operating system volume on a computer without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM.
In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device (such as a USB flash drive) that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer won't start or resume from hibernation until the correct PIN or startup key is presented.
@@ -27,30 +27,25 @@ Data on a lost or stolen device is vulnerable to unauthorized access, either by
BitLocker has the following hardware requirements:
-For BitLocker to use the system integrity check provided by a TPM, the computer must have TPM 1.2 or later versions. If a computer doesn't have a TPM, saving a startup key on a removable drive, such as a USB flash drive, becomes mandatory when enabling BitLocker.
+- For BitLocker to use the system integrity check provided by a TPM, the computer must have TPM 1.2 or later versions. If a computer doesn't have a TPM, saving a startup key on a removable drive, such as a USB flash drive, becomes mandatory when enabling BitLocker
+- A device with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM doesn't require TCG-compliant firmware
+- The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment
-A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM doesn't require TCG-compliant firmware.
+ > [!NOTE]
+ > TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature.
+ >
+ > Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode, which prepares the OS and the disk to support UEFI.
-The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment.
-
-> [!IMPORTANT]
-> From Windows 7, an OS drive can be encrypted without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://social.technet.microsoft.com/Forums/en-US/eac2cc67-8442-42db-abad-2ed173879751/bitlocker-without-tpm?forum=win10itprosetup).
-
-> [!NOTE]
-> TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature.
-
-> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode, which prepares the OS and the disk to support UEFI.
-
-The hard disk must be partitioned with at least two drives:
-
-- The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system.
-- The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker isn't enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. It's recommended that the system drive be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space.
-
-When installed on a new computer, Windows automatically creates the partitions that are required for BitLocker.
+- The hard disk must be partitioned with at least two drives:
+ - The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system
+ - The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker isn't enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. It's recommended that the system drive be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space
> [!IMPORTANT]
+> When installed on a new device, Windows automatically creates the partitions that are required for BitLocker.
+>
> An encrypted partition can't be marked as active.
-When installing the BitLocker optional component on a server, the Enhanced Storage feature also needs to be installed. The Enhanced Storage feature is used to support hardware encrypted drives.
+> [!NOTE]
+> When installing the BitLocker optional component on a server, the Enhanced Storage feature also needs to be installed. The Enhanced Storage feature is used to support hardware encrypted drives.
[!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-enablement.md)]
diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
index 809b88492a..d87edf7174 100644
--- a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+++ b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
@@ -1,7 +1,7 @@
---
title: How to configure cryptographic settings for IKEv2 VPN connections
description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections.
-ms.date: 06/28/2023
+ms.date: 08/03/2023
ms.topic: how-to
---
@@ -9,8 +9,8 @@ ms.topic: how-to
In IKEv2 VPN connections, the default setting for IKEv2 cryptographic settings are:
-- Encryption Algorithm : DES3
-- Integrity, Hash Algorithm : SHA1
+- Encryption Algorithm: DES3
+- Integrity, Hash Algorithm: SHA1
- Diffie Hellman Group (Key Size): DH2
These settings aren't secure for IKE exchanges.
@@ -31,9 +31,9 @@ On an earlier version of Windows Server, run [Set-VpnServerIPsecConfiguration](/
Set-VpnServerIPsecConfiguration -CustomPolicy
```
-## VPN client
+## VPN client
-For VPN client, you need to configure each VPN connection.
+For VPN client, you need to configure each VPN connection.
For example, run [Set-VpnConnectionIPsecConfiguration (version 4.0)](/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps&preserve-view=true) and specify the name of the connection:
```powershell
@@ -44,8 +44,8 @@ Set-VpnConnectionIPsecConfiguration -ConnectionName
The following commands configure the IKEv2 cryptographic settings to:
-- Encryption Algorithm : AES128
-- Integrity, Hash Algorithm : SHA256
+- Encryption Algorithm: AES128
+- Integrity, Hash Algorithm: SHA256
- Diffie Hellman Group (Key Size): DH14
### IKEv2 VPN Server
diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
index 08b4c532c8..ae9673a74d 100644
--- a/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -1,13 +1,13 @@
---
title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections
description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections.
-ms.date: 12/28/2022
+ms.date: 08/03/2023
ms.topic: how-to
---
# How to use Single Sign-On (SSO) over VPN and Wi-Fi connections
-This article explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. The following scenarios are typically used:
+This article explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over Wi-Fi or VPN connections. The following scenarios are typically used:
- Connecting to a network using Wi-Fi or VPN
- Use credentials for Wi-Fi or VPN authentication to also authenticate requests to access domain resources, without being prompted for domain credentials
@@ -17,15 +17,15 @@ For example, you want to connect to a corporate network and access an internal w
The credentials that are used for the connection authentication are placed in *Credential Manager* as the default credentials for the **logon session**. Credential Manager stores credentials that can be used for specific domain resources. These are based on the target name of the resource:
- For VPN, the VPN stack saves its credential as the **session default**
-- For WiFi, Extensible Authentication Protocol (EAP) provides support
+- For Wi-Fi, Extensible Authentication Protocol (EAP) provides support
The credentials are placed in Credential Manager as a *session credential*:
- A *session credential* implies that it is valid for the current user session
-- The credentials are cleaned up when the WiFi or VPN connection is disconnected
+- The credentials are cleaned up when the Wi-Fi or VPN connection is disconnected
> [!NOTE]
-> In Windows 10, version 21H2 and later, the *session credential* is not visible in Credential Manager.
+> In Windows 10, version 21H2 and later, the *session credential* isn't visible in Credential Manager.
For example, if someone using Microsoft Edge tries to access a domain resource, Microsoft Edge has the right Enterprise Authentication capability. This allows [WinInet](/windows/win32/wininet/wininet-reference) to release the credentials that it gets from Credential Manager to the SSP that is requesting it.
For more information about the Enterprise Authentication capability, see [App capability declarations](/windows/uwp/packaging/app-capability-declarations).
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
index 5b8c8be320..b79e1c9335 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
@@ -1,7 +1,7 @@
---
title: VPN authentication options
description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
-ms.date: 06/20/2023
+ms.date: 08/03/2023
ms.topic: conceptual
---
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
index 9af27f73a3..eb532bf8d6 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
@@ -1,7 +1,7 @@
---
title: VPN auto-triggered profile options
description: With auto-triggered VPN profile options, Windows can automatically establish a VPN connection based on IT admin-defined rules. Learn about the types of auto-trigger rules that you can create for VPN connections.
-ms.date: 05/24/2023
+ms.date: 08/03/2023
ms.topic: conceptual
---
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
index 85ac1b4e02..26738c946b 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
@@ -1,7 +1,7 @@
---
title: VPN and conditional access
description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Azure Active Directory (Azure AD) connected apps.
-ms.date: 05/23/2023
+ms.date: 08/03/2023
ms.topic: conceptual
---
@@ -17,10 +17,10 @@ Conditional Access Platform components used for Device Compliance include the fo
- [Conditional Access Framework](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn)
- [Azure AD Connect Health](/azure/active-directory/connect-health/active-directory-aadconnect-health)
- [Windows Health Attestation Service](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) (optional)
-- Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA.
+- Azure AD Certificate Authority - It's a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA can't be configured as part of an on-premises Enterprise CA.
See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy).
- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Azure AD for health validation before a new certificate is issued.
-- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
+- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started): Cloud-based device compliance uses Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
- Antivirus status
- Auto-update status and update compliance
- Password policy compliance
@@ -35,7 +35,7 @@ The following client-side components are also required:
## VPN device compliance
-At this time, the Azure AD certificates issued to users do not contain a CRL Distribution Point (CDP) and are not suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the <SSO> section.
+At this time, the Azure AD certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the <SSO> section.
Server-side infrastructure requirements to support VPN device compliance include:
@@ -91,7 +91,7 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4)
-## Related topics
+## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md b/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
index 686ae5380b..3f71587ce8 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
@@ -1,7 +1,7 @@
---
-title: VPN connection types (Windows 10 and Windows 11)
+title: VPN connection types
description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
-ms.date: 05/24/2022
+ms.date: 08/03/2023
ms.topic: conceptual
---
@@ -16,6 +16,7 @@ There are many options for VPN clients. In Windows, the built-in plug-in and the
## Built-in VPN client
Tunneling protocols:
+
- [Internet Key Exchange version 2 (IKEv2)](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687731(v=ws.10)): configure the IPsec/IKE tunnel cryptographic properties using the **Cryptography Suite** setting in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp).
- [L2TP](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687761(v=ws.10)): L2TP with pre-shared key (PSK) authentication can be configured using the **L2tpPsk** setting in the [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp).
- [PPTP](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687676(v=ws.10))
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
index 66e09e5a4c..cd91bd8540 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
@@ -1,7 +1,7 @@
---
title: Windows VPN technical guide
description: Learn how to plan and configure Windows devices for your organization's VPN solution.
-ms.date: 05/24/2023
+ms.date: 08/03/2023
ms.topic: conceptual
---
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md b/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
index 406f11946c..e727022c01 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
@@ -1,7 +1,7 @@
---
title: VPN name resolution
description: Learn how name resolution works when using a VPN connection.
-ms.date: 05/24/2023
+ms.date: 08/03/2023
ms.topic: conceptual
---
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
index 4ff6994bfc..5aae45f5c3 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
@@ -2,7 +2,7 @@
title: Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
description: Learn how to optimize Microsoft 365 traffic for remote workers with the Windows VPN client
ms.topic: article
-ms.date: 05/24/2023
+ms.date: 08/03/2023
---
# Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md b/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
index 5c344676b6..f7974cce7c 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
@@ -1,22 +1,22 @@
---
title: VPN profile options
description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
-ms.date: 05/17/2018
+ms.date: 08/03/2023
ms.topic: conceptual
---
# VPN profile options
-Most of the VPN settings in Windows 10 and Windows 11 can be configured in VPN profiles using Microsoft Intune or Microsoft Configuration Manager. All VPN settings in Windows 10 and Windows 11 can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp).
+Most of the VPN settings in Windows can be configured in VPN profiles using Microsoft Intune or Microsoft Configuration Manager. VPN settings can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp).
>[!NOTE]
>If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) first.
The following table lists the VPN settings and whether the setting can be configured in Intune and Configuration Manager, or can only be configured using **ProfileXML**.
-| Profile setting | Can be configured in Intune and Configuration Manager |
-| --- | --- |
-| Connection type | Yes |
+| Profile setting | Can be configured in Intune and Configuration Manager |
+| --- | --- |
+| Connection type | Yes |
| Routing: split-tunnel routes | Yes, except exclusion routes |
| Routing: forced-tunnel | Yes |
| Authentication (EAP) | Yes, if connection type is built in |
@@ -33,15 +33,14 @@ The following table lists the VPN settings and whether the setting can be config
| Traffic filters | Yes |
| Proxy settings | Yes, by PAC/WPAD file or server and port |
-> [!NOTE]
+> [!NOTE]
> VPN proxy settings are only used on Force Tunnel Connections. On Split Tunnel Connections, the general proxy settings are used.
The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This node is useful for deploying profiles with features that aren't yet supported by MDMs. You can get more examples in the [ProfileXML XSD](/windows/client-management/mdm/vpnv2-profile-xsd) article.
-
## Sample Native VPN profile
-The following sample is a sample Native VPN profile. This blob would fall under the ProfileXML node.
+The following sample is a sample Native VPN profile. This blob would fall under the ProfileXML node.
```xml
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-routing.md b/windows/security/operating-system-security/network-security/vpn/vpn-routing.md
index 6931f683fd..85d884162a 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-routing.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-routing.md
@@ -1,5 +1,5 @@
---
-ms.date: 05/24/2023
+ms.date: 08/03/2023
title: VPN routing decisions
description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
ms.topic: conceptual
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md b/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
index 4c7d2f87b4..c07cabae8d 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
@@ -1,7 +1,7 @@
---
title: VPN security features
description: Learn about security features for VPN, including LockDown VPN and traffic filters.
-ms.date: 05/24/2023
+ms.date: 08/03/2023
ms.topic: conceptual
---
diff --git a/windows/security/security-foundations/toc.yml b/windows/security/security-foundations/toc.yml
index 9a34209d14..0741c7a555 100644
--- a/windows/security/security-foundations/toc.yml
+++ b/windows/security/security-foundations/toc.yml
@@ -3,7 +3,13 @@ items:
href: index.md
- name: Zero Trust and Windows
href: zero-trust-windows-device-health.md
-- name: Microsoft Security Development Lifecycle
- href: msft-security-dev-lifecycle.md
+- name: Offensive research
+ items:
+ - name: Microsoft Security Development Lifecycle
+ href: msft-security-dev-lifecycle.md
+ - name: OneFuzz service
+ href: https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/
+ - name: Microsoft Windows Insider Preview bounty program 🔗
+ href: https://www.microsoft.com/msrc/bounty-windows-insider-preview
- name: Certification
- href: certification/toc.yml
+ href: certification/toc.yml
\ No newline at end of file
diff --git a/windows/security/toc.yml b/windows/security/toc.yml
index 1234cb6efc..74469d7972 100644
--- a/windows/security/toc.yml
+++ b/windows/security/toc.yml
@@ -1,6 +1,4 @@
items:
-- name: Windows security
- href: index.yml
- name: Introduction to Windows security
href: introduction.md
- name: Security features licensing and edition requirements