Merge branch 'main' into release-intune-admincenter

This commit is contained in:
Alma Jenks 2023-02-16 11:56:15 -08:00
commit bf858e3d32
24 changed files with 155 additions and 1511 deletions

View File

@ -20519,6 +20519,11 @@
"source_path": "windows/client-management/mdm/policy-ddf-file.md",
"redirect_url": "/windows/client-management/mdm/configuration-service-provider-ddf",
"redirect_document_id": true
},
{
"source_path": "windows/security/identity-protection/credential-guard/dg-readiness-tool.md",
"redirect_url": "/windows/security/identity-protection/credential-guard/credential-guard",
"redirect_document_id": true
}
]
}
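Review bot: the new redirect sends `dg-readiness-tool.md` to the Credential Guard overview page rather than to the management page, even though the readiness tool was documented as a way to enable and to verify Credential Guard (the sections removed from `credential-guard-manage.md` later in this change). Readers following old links will land on the overview and have to find the enable/verify procedures themselves; consider `credential-guard-manage` as the target. `redirect_document_id: true` matches the neighbouring `policy-ddf-file.md` entry, so that part is consistent.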

View File

@ -8,7 +8,9 @@ manager: aaroncz
ms.localizationpriority: medium
ms.date: 03/28/2022
ms.topic: article
ms.collection: highpri
ms.collection:
- highpri
- tier2
ms.technology: itpro-manage
---
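Review bot: `ms.collection` changes from the scalar `highpri` to a two-item YAML sequence adding `tier2`, which mirrors the list form the hub metadata in this same change already uses (`- highpri` followed by a tier entry), so the sequence form is evidently accepted. The same conversion is repeated across most files in this commit; check that every touched front matter ends up with a tier entry and that none silently drops `highpri` instead.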

View File

@ -1,14 +1,16 @@
---
title: Azure Active Directory integration with MDM
description: Azure Active Directory is the world's largest enterprise cloud identity management service.
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.collection: highpri
ms.collection:
- highpri
- tier2
ms.date: 12/31/2017
---
@ -46,7 +48,7 @@ Azure AD Join also enables company owned devices to be automatically enrolled in
> [!IMPORTANT]
> Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](/previous-versions/azure/dn499825(v=azure.100)) license.
### BYOD scenario
Windows 10 also introduces a simpler way to configure personal devices to access work apps and resources. Users can add their Microsoft work account to Windows and enjoy simpler and safer access to the apps and resources of the organization. During this process, Azure AD detects if the organization has configured an MDM. If thats the case, Windows attempts to enroll the device in MDM as part of the “add account” flow. In the BYOD case, users can reject the MDM Terms of Use. The device isn't enrolled in MDM and access to organization resources is typically restricted.
@ -70,7 +72,7 @@ Once a user has an Azure AD account added to Windows and enrolled in MDM, the en
> [!NOTE]
> Users can't remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account.
### MDM endpoints involved in Azure ADintegrated enrollment
Azure AD MDM enrollment is a two-step process:
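Review bot: the heading "MDM endpoints involved in Azure ADintegrated enrollment" has no separator between "AD" and "integrated" as rendered here; if the source uses a non-ASCII dash that was lost, replace it with a plain hyphen ("Azure AD-integrated") so the heading and its generated anchor are stable across renderers.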
@ -187,7 +189,7 @@ The following image show how MDM applications show up in the Azure app gallery.
### Add cloud-based MDM to the app gallery
> [!NOTE]
> You should work with the Azure AD engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application
> You should work with the Azure AD engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application
The following table shows the required information to create an entry in the Azure AD app gallery.
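Review bot: the NOTE ending "needs to be enabled as a multi-tenant MDM application" is missing its terminating period in both the old and the new line, which suggests this is a whitespace-only edit; since the line is touched anyway, add the period.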
@ -200,7 +202,7 @@ The following table shows the required information to create an entry in the Azu
|**Icons**|A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215|
### Add on-premises MDM to the app gallery
There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrators to add an app to their tenant.
@ -232,7 +234,7 @@ An MDM page must adhere to a predefined theme depending on the scenario that is
|--- |--- |--- |--- |--- |
|FRX|OOBE|Dark theme + blue background color|Filename: Ui-dark.css|Filename: oobe-dekstop.css|
|MOSET|Settings/Post OOBE|Light theme|Filename: Ui-light.css|Filename: settings-desktop.css|
## Terms of Use protocol semantics
The Terms of Use endpoint is hosted by the MDM server. During the Azure AD Join protocol flow, Windows does a full-page redirect to this endpoint. This redirect enables the MDM to display the terms and conditions that apply. It allows the user to accept or reject the terms associated with enrollment. After the user accepts the terms, the MDM redirects back to Windows for the enrollment process to continue.
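Review bot: in the theme table the FRX row lists `Filename: oobe-dekstop.css` while the MOSET row lists `Filename: settings-desktop.css`; `dekstop` looks like a typo for `desktop`. Verify against the actual stylesheet name before correcting, since the value is presented as a literal filename.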
@ -332,7 +334,7 @@ The following table shows the error codes.
|Azure AD token validation failed|302|unauthorized_client|unauthorized_client|
|internal service error|302|server_error|internal service error|
## Enrollment protocol with Azure AD
With Azure integrated MDM enrollment, there's no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments.

View File

@ -6,10 +6,12 @@ author: vinaypamnani-msft
ms.localizationpriority: medium
ms.author: vinpa
ms.date: 01/18/2022
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.topic: article
ms.collection: highpri
ms.collection:
- highpri
- tier2
ms.technology: itpro-manage
---
@ -29,23 +31,23 @@ From its release, Windows 10 has supported remote connections to PCs joined to A
## Set up
- Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 aren't supported.
- Your local PC (where you're connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device aren't supported.
- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests aren't supported for Remote desktop.
- Your local PC (where you're connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device aren't supported.
- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests aren't supported for Remote desktop.
Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you're using to connect to the remote PC.
- On the PC you want to connect to:
1. Open system properties for the remote PC.
2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**.
![Allow remote connections to this computer.](images/allow-rdp.png)
3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no other configuration is needed. To allow more users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies:
- Adding users manually
You can specify individual Azure AD accounts for remote connections by running the following PowerShell cmdlet:
```powershell
net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"
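Review bot: the sentence before the fence calls `net localgroup "Remote Desktop Users" /add ...` a "PowerShell cmdlet"; `net` is the classic `net.exe` command-line utility, not a cmdlet, so say "run the following command" (the `powershell` fence is fine, it runs from a PowerShell prompt). Step 2 keeps NLA required ("Allow connections only from computers running Remote Desktop with Network Level Authentication"), which is the security-relevant setting in this procedure; leave that wording as is. The duplicated pairs of identical bullet lines in this hunk indicate whitespace-only edits.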
@ -62,7 +64,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
> Starting in Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there's a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.
- Adding users using policy
Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).
> [!TIP]
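Review bot: "you can add users to the Remote Desktop Users using MDM policies" is missing the word "group" after "Remote Desktop Users"; the earlier `net localgroup` step names the same local group, so the two should match.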

View File

@ -1,7 +1,7 @@
---
title: Mobile device management MDM for device updates
description: Windows 10 provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management.
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@ -9,7 +9,9 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 11/15/2017
ms.collection: highpri
ms.collection:
- highpri
- tier2
---
# Mobile device management (MDM) for device updates

View File

@ -1,7 +1,7 @@
---
title: Diagnose MDM failures in Windows 10
description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server.
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@ -9,7 +9,9 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 06/25/2018
ms.collection: highpri
ms.collection:
- highpri
- tier2
---
# Diagnose MDM failures in Windows 10

View File

@ -7,9 +7,11 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 04/30/2022
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.collection: highpri
ms.collection:
- highpri
- tier2
---
# Enroll a Windows 10 device automatically using Group Policy
@ -188,19 +190,19 @@ Requirements:
- 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495)
- 1909 --> [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591)
- 2004 --> [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445)
- 20H2 --> [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157)
- 21H1 --> [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124)
- 21H2 --> [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042)
- 22H2 --> [Administrative Templates (.admx) for Windows 10 October 2022 Update (22H2)](https://www.microsoft.com/download/104677)
- 22H2 --> [Administrative Templates (.admx) for Windows 11 2022 September Update (22H2)](https://www.microsoft.com/download/details.aspx?id=104593)
2. Install the package on the Domain Controller.
3. Navigate, depending on the version to the folder:
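Review bot: the Windows 10 22H2 entry links to `https://www.microsoft.com/download/104677`, whereas every other entry in the list uses the `download/details.aspx?id=` or `download/confirmation.aspx?id=` form; use the same form here so the link set is uniform and easier to validate.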
@ -214,13 +216,13 @@ Requirements:
- 1909 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)**
- 2004 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2020 Update (2004)**
- 20H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)**
- 21H1 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2021 Update (21H1)**
- 21H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2021 Update V2 (21H2)**
- 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2022 Update (22H2)**
- 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 11 September 2022 Update (22H2)**
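Review bot: this list, like the download list in the previous hunk, has two entries with the identical `22H2 -->` prefix (one for Windows 10 October 2022 Update, one for Windows 11 September 2022 Update). Qualify the labels, for example "22H2 (Windows 10)" and "22H2 (Windows 11)", in both lists so step 3 unambiguously maps a version to a folder.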

View File

@ -11,6 +11,7 @@ metadata:
ms.technology: itpro-manage
ms.collection:
- highpri
- tier1
author: aczechowski
ms.author: aaroncz
manager: dougeby

View File

@ -5,10 +5,12 @@ ms.prod: windows-client
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 09/14/2021
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.topic: article
ms.collection: highpri
ms.collection:
- highpri
- tier2
ms.technology: itpro-manage
---
@ -51,7 +53,7 @@ First, you create a default user profile with the customizations that you want,
1. Sign in to a computer running Windows 10 as a member of the local Administrator group. Do not use a domain account.
> [!NOTE]
> Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders.
> Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders.
1. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on.

View File

@ -1,17 +1,19 @@
---
title: MDM enrollment of Windows 10-based devices
description: Learn about mobile device management (MDM) enrollment of Windows 10-based devices to simplify access to your organizations resources.
MS-HAID:
MS-HAID:
- 'p\_phdevicemgmt.enrollment\_ui'
- 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices'
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.collection: highpri
ms.collection:
- highpri
- tier2
ms.date: 12/31/2017
---
@ -35,7 +37,7 @@ Devices running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Educatio
> [!NOTE]
> Mobile devices can't be connected to an Active Directory domain.
### Out-of-box-experience
### Out-of-box-experience
Joining your device to an Active Directory domain during the out-of-box-experience (OOBE) isn't supported. To join a domain:
@ -90,7 +92,7 @@ There are a few instances where your device can't be connected to an Active Dire
| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. Youll need to switch to an administrator account to continue. |
| Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Active Directory domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. |
### Connect your device to an Azure AD domain (join Azure AD)
@ -167,9 +169,9 @@ There are a few instances where your device can't be connected to an Azure AD do
| Your device is already managed by MDM. | The connect to Azure AD flow will attempt to enroll your device into MDM if your Azure AD tenant has a preconfigured MDM endpoint. Your device must be unenrolled from MDM to be able to connect to Azure AD in this case. |
| Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Azure AD domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. |
## Connect personally owned devices
## Connect personally owned devices
Personally owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. Windows 10 doesn't require a personal Microsoft account on devices to connect to work or school.
@ -247,7 +249,7 @@ To create a local account and connect the device:
![screen to set up your device](images/unifiedenrollment-rs1-33-b.png)
After you complete the flow, your device will be connected to your organizations MDM.
### Help with connecting personally owned devices
There are a few instances where your device may not be able to connect to work.
@ -260,7 +262,7 @@ There are a few instances where your device may not be able to connect to work.
| You dont have the right privileges to perform this operation. Talk to your admin. | You can't enroll your device into MDM as a standard user. You must be on an administrator account. |
| We couldnt auto-discover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. |
## Connect your Windows 10-based device to work using a deep link
@ -283,13 +285,13 @@ The deep link used for connecting your device to work will always use the follow
| ownership | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3. Where "1" means ownership is unknown, "2" means the device is personally owned, and "3" means the device is corporate-owned |
> [!NOTE]
> AWA and Azure Active Directory-joined values for mode are only supported on Windows 10, version 1709 and later.
> AWA and Azure Active Directory-joined values for mode are only supported on Windows 10, version 1709 and later.
### Connect to MDM using a deep link
> [!NOTE]
> Deep links only work with Internet Explorer or Microsoft Edge browsers. Examples of URI's that may be used to connect to MDM using a deep link:
>
>
> - **ms-device-enrollment:?mode=mdm**
> - **ms-device-enrollment:?mode=mdm&username=`someone@example.com`&servername=`https://example.server.com`**
@ -342,7 +344,7 @@ Starting in Windows 10, version 1709, selecting the **Info** button will show a
![work or school info.](images/unifiedenrollment-rs1-35-b.png)
> [!NOTE]
> Starting in Windows 10, version 1709, the **Manage** button is no longer available.
> Starting in Windows 10, version 1709, the **Manage** button is no longer available.
### Disconnect
@ -363,7 +365,7 @@ Starting in Windows 10, version 1709, you can get the advanced diagnostic report
![collecting enrollment management log files.](images/unifiedenrollment-rs1-37-c.png)

View File

@ -9,7 +9,9 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
ms.collection: highpri
ms.collection:
- highpri
- tier2
---
# Mobile Device Management overview

View File

@ -9,7 +9,9 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 09/18/2020
ms.collection: highpri
ms.collection:
- highpri
- tier2
---
# Configuration service provider DDF files

View File

@ -1,7 +1,7 @@
---
title: Configuration service provider support
description: Learn more about configuration service provider (CSP) supported scenarios.
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@ -9,7 +9,9 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 09/18/2020
ms.collection: highpri
ms.collection:
- highpri
- tier2
---
# Configuration service provider support

View File

@ -7,9 +7,11 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 06/26/2017
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.collection: highpri
ms.collection:
- highpri
- tier2
---
# DynamicManagement CSP

View File

@ -11,6 +11,7 @@ metadata:
ms.prod: windows-client
ms.collection:
- highpri
- tier1
ms.custom: intro-hub-or-landing
author: vinaypamnani-msft
ms.author: vinpa

View File

@ -150,7 +150,7 @@ Descriptions of the properties:
**Policy timeline**:
The behavior of this policy setting differs in different Windows 10 versions. For Windows 10, version 1809 through version 1909, you can use name in `<accessgroup dec>` and SID in `<member name>`. For Windows 10, version 2004, you can use name or SID for both the elements, as described in the example.
The behavior of this policy setting differs in different Windows 10 versions. For Windows 10, version 1809 through version 1909, you can use name in `<accessgroup desc>` and SID in `<member name>`. For Windows 10, version 2004, you can use name or SID for both the elements, as described in the example.
The following table describes how this policy setting behaves in different Windows 10 versions:
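Review bot: the `<accessgroup dec>` to `<accessgroup desc>` correction is consistent with the `<member name>` attribute form quoted in the same sentence. That sentence ends with "as described in the example", but the example is not part of this hunk; confirm the example XML on the page also uses `desc` so the prose and the sample do not disagree again.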

View File

@ -1,7 +1,7 @@
---
title: Mobile device enrollment
description: Learn how mobile device enrollment verifies that only authenticated and authorized devices can be managed by their enterprise.
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@ -9,7 +9,9 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 08/11/2017
ms.collection: highpri
ms.collection:
- highpri
- tier2
---
# Mobile device enrollment

View File

@ -9,7 +9,9 @@ author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
ms.reviewer: pmadrigal
ms.collection: highpri
ms.collection:
- highpri
- tier1
ms.date: 08/26/2022
---

View File

@ -16,7 +16,7 @@ ms.technology: itpro-updates
Windows Update for Business reports is a cloud-based solution that provides information about your Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses. Windows Update for Business reports helps you:
- Monitor security, quality, and feature updates for Windows 11 and Windows 10 devices
- Monitor security, quality, driver, and feature updates for Windows 11 and Windows 10 devices
- Report on devices with update compliance issues
- Analyze and display your data in multiple ways

View File

@ -328,8 +328,6 @@
href: identity-protection/credential-guard/credential-guard-requirements.md
- name: Manage Credential Guard
href: identity-protection/credential-guard/credential-guard-manage.md
- name: Hardware readiness tool
href: identity-protection/credential-guard/dg-readiness-tool.md
- name: Credential Guard protection limits
href: identity-protection/credential-guard/credential-guard-protection-limits.md
- name: Considerations when using Credential Guard

View File

@ -1,6 +1,6 @@
---
title: Manage Windows Defender Credential Guard (Windows)
description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy, the registry, or hardware readiness tools.
description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy or the registry.
ms.date: 11/23/2022
ms.collection:
- highpri
@ -38,7 +38,7 @@ Windows Defender Credential Guard will be enabled by default when a PC meets the
## Enable Windows Defender Credential Guard
Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the [Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard hardware readiness tool](#enable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy) or the [registry](#enable-windows-defender-credential-guard-by-using-the-registry). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines.
> [!NOTE]
@ -151,19 +151,6 @@ To enable, use the Control Panel or the Deployment Image Servicing and Managemen
> [!NOTE]
> You can also enable Windows Defender Credential Guard by setting the registry entries in the [FirstLogonCommands](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-firstlogoncommands) unattend setting.
### Enable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard hardware readiness tool
You can also enable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
```cmd
DG_Readiness_Tool.ps1 -Enable -AutoReboot
```
> [!IMPORTANT]
> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
>
> This is a known issue.
### Review Windows Defender Credential Guard performance
#### Is Windows Defender Credential Guard running?
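Review bot: deleting this section also deletes the in-page anchor `#enable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool`, which the earlier hunk in this file stops linking to; grep the rest of the docs set for that fragment as well, because the redirection entry added in this commit covers only the removed `dg-readiness-tool.md` page, not fragment links into this one. Two defects disappear with the block: the fence was tagged `cmd` although it invoked a `.ps1` script, and the IMPORTANT note described a known issue that required editing the script for non-English systems.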
@ -178,17 +165,6 @@ You can view System Information to check that Windows Defender Credential Guard
:::image type="content" source="images/credguard-msinfo32.png" alt-text="The 'Virtualization-based security Services Running' entry lists Credential Guard in System Information (msinfo32.exe).":::
You can also check that Windows Defender Credential Guard is running by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
```cmd
DG_Readiness_Tool_v3.6.ps1 -Ready
```
> [!IMPORTANT]
> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
>
> This is a known issue.
> [!NOTE]
> For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features.
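Review bot: after this removal the "Is Windows Defender Credential Guard running?" section documents only the msinfo32 UI check; the removed `-Ready` invocation was the only scripted verification on the page, so nothing here now supports a fleet-wide, automated check. Decide whether the remaining NOTE about LsaIso.exe on Windows 10 1703 is sufficient or whether a scripted alternative should replace what was dropped. The removed snippet also named `DG_Readiness_Tool_v3.6.ps1` while the enable section named `DG_Readiness_Tool.ps1`, and its IMPORTANT note had a stray `*` in `*$OSArch`; both inconsistencies go away with the deletion.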

File diff suppressed because one or more lines are too long

View File

@ -112,4 +112,4 @@ The use of ALT key character combinations may greatly enhance the complexity of
## Related articles
- [Password Policy](password-policy.md)
- [Password Policy](/microsoft-365/admin/misc/password-policy-recommendations)
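Review bot: the link text stays "Password Policy" while the target changes from the local `password-policy.md` (the Windows security-policy setting reference) to the Microsoft 365 password policy recommendations page; update the text to reflect the new target, for example "Password policy recommendations", so readers are not led to expect the setting reference they had before.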

View File

@ -1,16 +1,15 @@
---
title: Windows 11 requirements
description: Hardware requirements to deploy Windows 11
description: Hardware requirements to deploy Windows 11.
manager: aaroncz
author: mestew
ms.author: mstewart
ms.prod: windows-client
ms.localizationpriority: medium
ms.topic: article
ms.custom: seo-marvel-apr2020
ms.collection: highpri
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
ms.date: 02/13/2023
---
# Windows 11 requirements
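Review bot: the hunk header goes from 16 to 15 lines, so one front-matter line is dropped in addition to the description and `ms.date` rewrites, but the rendered view does not show which. If the dropped line is `ms.collection: highpri`, that is inconsistent with the rest of this commit, which converts `highpri` to the list form with a tier entry rather than removing it; if it is `ms.custom: seo-marvel-apr2020`, say so in the change description. The `ms.date` bump to 02/13/2023 is appropriate given the content rewrite in the next hunk.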
@ -19,51 +18,60 @@ ms.date: 12/31/2017
- Windows 11
This article lists the system requirements for Windows 11. Windows 11 is also [supported on a virtual machine (VM)](#virtual-machine-support).
This article lists the system requirements for Windows 11. Windows 11 is also [supported on a virtual machine (VM)](#virtual-machine-support).
## Hardware requirements
To install or upgrade to Windows 11, devices must meet the following minimum hardware requirements:
- Processor: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](https://aka.ms/CPUlist) or system on a chip (SoC).
- RAM: 4 gigabytes (GB) or greater.
- Storage: 64 GB\* or greater available storage is required to install Windows 11.
- Extra storage space might be required to download updates and enable specific features.
- Graphics card: Compatible with DirectX 12 or later, with a WDDM 2.0 driver.
- System firmware: UEFI, Secure Boot capable.
- TPM: [Trusted Platform Module](/windows/security/information-protection/tpm/trusted-platform-module-overview) (TPM) version 2.0.
- Display: High definition (720p) display, 9" or greater monitor, 8 bits per color channel.
- Internet connection: Internet connectivity is necessary to perform updates, and to download and use some features.
- Windows 11 Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use.
\* There might be more requirements over time for updates, and to enable specific features within the operating system. For more information, see [Windows 11 specifications](https://www.microsoft.com/windows/windows-11-specifications).
- **Processor**: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](/windows-hardware/design/minimum/windows-processor-requirements) or system on a chip (SoC).
Also see [Update on Windows 11 minimum system requirements](https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/).
- **Memory**: 4 gigabytes (GB) or greater.
For information about tools to evaluate readiness, see [Determine eligibility](windows-11-plan.md#determine-eligibility).
- **Storage**: 64 GB or greater available disk space.
## Operating system requirements
> [!NOTE]
> There might be more storage requirements over time for updates, and to enable specific features within the OS. For more information, see [Windows 11 specifications](https://www.microsoft.com/windows/windows-11-specifications).
- **Graphics card**: Compatible with DirectX 12 or later, with a WDDM 2.0 driver.
- **System firmware**: UEFI, Secure Boot capable.
- **TPM**: [Trusted Platform Module](/windows/security/information-protection/tpm/trusted-platform-module-overview) (TPM) version 2.0.
- **Display**: High definition (720p) display, 9" or greater monitor, 8 bits per color channel.
- **Internet connection**: Internet connectivity is necessary to perform updates, and to download and use some features.
- Windows 11 Home edition requires an internet connection and a Microsoft Account to complete device setup on first use.
For more information, see the following Windows Insider blog post: [Update on Windows 11 minimum system requirements](https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/).
For more information about tools to evaluate readiness, see [Determine eligibility](windows-11-plan.md#determine-eligibility).
## OS requirements
Eligible Windows 10 devices must be on version 2004 or later, and have installed the September 14, 2021 security update or later, to upgrade directly to Windows 11.
> [!NOTE]
> S mode is only supported on the Home edition of Windows 11.
> If you are running a different edition of Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading.<br>&nbsp;<br>
> Switching a device out of Windows 10 in S mode also requires internet connectivity. If you switch out of S mode, you cannot switch back to S mode later.
>
> - S mode is only supported on the Home edition of Windows 11.
> - If you're running a different edition of Windows in S mode, before upgrading to Windows 11, first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode).
> - To switch a device out of Windows 10 in S mode also requires internet connectivity. If you switch out of S mode, you can't switch back to S mode later.
## Feature-specific requirements
Some features in Windows 11 have requirements beyond those requirements listed above. See the following list of features and associated requirements.
Some features in Windows 11 have requirements beyond the minimum [hardware requirements](#hardware-requirements).
- **5G support**: requires 5G capable modem.
- **Auto HDR**: requires an HDR monitor.
- **BitLocker to Go**: requires a USB flash drive. This feature is available in Windows Pro and above editions.
- **Client Hyper-V**: requires a processor with second-level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and above.
- **BitLocker to Go**: requires a USB flash drive. This feature is available in Windows Pro and above editions.
- **Client Hyper-V**: requires a processor with second-level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and greater.
- **Cortana**: requires a microphone and speaker and is currently available on Windows 11 for Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States.
- **DirectStorage**: requires an NVMe SSD to store and run games that use the Standard NVM Express Controller driver and a DirectX12 GPU with Shader Model 6.0 support.
- **DirectX 12 Ultimate**: available with supported games and graphics chips.
- **Presence**: requires sensor that can detect human distance from device or intent to interact with device.
- **Intelligent Video Conferencing**: requires video camera, microphone, and speaker (audio output)
- **Intelligent Video Conferencing**: requires video camera, microphone, and speaker (audio output).
- **Multiple Voice Assistant**: requires a microphone and speaker.
- **Snap**: three-column layouts require a screen that is 1920 effective pixels or greater in width.
- **Mute** and **unmute**: from Taskbar requires video camera, microphone, and speaker (audio output). App must be compatible with feature to enable global mute/unmute.
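Review bot: the third bullet in the rewritten S mode note, "To switch a device out of Windows 10 in S mode also requires internet connectivity", is ungrammatical; the removed line had the correct form, "Switching a device out of Windows 10 in S mode also requires internet connectivity." Please keep that wording. In the same hunk, the BitLocker to Go and Client Hyper-V bullets now use two different phrasings for the same edition constraint ("Windows Pro and above editions" and "Windows Pro editions and greater"); pick one, for example "Windows Pro editions and above", for both.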
@ -76,35 +84,43 @@ Some features in Windows 11 have requirements beyond those requirements listed a
- **Wi-Fi 6E**: requires new WLAN IHV hardware and driver and a Wi-Fi 6E capable AP/router.
- **Windows Hello**: requires a camera configured for near infrared (IR) imaging or fingerprint reader for biometric authentication. Devices without biometric sensors can use Windows Hello with a PIN or portable Microsoft compatible security key. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103).
- **Windows Projection**: requires a display adapter that supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct.
- **Xbox app**: requires an Xbox Live account, which isn't available in all regions. Go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active [Xbox Game Pass](https://www.xbox.com/xbox-game-pass) subscription.
- **Xbox app**: requires an Xbox Live account, which isn't available in all regions. Go to the Xbox Live *Countries and Regions* page for the most up-to-date information on availability. Some features in the Xbox app require an active [Xbox Game Pass](https://www.xbox.com/xbox-game-pass) subscription.
## Virtual machine support
The following configuration requirements apply to VMs running Windows 11.
The following configuration requirements apply to VMs running Windows 11.
- Generation: 2<b> \*</b>
- Storage: 64 GB or greater
- Security:
- Azure: [Trusted launch](/azure/virtual-machines/trusted-launch) with vTPM enabled
- Hyper-V: [Secure boot and TPM enabled](/windows-server/virtualization/hyper-v/learn-more/Generation-2-virtual-machine-security-settings-for-Hyper-V#secure-boot-setting-in-hyper-v-manager)
- General settings: Secure boot capable, virtual TPM enabled
- Memory: 4 GB or greater
- Processor: Two or more virtual processors
- **Generation**: 2
The VM host CPU must also meet Windows 11 [processor requirements](/windows-hardware/design/minimum/windows-processor-requirements).
> [!NOTE]
> In-place upgrade of existing generation 1 VMs to Windows 11 isn't possible.
<b>\*</b> In-place upgrade of existing generation 1 VMs to Windows 11 isn't possible.
- **Storage**: 64 GB or greater disk space.
> [!NOTE]
> Procedures to configure required VM settings depend on the VM host type. For example, VM hosts running Hyper-V, virtualization (VT-x, VT-d) must be enabled in BIOS. Virtual TPM 2.0 is emulated in the guest VM independent of the Hyper-V host TPM presence or version.
- **Security**:
- **Azure**: [Trusted launch](/azure/virtual-machines/trusted-launch) with vTPM enabled.
- **Hyper-V**: [Secure boot and TPM enabled](/windows-server/virtualization/hyper-v/learn-more/Generation-2-virtual-machine-security-settings-for-Hyper-V#secure-boot-setting-in-hyper-v-manager).
- General settings: Secure boot capable, virtual TPM enabled.
- **Memory**: 4 GB or greater.
- **Processor**: Two or more virtual processors.
- The VM host processor must also meet Windows 11 [processor requirements](/windows-hardware/design/minimum/windows-processor-requirements).
> [!NOTE]
> There may be some instances where this requirement for the VM host doesn't apply. For more information, see [Options for using Windows 11 with Mac computers](https://support.microsoft.com/topic/cd15fd62-9b34-4b78-b0bc-121baa3c568c).<!-- 7600331 -->
- Procedures to configure required VM settings depend on the VM host type. For example, VM hosts running Hyper-V, virtualization (VT-x, VT-d) must be enabled in the BIOS. Virtual TPM 2.0 is emulated in the guest VM independent of the Hyper-V host TPM presence or version.
## Next steps
[Plan for Windows 11](windows-11-plan.md)<br>
[Prepare for Windows 11](windows-11-prepare.md)
- [Plan for Windows 11](windows-11-plan.md)
- [Prepare for Windows 11](windows-11-prepare.md)
## See also
[Windows minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview)<br>
[What's new in Windows 11 overview](/windows/whats-new/windows-11-overview)
- [Windows minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview)
- [What's new in Windows 11 overview](/windows/whats-new/windows-11-overview)
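Review bot: the "General settings" sub-bullet under Security still says "Secure boot capable, virtual TPM enabled" while the Hyper-V item right above it requires "Secure boot and TPM enabled"; since Secure Boot and a TPM 2.0 are hard Windows 11 requirements, a VM that merely supports Secure Boot with it switched off should not read as compliant. Suggest "Secure boot enabled, virtual TPM 2.0 enabled" so the three security items agree. Also, the text moved out of the former NOTE ("Procedures to configure required VM settings depend on the VM host type...") is now a top-level bullet that sits among the requirements and reads like one; its second sentence is also missing a preposition, "For example, on VM hosts running Hyper-V, virtualization (VT-x, VT-d) must be enabled in the BIOS." Consider keeping it as a NOTE after the list with that wording.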