diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md
index 964efc7788..4af32aae83 100644
--- a/store-for-business/whats-new-microsoft-store-business-education.md
+++ b/store-for-business/whats-new-microsoft-store-business-education.md
@@ -8,18 +8,20 @@ ms.author: cmcatee
author: cmcatee-MSFT
manager: scotv
ms.topic: conceptual
-ms.date: 01/11/2024
+ms.date: 06/21/2024
ms.reviewer:
---
# What's new in Microsoft Store for Business and Education
-> [!IMPORTANT]
->
-> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
-
## Latest updates for Store for Business and Education
+**June 2024**
+
+The Microsoft Store for Business and Microsoft Store for Education portals will retire on August 15, 2024. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-intune-integration-with-the-microsoft-store-on-windows/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). If you are using offline licensing, you can use the [WinGet Download command](/windows/package-manager/winget/download) to continue to access offline apps and license files.
+
+## Previous releases and updates
+
**January 2024**
**Removal of private store capability from Microsoft Store for Business and Education**
@@ -28,8 +30,6 @@ The private store tab and associated functionality was removed from the Microsof
We recommend customers use the [Private app repository, Windows Package Manager, and Company Portal app](/windows/application-management/private-app-repository-mdm-company-portal-windows-11) to provide a private app repository within their organization.
-## Previous releases and updates
-
[May 2023](release-history-microsoft-store-business-education.md#may-2023)
- Tab removed from Microsoft Store apps on Windows 10 PCs.
diff --git a/windows/client-management/mdm/activesync-ddf-file.md b/windows/client-management/mdm/activesync-ddf-file.md
index b48213ce4d..e3debc8c7e 100644
--- a/windows/client-management/mdm/activesync-ddf-file.md
+++ b/windows/client-management/mdm/activesync-ddf-file.md
@@ -1,7 +1,7 @@
---
title: ActiveSync DDF file
description: View the XML file containing the device description framework (DDF) for the ActiveSync configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the A
10.0.10240
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/applicationcontrol-csp-ddf.md b/windows/client-management/mdm/applicationcontrol-csp-ddf.md
index 6b5054eb37..e701a8b0ec 100644
--- a/windows/client-management/mdm/applicationcontrol-csp-ddf.md
+++ b/windows/client-management/mdm/applicationcontrol-csp-ddf.md
@@ -1,7 +1,7 @@
---
title: ApplicationControl DDF file
description: View the XML file containing the device description framework (DDF) for the ApplicationControl configuration service provider.
-ms.date: 01/31/2024
+ms.date: 06/19/2024
---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the A
10.0.18362
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md
index f712663818..c8d03d6d27 100644
--- a/windows/client-management/mdm/applocker-ddf-file.md
+++ b/windows/client-management/mdm/applocker-ddf-file.md
@@ -1,7 +1,7 @@
---
title: AppLocker DDF file
description: View the XML file containing the device description framework (DDF) for the AppLocker configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the A
10.0.10586
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md
index 5b113fb30f..8bc008e978 100644
--- a/windows/client-management/mdm/assignedaccess-ddf.md
+++ b/windows/client-management/mdm/assignedaccess-ddf.md
@@ -1,7 +1,7 @@
---
title: AssignedAccess DDF file
description: View the XML file containing the device description framework (DDF) for the AssignedAccess configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the A
10.0.10240
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md
index 738dea71d0..6015905cf3 100644
--- a/windows/client-management/mdm/bitlocker-ddf-file.md
+++ b/windows/client-management/mdm/bitlocker-ddf-file.md
@@ -1,7 +1,7 @@
---
title: BitLocker DDF file
description: View the XML file containing the device description framework (DDF) for the BitLocker configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the B
10.0.15063
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/certificatestore-ddf-file.md b/windows/client-management/mdm/certificatestore-ddf-file.md
index 34d7637fbe..8ab2380099 100644
--- a/windows/client-management/mdm/certificatestore-ddf-file.md
+++ b/windows/client-management/mdm/certificatestore-ddf-file.md
@@ -1,7 +1,7 @@
---
title: CertificateStore DDF file
description: View the XML file containing the device description framework (DDF) for the CertificateStore configuration service provider.
-ms.date: 01/31/2024
+ms.date: 06/19/2024
---
@@ -42,7 +42,7 @@ The following XML file contains the device description framework (DDF) for the C
10.0.10586
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md
index 2d9b0700a3..c77ddb1695 100644
--- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md
+++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md
@@ -1,7 +1,7 @@
---
title: ClientCertificateInstall DDF file
description: View the XML file containing the device description framework (DDF) for the ClientCertificateInstall configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the C
10.0.10586
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
@@ -1162,7 +1162,7 @@ Valid values are:
10.0.10586
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/clouddesktop-csp.md b/windows/client-management/mdm/clouddesktop-csp.md
index e249d20ca8..400b655707 100644
--- a/windows/client-management/mdm/clouddesktop-csp.md
+++ b/windows/client-management/mdm/clouddesktop-csp.md
@@ -1,7 +1,7 @@
---
title: CloudDesktop CSP
description: Learn more about the CloudDesktop CSP.
-ms.date: 03/05/2024
+ms.date: 06/19/2024
---
@@ -19,12 +19,14 @@ ms.date: 03/05/2024
The following list shows the CloudDesktop configuration service provider nodes:
- ./Device/Vendor/MSFT/CloudDesktop
- - [BootToCloudPCEnhanced](#boottocloudpcenhanced)
- - [EnableBootToCloudSharedPCMode](#enableboottocloudsharedpcmode)
+ - [BootToCloudPCEnhanced](#deviceboottocloudpcenhanced)
+ - [EnableBootToCloudSharedPCMode](#deviceenableboottocloudsharedpcmode)
+- ./User/Vendor/MSFT/CloudDesktop
+ - [EnablePhysicalDeviceAccess](#userenablephysicaldeviceaccess)
-## BootToCloudPCEnhanced
+## Device/BootToCloudPCEnhanced
| Scope | Editions | Applicable OS |
@@ -76,7 +78,7 @@ This node allows to configure different kinds of Boot to Cloud mode. Boot to clo
-## EnableBootToCloudSharedPCMode
+## Device/EnableBootToCloudSharedPCMode
> [!NOTE]
> This policy is deprecated and may be removed in a future release.
@@ -129,6 +131,55 @@ Setting this node to "true" configures boot to cloud for Shared PC mode. Boot to
+
+## User/EnablePhysicalDeviceAccess
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/CloudDesktop/EnablePhysicalDeviceAccess
+```
+
+
+
+
+Configuring this node gives access to the physical devices used to boot to Cloud PCs from the Ctrl+Alt+Del page for specified users. This node supports these options: 0. Not enabled 1. Enabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `bool` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Access to physical device disabled. |
+| true | Access to physical device enabled. |
+
+
+
+
+
+
+
+
## BootToCloudPCEnhanced technical reference
diff --git a/windows/client-management/mdm/clouddesktop-ddf-file.md b/windows/client-management/mdm/clouddesktop-ddf-file.md
index 98427f9e32..6efe3ed695 100644
--- a/windows/client-management/mdm/clouddesktop-ddf-file.md
+++ b/windows/client-management/mdm/clouddesktop-ddf-file.md
@@ -1,7 +1,7 @@
---
title: CloudDesktop DDF file
description: View the XML file containing the device description framework (DDF) for the CloudDesktop configuration service provider.
-ms.date: 03/05/2024
+ms.date: 06/19/2024
---
@@ -17,6 +17,69 @@ The following XML file contains the device description framework (DDF) for the C
1.2
+
+ CloudDesktop
+ ./User/Vendor/MSFT
+
+
+
+
+ The CloudDesktop configuration service provider is used to configure different Cloud PC related scenarios.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 99.9.99999
+ 2.0
+ 0x4;0x30;0x31;0x7E;0x87;0x88;0x88*;0xA1;0xA2;0xA4;0xA5;0xB4;0xBC;0xBD;0xBF;
+
+
+
+ EnablePhysicalDeviceAccess
+
+
+
+
+
+
+
+ false
+ Configuring this node gives access to the physical devices used to boot to Cloud PCs from the Ctrl+Alt+Del page for specified users. This node supports these options: 0. Not enabled 1. Enabled.
+
+
+
+
+
+
+
+
+
+ Enable access to physical device
+
+
+
+
+
+ false
+ Access to physical device disabled
+
+
+ true
+ Access to physical device enabled
+
+
+
+
+
CloudDesktop
./Device/Vendor/MSFT
diff --git a/windows/client-management/mdm/declaredconfiguration-ddf-file.md b/windows/client-management/mdm/declaredconfiguration-ddf-file.md
index 95751f45be..031be873a8 100644
--- a/windows/client-management/mdm/declaredconfiguration-ddf-file.md
+++ b/windows/client-management/mdm/declaredconfiguration-ddf-file.md
@@ -1,7 +1,7 @@
---
title: DeclaredConfiguration DDF file
description: View the XML file containing the device description framework (DDF) for the DeclaredConfiguration configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the D
99.9.99999
9.9
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index bd54fa0edc..198570987e 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -1,7 +1,7 @@
---
title: Defender CSP
description: Learn more about the Defender CSP.
-ms.date: 05/20/2024
+ms.date: 06/21/2024
---
@@ -33,6 +33,9 @@ The following list shows the Defender configuration service provider nodes:
- [BruteForceProtectionConfiguredState](#configurationbehavioralnetworkblocksbruteforceprotectionbruteforceprotectionconfiguredstate)
- [BruteForceProtectionExclusions](#configurationbehavioralnetworkblocksbruteforceprotectionbruteforceprotectionexclusions)
- [BruteForceProtectionMaxBlockTime](#configurationbehavioralnetworkblocksbruteforceprotectionbruteforceprotectionmaxblocktime)
+ - [BruteForceProtectionPlugins](#configurationbehavioralnetworkblocksbruteforceprotectionbruteforceprotectionplugins)
+ - [BruteForceProtectionLocalNetworkBlocking](#configurationbehavioralnetworkblocksbruteforceprotectionbruteforceprotectionpluginsbruteforceprotectionlocalnetworkblocking)
+ - [BruteForceProtectionSkipLearningPeriod](#configurationbehavioralnetworkblocksbruteforceprotectionbruteforceprotectionpluginsbruteforceprotectionskiplearningperiod)
- [RemoteEncryptionProtection](#configurationbehavioralnetworkblocksremoteencryptionprotection)
- [RemoteEncryptionProtectionAggressiveness](#configurationbehavioralnetworkblocksremoteencryptionprotectionremoteencryptionprotectionaggressiveness)
- [RemoteEncryptionProtectionConfiguredState](#configurationbehavioralnetworkblocksremoteencryptionprotectionremoteencryptionprotectionconfiguredstate)
@@ -752,6 +755,142 @@ Set the maximum time an IP address is blocked by Brute-Force Protection. After t
+
+##### Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionPlugins
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionPlugins
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionPlugins/BruteForceProtectionLocalNetworkBlocking
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionPlugins/BruteForceProtectionLocalNetworkBlocking
+```
+
+
+
+
+Extend brute-force protection coverage in Microsoft Defender Antivirus to block local network addresses.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Brute-force protection won't block local network addresses. |
+| 1 | Brute-force protection will block local network addresses. |
+
+
+
+
+
+
+
+
+
+###### Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionPlugins/BruteForceProtectionSkipLearningPeriod
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionPlugins/BruteForceProtectionSkipLearningPeriod
+```
+
+
+
+
+Skip the 2-week initial learning period, so brute-force protection in Microsoft Defender Antivirus can start blocking immediately.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Brute-force protection blocks threats only after completing a 2-week learning period. |
+| 1 | Brute-force protection starts blocking threats immediately. |
+
+
+
+
+
+
+
+
#### Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection
diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md
index a7f5fe4029..e5da0f2590 100644
--- a/windows/client-management/mdm/defender-ddf.md
+++ b/windows/client-management/mdm/defender-ddf.md
@@ -1,7 +1,7 @@
---
title: Defender DDF file
description: View the XML file containing the device description framework (DDF) for the Defender configuration service provider.
-ms.date: 05/20/2024
+ms.date: 06/19/2024
---
@@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the D
10.0.10586
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
@@ -3596,6 +3596,104 @@ The following XML file contains the device description framework (DDF) for the D
+
+ BruteForceProtectionPlugins
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ BruteForceProtectionLocalNetworkBlocking
+
+
+
+
+
+
+
+ 0
+ Extend brute-force protection coverage in Microsoft Defender Antivirus to block local network addresses.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.16299
+ 1.3
+
+
+
+ 0
+ Brute-force protection will not block local network addresses
+
+
+ 1
+ Brute-force protection will block local network addresses
+
+
+
+
+
+ BruteForceProtectionSkipLearningPeriod
+
+
+
+
+
+
+
+ 0
+ Skip the 2-week initial learning period, so brute-force protection in Microsoft Defender Antivirus can start blocking immediately.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.16299
+ 1.3
+
+
+
+ 0
+ Brute-force protection blocks threats only after completing a 2-week learning period
+
+
+ 1
+ Brute-force protection starts blocking threats immediately
+
+
+
+
+
BruteForceProtectionExclusions
diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md
index 6f562d58b4..8e200f88b4 100644
--- a/windows/client-management/mdm/devdetail-ddf-file.md
+++ b/windows/client-management/mdm/devdetail-ddf-file.md
@@ -1,7 +1,7 @@
---
title: DevDetail DDF file
description: View the XML file containing the device description framework (DDF) for the DevDetail configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the D
10.0.10586
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/devicemanageability-ddf.md b/windows/client-management/mdm/devicemanageability-ddf.md
index cecd7dd921..59cd0e48a0 100644
--- a/windows/client-management/mdm/devicemanageability-ddf.md
+++ b/windows/client-management/mdm/devicemanageability-ddf.md
@@ -1,7 +1,7 @@
---
title: DeviceManageability DDF file
description: View the XML file containing the device description framework (DDF) for the DeviceManageability configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -42,7 +42,7 @@ The following XML file contains the device description framework (DDF) for the D
10.0.14393
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/devicepreparation-ddf-file.md b/windows/client-management/mdm/devicepreparation-ddf-file.md
index 06ec069113..be9a944b76 100644
--- a/windows/client-management/mdm/devicepreparation-ddf-file.md
+++ b/windows/client-management/mdm/devicepreparation-ddf-file.md
@@ -1,7 +1,7 @@
---
title: DevicePreparation DDF file
description: View the XML file containing the device description framework (DDF) for the DevicePreparation configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the D
99.9.99999
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md
index 2eaff3d375..ae20b8e258 100644
--- a/windows/client-management/mdm/devicestatus-ddf.md
+++ b/windows/client-management/mdm/devicestatus-ddf.md
@@ -1,7 +1,7 @@
---
title: DeviceStatus DDF file
description: View the XML file containing the device description framework (DDF) for the DeviceStatus configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the D
10.0.10586
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/devinfo-ddf-file.md b/windows/client-management/mdm/devinfo-ddf-file.md
index ff9195ba0d..b2d6f8ed7f 100644
--- a/windows/client-management/mdm/devinfo-ddf-file.md
+++ b/windows/client-management/mdm/devinfo-ddf-file.md
@@ -1,7 +1,7 @@
---
title: DevInfo DDF file
description: View the XML file containing the device description framework (DDF) for the DevInfo configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -41,7 +41,7 @@ The following XML file contains the device description framework (DDF) for the D
10.0.10586
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md
index 9603fc932a..eef6af498d 100644
--- a/windows/client-management/mdm/diagnosticlog-ddf.md
+++ b/windows/client-management/mdm/diagnosticlog-ddf.md
@@ -1,7 +1,7 @@
---
title: DiagnosticLog DDF file
description: View the XML file containing the device description framework (DDF) for the DiagnosticLog configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the D
10.0.10586
1.2
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/dmacc-ddf-file.md b/windows/client-management/mdm/dmacc-ddf-file.md
index 331ce57c5d..a0fee28b12 100644
--- a/windows/client-management/mdm/dmacc-ddf-file.md
+++ b/windows/client-management/mdm/dmacc-ddf-file.md
@@ -1,7 +1,7 @@
---
title: DMAcc DDF file
description: View the XML file containing the device description framework (DDF) for the DMAcc configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the D
10.0.10586
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md
index dd09a2d66f..c30288ba23 100644
--- a/windows/client-management/mdm/dmclient-ddf-file.md
+++ b/windows/client-management/mdm/dmclient-ddf-file.md
@@ -1,7 +1,7 @@
---
title: DMClient DDF file
description: View the XML file containing the device description framework (DDF) for the DMClient configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the D
10.0.10240
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
@@ -477,7 +477,7 @@ The following XML file contains the device description framework (DDF) for the D
10.0.10240
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/email2-ddf-file.md b/windows/client-management/mdm/email2-ddf-file.md
index 04e33d681e..a770191467 100644
--- a/windows/client-management/mdm/email2-ddf-file.md
+++ b/windows/client-management/mdm/email2-ddf-file.md
@@ -1,7 +1,7 @@
---
title: EMAIL2 DDF file
description: View the XML file containing the device description framework (DDF) for the EMAIL2 configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the E
10.0.10240
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md
index 3d361ec180..c3304851f0 100644
--- a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md
+++ b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md
@@ -1,7 +1,7 @@
---
title: EnterpriseDesktopAppManagement DDF file
description: View the XML file containing the device description framework (DDF) for the EnterpriseDesktopAppManagement configuration service provider.
-ms.date: 05/20/2024
+ms.date: 06/19/2024
---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the E
10.0.10586
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
@@ -401,7 +401,7 @@ The following XML file contains the device description framework (DDF) for the E
10.0.10586
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md
index e60f2f2868..5b6b0433ae 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md
@@ -1,7 +1,7 @@
---
title: EnterpriseModernAppManagement DDF file
description: View the XML file containing the device description framework (DDF) for the EnterpriseModernAppManagement configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the E
10.0.10586
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
@@ -2587,7 +2587,7 @@ The following XML file contains the device description framework (DDF) for the E
10.0.10586
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md
index 36803e6131..09e6e5f725 100644
--- a/windows/client-management/mdm/euiccs-ddf-file.md
+++ b/windows/client-management/mdm/euiccs-ddf-file.md
@@ -1,7 +1,7 @@
---
title: eUICCs DDF file
description: View the XML file containing the device description framework (DDF) for the eUICCs configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -43,7 +43,7 @@ The following XML file contains the device description framework (DDF) for the e
10.0.16299
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md
index 53b060e0f5..549c2cbc81 100644
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@@ -1,7 +1,7 @@
---
title: Firewall CSP
description: Learn more about the Firewall CSP.
-ms.date: 01/18/2024
+ms.date: 06/21/2024
---
@@ -9,8 +9,6 @@ ms.date: 01/18/2024
# Firewall CSP
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network.
@@ -3465,7 +3463,7 @@ This value represents the order of rule enforcement. A lower priority rule is ev
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later |
@@ -3805,7 +3803,7 @@ VM Creator ID that these settings apply to. Valid format is a GUID.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later |
@@ -3954,7 +3952,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later |
@@ -3992,7 +3990,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later |
@@ -4042,7 +4040,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later |
@@ -4092,7 +4090,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later |
@@ -4142,7 +4140,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later |
@@ -4289,7 +4287,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later |
@@ -4327,7 +4325,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later |
@@ -4377,7 +4375,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later |
@@ -4427,7 +4425,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later |
@@ -4477,7 +4475,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later |
@@ -4526,7 +4524,7 @@ This value is an on/off switch for the Hyper-V Firewall enforcement.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later |
@@ -4564,7 +4562,7 @@ This value is an on/off switch for the Hyper-V Firewall enforcement.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later |
@@ -4614,7 +4612,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later |
@@ -4664,7 +4662,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later |
@@ -4714,7 +4712,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later |
diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md
index 453ee21804..2fd47c663c 100644
--- a/windows/client-management/mdm/firewall-ddf-file.md
+++ b/windows/client-management/mdm/firewall-ddf-file.md
@@ -1,7 +1,7 @@
---
title: Firewall DDF file
description: View the XML file containing the device description framework (DDF) for the Firewall configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the F
10.0.16299
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md
index d68e4952d2..3b2c4265ae 100644
--- a/windows/client-management/mdm/healthattestation-ddf.md
+++ b/windows/client-management/mdm/healthattestation-ddf.md
@@ -1,7 +1,7 @@
---
title: HealthAttestation DDF file
description: View the XML file containing the device description framework (DDF) for the HealthAttestation configuration service provider.
-ms.date: 01/31/2024
+ms.date: 06/19/2024
---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the H
10.0.10586
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/language-pack-management-ddf-file.md b/windows/client-management/mdm/language-pack-management-ddf-file.md
index af5086a30c..0d5661484f 100644
--- a/windows/client-management/mdm/language-pack-management-ddf-file.md
+++ b/windows/client-management/mdm/language-pack-management-ddf-file.md
@@ -1,7 +1,7 @@
---
title: LanguagePackManagement DDF file
description: View the XML file containing the device description framework (DDF) for the LanguagePackManagement configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -42,7 +42,7 @@ The following XML file contains the device description framework (DDF) for the L
99.9.9999
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/laps-csp.md b/windows/client-management/mdm/laps-csp.md
index e48b4b6d54..0e5e7d5b2d 100644
--- a/windows/client-management/mdm/laps-csp.md
+++ b/windows/client-management/mdm/laps-csp.md
@@ -1,7 +1,7 @@
---
title: LAPS CSP
description: Learn more about the LAPS CSP.
-ms.date: 05/20/2024
+ms.date: 06/21/2024
---
@@ -55,7 +55,7 @@ The following list shows the LAPS configuration service provider nodes:
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
@@ -94,7 +94,7 @@ Defines the parent interior node for all action-related settings in the LAPS CSP
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
@@ -134,7 +134,7 @@ This action invokes an immediate reset of the local administrator account passwo
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
@@ -179,7 +179,7 @@ The value returned is an HRESULT code:
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
@@ -219,7 +219,7 @@ Root node for LAPS policies.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
@@ -269,7 +269,7 @@ This setting has a maximum allowed value of 12 passwords.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
@@ -314,7 +314,7 @@ Note if a custom managed local administrator account name is specified in this s
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
@@ -376,7 +376,7 @@ If not specified, this setting defaults to True.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
@@ -701,7 +701,7 @@ If not specified, this setting will default to 1.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
@@ -807,7 +807,7 @@ This setting has a maximum allowed value of 10 words.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
@@ -855,7 +855,7 @@ This setting has a maximum allowed value of 365 days.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
@@ -927,7 +927,7 @@ Passphrase list taken from "Deep Dive: EFF's New Wordlists for Random Passphrase
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
@@ -983,7 +983,7 @@ If not specified, this setting defaults to True.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
@@ -1031,7 +1031,7 @@ This setting has a maximum allowed value of 64 characters.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
@@ -1089,7 +1089,7 @@ If not specified, this setting will default to 3 (Reset the password and logoff
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later
✅ Windows Insider Preview [10.0.25145] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
✅ [10.0.25145] and later
✅ Windows 10, version 1809 [10.0.17763.4244] and later
✅ Windows 10, version 2004 [10.0.19041.2784] and later
✅ Windows 11, version 21H2 [10.0.22000.1754] and later
✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
diff --git a/windows/client-management/mdm/laps-ddf-file.md b/windows/client-management/mdm/laps-ddf-file.md
index 8ed3954967..075ff51663 100644
--- a/windows/client-management/mdm/laps-ddf-file.md
+++ b/windows/client-management/mdm/laps-ddf-file.md
@@ -1,7 +1,7 @@
---
title: LAPS DDF file
description: View the XML file containing the device description framework (DDF) for the LAPS configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the L
10.0.25145, 10.0.22621.1480, 10.0.22000.1754, 10.0.20348.1663, 10.0.19041.2784, 10.0.17763.4244
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/networkproxy-ddf.md b/windows/client-management/mdm/networkproxy-ddf.md
index 77e03cd531..41f2ea80ba 100644
--- a/windows/client-management/mdm/networkproxy-ddf.md
+++ b/windows/client-management/mdm/networkproxy-ddf.md
@@ -1,7 +1,7 @@
---
title: NetworkProxy DDF file
description: View the XML file containing the device description framework (DDF) for the NetworkProxy configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the N
10.0.15063
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/networkqospolicy-ddf.md b/windows/client-management/mdm/networkqospolicy-ddf.md
index 0a77596722..abcaba4547 100644
--- a/windows/client-management/mdm/networkqospolicy-ddf.md
+++ b/windows/client-management/mdm/networkqospolicy-ddf.md
@@ -1,7 +1,7 @@
---
title: NetworkQoSPolicy DDF file
description: View the XML file containing the device description framework (DDF) for the NetworkQoSPolicy configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the N
10.0.19042
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/nodecache-ddf-file.md b/windows/client-management/mdm/nodecache-ddf-file.md
index 80a2ad5119..996cc4512c 100644
--- a/windows/client-management/mdm/nodecache-ddf-file.md
+++ b/windows/client-management/mdm/nodecache-ddf-file.md
@@ -1,7 +1,7 @@
---
title: NodeCache DDF file
description: View the XML file containing the device description framework (DDF) for the NodeCache configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the N
10.0.15063
1.1
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
@@ -294,7 +294,7 @@ The following XML file contains the device description framework (DDF) for the N
10.0.10586
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/office-ddf.md b/windows/client-management/mdm/office-ddf.md
index 7714d02e5e..d9dd3ecaa7 100644
--- a/windows/client-management/mdm/office-ddf.md
+++ b/windows/client-management/mdm/office-ddf.md
@@ -1,7 +1,7 @@
---
title: Office DDF file
description: View the XML file containing the device description framework (DDF) for the Office configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the O
10.0.15063
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
@@ -211,7 +211,7 @@ The following XML file contains the device description framework (DDF) for the O
10.0.15063
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index d9bd9dba10..fe7da7ac06 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -1,7 +1,7 @@
---
title: PassportForWork CSP
description: Learn more about the PassportForWork CSP.
-ms.date: 04/10/2024
+ms.date: 06/21/2024
---
@@ -25,7 +25,6 @@ The following list shows the PassportForWork configuration service provider node
- ./Device/Vendor/MSFT/PassportForWork
- [{TenantId}](#devicetenantid)
- [Policies](#devicetenantidpolicies)
- - [DisablePostLogonCredentialCaching](#devicetenantidpoliciesdisablepostlogoncredentialcaching)
- [DisablePostLogonProvisioning](#devicetenantidpoliciesdisablepostlogonprovisioning)
- [EnablePinRecovery](#devicetenantidpoliciesenablepinrecovery)
- [EnableWindowsHelloProvisioningForSecurityKeys](#devicetenantidpoliciesenablewindowshelloprovisioningforsecuritykeys)
@@ -158,62 +157,13 @@ Root node for policies.
-
-#### Device/{TenantId}/Policies/DisablePostLogonCredentialCaching
-
-
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
-
-
-
-```Device
-./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/DisablePostLogonCredentialCaching
-```
-
-
-
-
-Disable caching of the Windows Hello for Business credential after sign-in.
-
-
-
-
-
-
-
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `bool` |
-| Access Type | Add, Delete, Get, Replace |
-| Default Value | False |
-
-
-
-**Allowed values**:
-
-| Value | Description |
-|:--|:--|
-| false (Default) | Credential Caching Enabled. |
-| true | Credential Caching Disabled. |
-
-
-
-
-
-
-
-
#### Device/{TenantId}/Policies/DisablePostLogonProvisioning
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2402] and later
✅ Windows 10, version 2004 [10.0.19041.4239] and later
✅ Windows 11, version 21H2 [10.0.22000.2899] and later
✅ Windows 11, version 22H2 [10.0.22621.3374] and later
✅ Windows Insider Preview |
diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md
index 0c1cf45b97..d80b42baec 100644
--- a/windows/client-management/mdm/passportforwork-ddf.md
+++ b/windows/client-management/mdm/passportforwork-ddf.md
@@ -1,7 +1,7 @@
---
title: PassportForWork DDF file
description: View the XML file containing the device description framework (DDF) for the PassportForWork configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/21/2024
---
@@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the P
10.0.10586
1.2
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
@@ -565,7 +565,7 @@ If you do not configure this policy setting, Windows Hello for Business requires
10.0.10586
1.2
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
@@ -870,7 +870,7 @@ If you disable or do not configure this policy setting, the PIN recovery secret
- 99.9.99999
+ 99.9.99999, 10.0.22621.3374, 10.0.22000.2899, 10.0.20348.2402, 10.0.19041.4239
1.6
@@ -885,45 +885,6 @@ If you disable or do not configure this policy setting, the PIN recovery secret
-
- DisablePostLogonCredentialCaching
-
-
-
-
-
-
-
- False
- Disable caching of the Windows Hello for Business credential after sign-in.
-
-
-
-
-
-
-
-
-
-
-
-
-
- 99.9.99999
- 1.6
-
-
-
- false
- Credential Caching Enabled
-
-
- true
- Credential Caching Disabled
-
-
-
-
UseCertificateForOnPremAuth
@@ -934,7 +895,7 @@ If you disable or do not configure this policy setting, the PIN recovery secret
False
- Windows Hello for Business can use certificates to authenticate to on-premise resources.
+ Windows Hello for Business can use certificates to authenticate to on-premise resources.
If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN.
diff --git a/windows/client-management/mdm/personaldataencryption-ddf-file.md b/windows/client-management/mdm/personaldataencryption-ddf-file.md
index f4f4cd55fc..5b3b1d0111 100644
--- a/windows/client-management/mdm/personaldataencryption-ddf-file.md
+++ b/windows/client-management/mdm/personaldataencryption-ddf-file.md
@@ -1,7 +1,7 @@
---
title: PDE DDF file
description: View the XML file containing the device description framework (DDF) for the PDE configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the P
10.0.22621
1.0
- 0x4;0x1B;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0xAB;0xAC;0xBC;0xBF;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0xAB;0xAC;0xB4;0xBC;0xBD;0xBF;
diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md
index bf0dff0947..d455b2968a 100644
--- a/windows/client-management/mdm/personalization-csp.md
+++ b/windows/client-management/mdm/personalization-csp.md
@@ -1,7 +1,7 @@
---
title: Personalization CSP
description: Learn more about the Personalization CSP.
-ms.date: 04/10/2024
+ms.date: 06/21/2024
---
@@ -9,14 +9,12 @@ ms.date: 04/10/2024
# Personalization CSP
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
The Personalization CSP can set the lock screen, desktop background images and company branding on sign-in screen ([BootToCloud mode](policy-csp-clouddesktop.md#boottocloudmode) only). Setting these policies also prevents the user from changing the image. You can also use the Personalization settings in a provisioning package.
> [!IMPORTANT]
-> Personalization CSP is supported in Windows Enterprise and Education SKUs. It works in Windows Professional only when SetEduPolicies in [SharedPC CSP](sharedpc-csp.md) is set, or when the device is configured in [Shared PC mode with BootToCloudPCEnhanced policy](clouddesktop-csp.md#boottocloudpcenhanced).
+> Personalization CSP is supported in Windows Enterprise and Education SKUs. It works in Windows Professional only when SetEduPolicies in [SharedPC CSP](sharedpc-csp.md) is set, or when the device is configured in [Shared PC mode with BootToCloudPCEnhanced policy](clouddesktop-csp.md#deviceboottocloudpcenhanced).
@@ -38,7 +36,7 @@ The following list shows the Personalization configuration service provider node
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.3235] and later |
@@ -77,7 +75,7 @@ This represents the status of the Company Logo. 1 - Successfully downloaded or c
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.3235] and later |
@@ -116,7 +114,7 @@ An http or https Url to a jpg, jpeg or png image that needs to be downloaded and
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.3235] and later |
diff --git a/windows/client-management/mdm/personalization-ddf.md b/windows/client-management/mdm/personalization-ddf.md
index 6c5af077dd..5f6b982951 100644
--- a/windows/client-management/mdm/personalization-ddf.md
+++ b/windows/client-management/mdm/personalization-ddf.md
@@ -1,7 +1,7 @@
---
title: Personalization DDF file
description: View the XML file containing the device description framework (DDF) for the Personalization configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -42,7 +42,7 @@ The following XML file contains the device description framework (DDF) for the P
10.0.16299
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
@@ -101,7 +101,7 @@ The following XML file contains the device description framework (DDF) for the P
- A http or https Url to a jpg, jpeg or png image that neeeds to be downloaded and used as the Lock Screen Image or a file Url to a local image on the file system that needs to be used as the Lock Screen Image.
+ A http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Lock Screen Image or a file Url to a local image on the file system that needs to be used as the Lock Screen Image.
@@ -148,7 +148,7 @@ The following XML file contains the device description framework (DDF) for the P
- A http or https Url to a jpg, jpeg or png image that neeeds to be downloaded and used as the Company Logo or a file Url to a local image on the file system that needs to be used as the Company Logo. This setting is currently available for boot to cloud shared pc mode only.
+ A http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Company Logo or a file Url to a local image on the file system that needs to be used as the Company Logo. This setting is currently available for boot to cloud shared pc mode only.
@@ -162,7 +162,7 @@ The following XML file contains the device description framework (DDF) for the P
- 99.9.99999
+ 10.0.22621.3235
2.0
@@ -189,7 +189,7 @@ The following XML file contains the device description framework (DDF) for the P
- 99.9.99999
+ 10.0.22621.3235
2.0
@@ -217,7 +217,7 @@ The following XML file contains the device description framework (DDF) for the P
- 99.9.99999
+ 10.0.22621.3235
2.0
diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
index d24e808921..773526f0c6 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
@@ -1,7 +1,7 @@
---
title: ADMX-backed policies in Policy CSP
description: Learn about the ADMX-backed policies in Policy CSP.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -1663,6 +1663,7 @@ This article lists the ADMX-backed policies in Policy CSP.
- [TS_NoSecurityMenu](policy-csp-admx-terminalserver.md)
- [TS_START_PROGRAM_2](policy-csp-admx-terminalserver.md)
- [TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP](policy-csp-admx-terminalserver.md)
+- [TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME](policy-csp-admx-terminalserver.md)
- [TS_DX_USE_FULL_HWGPU](policy-csp-admx-terminalserver.md)
- [TS_SERVER_WDDM_GRAPHICS_DRIVER](policy-csp-admx-terminalserver.md)
- [TS_TSCC_PERMISSIONS_POLICY](policy-csp-admx-terminalserver.md)
@@ -2210,6 +2211,7 @@ This article lists the ADMX-backed policies in Policy CSP.
- [AllowSaveTargetAsInIEMode](policy-csp-internetexplorer.md)
- [DisableInternetExplorerApp](policy-csp-internetexplorer.md)
- [EnableExtendedIEModeHotkeys](policy-csp-internetexplorer.md)
+- [AllowLegacyURLFields](policy-csp-internetexplorer.md)
- [ResetZoomForDialogInIEMode](policy-csp-internetexplorer.md)
- [EnableGlobalWindowListInIEMode](policy-csp-internetexplorer.md)
- [JScriptReplacement](policy-csp-internetexplorer.md)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
index b48e301116..74c2d24c74 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
@@ -1,7 +1,7 @@
---
title: Policies in Policy CSP supported by Group Policy
description: Learn about the policies in Policy CSP supported by Group Policy.
-ms.date: 05/20/2024
+ms.date: 06/19/2024
---
@@ -805,6 +805,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](policy-csp-update.md)
- [ConfigureDeadlineNoAutoRebootForQualityUpdates](policy-csp-update.md)
- [AllowOptionalContent](policy-csp-update.md)
+- [AlwaysAutoRebootAtScheduledTimeMinutes](policy-csp-update.md)
## UserRights
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
index 17bb6fddc6..a51aba5851 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
@@ -1,7 +1,7 @@
---
title: Policies in Policy CSP supported by Windows 10 Team
description: Learn about the policies in Policy CSP supported by Windows 10 Team.
-ms.date: 01/18/2024
+ms.date: 06/19/2024
---
@@ -315,6 +315,7 @@ This article lists the policies in Policy CSP that are applicable for the Surfac
- [AllowOptionalContent](policy-csp-update.md#allowoptionalcontent)
- [AllowTemporaryEnterpriseFeatureControl](policy-csp-update.md#allowtemporaryenterprisefeaturecontrol)
- [AllowUpdateService](policy-csp-update.md#allowupdateservice)
+- [AlwaysAutoRebootAtScheduledTimeMinutes](policy-csp-update.md#alwaysautorebootatscheduledtimeminutes)
- [BranchReadinessLevel](policy-csp-update.md#branchreadinesslevel)
- [ConfigureFeatureUpdateUninstallPeriod](policy-csp-update.md#configurefeatureupdateuninstallperiod)
- [DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#deferfeatureupdatesperiodindays)
diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md
index 0b5853336a..9209e4e647 100644
--- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md
+++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md
@@ -1,7 +1,7 @@
---
title: ADMX_TerminalServer Policy CSP
description: Learn more about the ADMX_TerminalServer Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 06/19/2024
---
@@ -4109,6 +4109,56 @@ This policy setting allows the administrator to configure the RemoteFX experienc
+
+## TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.1202] and later
✅ Windows 10, version 2009 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME |
+| ADMX File Name | TerminalServer.admx |
+
+
+
+
+
+
+
+
## TS_SERVER_VISEXP
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index f9f05c2927..6e3f949a36 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -1,7 +1,7 @@
---
title: DeliveryOptimization Policy CSP
description: Learn more about the DeliveryOptimization Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 06/19/2024
---
@@ -1500,20 +1500,8 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts
-
-Set this policy to restrict peer selection via selected option.
-
-Options available are:
-
-0 = NAT.
-
-1 = Subnet mask.
-
-2 = Local discovery (DNS-SD).
-
-The default value has changed from 0 (no restriction) to 1 (restrict to the subnet).
-
-These options apply to both Download Mode LAN (1) and Group (2).
+
+Set this policy to restrict peer selection via selected option. Options available are: 1=Subnet mask, 2 = Local discovery (DNS-SD). These options apply to both Download Mode LAN (1) and Group (2).
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index 8985e0fd66..61083dafc6 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -1,7 +1,7 @@
---
title: InternetExplorer Policy CSP
description: Learn more about the InternetExplorer Area in Policy CSP.
-ms.date: 05/20/2024
+ms.date: 06/21/2024
---
@@ -985,6 +985,60 @@ Note. It's recommended to configure template policy settings in one Group Policy
+
+## AllowLegacyURLFields
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLegacyURLFields
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLegacyURLFields
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | AllowLegacyURLFields |
+| ADMX File Name | inetres.admx |
+
+
+
+
+
+
+
+
## AllowLocalMachineZoneTemplate
@@ -7718,7 +7772,7 @@ High Safety enables applets to run in their sandbox. Disable Java to prevent any
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2227] and later
✅ Windows 10, version 2004 [10.0.19041.3758] and later
✅ Windows 11, version 22H2 [10.0.22621.2792] and later
✅ Windows Insider Preview [10.0.25398.643] |
+| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2227] and later
✅ [10.0.25398.643] and later
✅ [10.0.25965] and later
✅ Windows 10, version 2004 [10.0.19041.3758] and later
✅ Windows 11, version 22H2 [10.0.22621.2792] and later |
@@ -8793,7 +8847,7 @@ High Safety enables applets to run in their sandbox. Disable Java to prevent any
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2227] and later
✅ Windows 10, version 2004 [10.0.19041.3758] and later
✅ Windows 11, version 22H2 [10.0.22621.2792] and later
✅ Windows Insider Preview [10.0.25398.643] |
+| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2227] and later
✅ [10.0.25398.643] and later
✅ [10.0.25965] and later
✅ Windows 10, version 2004 [10.0.19041.3758] and later
✅ Windows 11, version 22H2 [10.0.22621.2792] and later |
@@ -17364,7 +17418,7 @@ High Safety enables applets to run in their sandbox. Disable Java to prevent any
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2227] and later
✅ Windows 10, version 2004 [10.0.19041.3758] and later
✅ Windows 11, version 22H2 [10.0.22621.2792] and later
✅ Windows Insider Preview [10.0.25398.643] |
+| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2227] and later
✅ [10.0.25398.643] and later
✅ [10.0.25965] and later
✅ Windows 10, version 2004 [10.0.19041.3758] and later
✅ Windows 11, version 22H2 [10.0.22621.2792] and later |
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index 5094419e31..4713b9e21b 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -1,7 +1,7 @@
---
title: Privacy Policy CSP
description: Learn more about the Privacy Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 06/21/2024
---
@@ -9,8 +9,6 @@ ms.date: 01/18/2024
# Policy CSP - Privacy
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
@@ -2929,7 +2927,7 @@ If an app is open when this Group Policy object is applied on a device, employee
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25000] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25000] and later |
@@ -3005,7 +3003,7 @@ If an app is open when this Group Policy object is applied on a device, employee
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25000] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25000] and later |
@@ -3070,7 +3068,7 @@ If an app is open when this Group Policy object is applied on a device, employee
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25000] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25000] and later |
@@ -3135,7 +3133,7 @@ If an app is open when this Group Policy object is applied on a device, employee
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25000] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25000] and later |
diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
index 1af96611e4..6a06309613 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@@ -1,7 +1,7 @@
---
title: RemoteDesktopServices Policy CSP
description: Learn more about the RemoteDesktopServices Area in Policy CSP.
-ms.date: 04/10/2024
+ms.date: 06/21/2024
---
@@ -439,7 +439,7 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2400] and later
✅ [10.0.25398.827] and later
✅ Windows 11, version 21H2 [10.0.22000.2898] and later
✅ Windows 11, version 22H2 [10.0.22621.3374] and later
✅ Windows 11, version 23H2 [10.0.22631.3374] and later
✅ Windows Insider Preview |
@@ -493,7 +493,7 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2400] and later
✅ [10.0.25398.827] and later
✅ Windows 11, version 21H2 [10.0.22000.2898] and later
✅ Windows 11, version 22H2 [10.0.22621.3374] and later
✅ Windows 11, version 23H2 [10.0.22631.3374] and later
✅ Windows Insider Preview |
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index e8dfe5371f..796984d07c 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -1,7 +1,7 @@
---
title: Update Policy CSP
description: Learn more about the Update Area in Policy CSP.
-ms.date: 02/14/2024
+ms.date: 06/19/2024
---
@@ -18,6 +18,7 @@ ms.date: 02/14/2024
Update CSP policies are listed below based on the group policy area:
- [Windows Insider Preview](#windows-insider-preview)
+ - [AlwaysAutoRebootAtScheduledTimeMinutes](#alwaysautorebootatscheduledtimeminutes)
- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates)
- [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates)
- [Manage updates offered from Windows Update](#manage-updates-offered-from-windows-update)
@@ -100,6 +101,68 @@ Update CSP policies are listed below based on the group policy area:
## Windows Insider Preview
+
+### AlwaysAutoRebootAtScheduledTimeMinutes
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Update/AlwaysAutoRebootAtScheduledTimeMinutes
+```
+
+
+
+
+
+- If you enable this policy, a restart timer will always begin immediately after Windows Update installs important updates, instead of first notifying users on the login screen for at least two days.
+
+The restart timer can be configured to start with any value from 15 to 180 minutes. When the timer runs out, the restart will proceed even if the PC has signed-in users.
+
+- If you disable or don't configure this policy, Windows Update won't alter its restart behavior.
+
+If the "No auto-restart with logged-on users for scheduled automatic updates installations" policy is enabled, then this policy has no effect.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[15-180]` |
+| Default Value | 15 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | AlwaysAutoRebootAtScheduledTime |
+| Friendly Name | Always automatically restart at the scheduled time |
+| Element Name | work (minutes) |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Update > Manage end user experience |
+| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU |
+| ADMX File Name | WindowsUpdate.admx |
+
+
+
+
+
+
+
+
### ConfigureDeadlineNoAutoRebootForFeatureUpdates
diff --git a/windows/client-management/mdm/policy-csp-windowsai.md b/windows/client-management/mdm/policy-csp-windowsai.md
index 85b838a4c2..8f672a114e 100644
--- a/windows/client-management/mdm/policy-csp-windowsai.md
+++ b/windows/client-management/mdm/policy-csp-windowsai.md
@@ -1,7 +1,7 @@
---
title: WindowsAI Policy CSP
description: Learn more about the WindowsAI Area in Policy CSP.
-ms.date: 06/13/2024
+ms.date: 06/19/2024
---
@@ -142,6 +142,9 @@ This policy setting allows you to control whether Windows saves snapshots of the
## TurnOffWindowsCopilot
+> [!NOTE]
+> This policy is deprecated and may be removed in a future release.
+
| Scope | Editions | Applicable OS |
|:--|:--|:--|
diff --git a/windows/client-management/mdm/printerprovisioning-ddf-file.md b/windows/client-management/mdm/printerprovisioning-ddf-file.md
index 21cb02133b..4aa2087423 100644
--- a/windows/client-management/mdm/printerprovisioning-ddf-file.md
+++ b/windows/client-management/mdm/printerprovisioning-ddf-file.md
@@ -1,7 +1,7 @@
---
title: PrinterProvisioning DDF file
description: View the XML file containing the device description framework (DDF) for the PrinterProvisioning configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the P
10.0.22000, 10.0.19044.1806, 10.0.19043.1806, 10.0.19042.1806
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md
index a1c58cf7c1..3bca6f69a4 100644
--- a/windows/client-management/mdm/reboot-ddf-file.md
+++ b/windows/client-management/mdm/reboot-ddf-file.md
@@ -1,7 +1,7 @@
---
title: Reboot DDF file
description: View the XML file containing the device description framework (DDF) for the Reboot configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the R
10.0.14393
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/rootcacertificates-ddf-file.md b/windows/client-management/mdm/rootcacertificates-ddf-file.md
index 5ae45109b0..2a8292e9f6 100644
--- a/windows/client-management/mdm/rootcacertificates-ddf-file.md
+++ b/windows/client-management/mdm/rootcacertificates-ddf-file.md
@@ -1,7 +1,7 @@
---
title: RootCATrustedCertificates DDF file
description: View the XML file containing the device description framework (DDF) for the RootCATrustedCertificates configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the R
10.0.10586
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
@@ -1067,7 +1067,7 @@ The following XML file contains the device description framework (DDF) for the R
10.0.10586
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/secureassessment-ddf-file.md b/windows/client-management/mdm/secureassessment-ddf-file.md
index c4e5cf2830..d45d5f6b92 100644
--- a/windows/client-management/mdm/secureassessment-ddf-file.md
+++ b/windows/client-management/mdm/secureassessment-ddf-file.md
@@ -1,7 +1,7 @@
---
title: SecureAssessment DDF file
description: View the XML file containing the device description framework (DDF) for the SecureAssessment configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the S
10.0.15063
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/sharedpc-ddf-file.md b/windows/client-management/mdm/sharedpc-ddf-file.md
index 710f837864..0baa724281 100644
--- a/windows/client-management/mdm/sharedpc-ddf-file.md
+++ b/windows/client-management/mdm/sharedpc-ddf-file.md
@@ -1,7 +1,7 @@
---
title: SharedPC DDF file
description: View the XML file containing the device description framework (DDF) for the SharedPC configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the S
10.0.14393
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md
index 3f4964bf42..fed441c564 100644
--- a/windows/client-management/mdm/supl-ddf-file.md
+++ b/windows/client-management/mdm/supl-ddf-file.md
@@ -1,7 +1,7 @@
---
title: SUPL DDF file
description: View the XML file containing the device description framework (DDF) for the SUPL configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -42,7 +42,7 @@ The following XML file contains the device description framework (DDF) for the S
10.0.10240
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md
index 601a0363a7..7454dd4105 100644
--- a/windows/client-management/mdm/vpnv2-ddf-file.md
+++ b/windows/client-management/mdm/vpnv2-ddf-file.md
@@ -1,7 +1,7 @@
---
title: VPNv2 DDF file
description: View the XML file containing the device description framework (DDF) for the VPNv2 configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the V
10.0.10586
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
@@ -3265,7 +3265,7 @@ The following XML file contains the device description framework (DDF) for the V
10.0.10586
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md
index a43971553f..d1e6f1f167 100644
--- a/windows/client-management/mdm/wifi-ddf-file.md
+++ b/windows/client-management/mdm/wifi-ddf-file.md
@@ -1,7 +1,7 @@
---
title: WiFi DDF file
description: View the XML file containing the device description framework (DDF) for the WiFi configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the W
10.0.10586
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
@@ -322,7 +322,7 @@ The following XML file contains the device description framework (DDF) for the W
10.0.10586
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
index 83c52f17cc..b4460e2d71 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
@@ -1,7 +1,7 @@
---
title: WindowsDefenderApplicationGuard DDF file
description: View the XML file containing the device description framework (DDF) for the WindowsDefenderApplicationGuard configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the W
10.0.16299
1.1
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md
index a8bb624a6b..571ba992b0 100644
--- a/windows/client-management/mdm/windowslicensing-ddf-file.md
+++ b/windows/client-management/mdm/windowslicensing-ddf-file.md
@@ -1,7 +1,7 @@
---
title: WindowsLicensing DDF file
description: View the XML file containing the device description framework (DDF) for the WindowsLicensing configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the W
10.0.10586
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xB4;0xBC;0xBD;0xBF;
diff --git a/windows/client-management/mdm/wirednetwork-ddf-file.md b/windows/client-management/mdm/wirednetwork-ddf-file.md
index ddb1f28855..c3aebaeba0 100644
--- a/windows/client-management/mdm/wirednetwork-ddf-file.md
+++ b/windows/client-management/mdm/wirednetwork-ddf-file.md
@@ -1,7 +1,7 @@
---
title: WiredNetwork DDF file
description: View the XML file containing the device description framework (DDF) for the WiredNetwork configuration service provider.
-ms.date: 04/10/2024
+ms.date: 06/19/2024
---
@@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the W
10.0.17763
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
@@ -118,7 +118,7 @@ The following XML file contains the device description framework (DDF) for the W
10.0.17763
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
diff --git a/windows/deployment/do/mcc-isp.md b/windows/deployment/do/mcc-isp.md
index 87b1740400..ff0a665d2e 100644
--- a/windows/deployment/do/mcc-isp.md
+++ b/windows/deployment/do/mcc-isp.md
@@ -20,7 +20,7 @@ appliesto:
# Microsoft Connected Cache for Internet Service Providers (early preview)
> [!IMPORTANT]
-> This document is for Microsoft Connected Cache (early preview). Microsoft Connected Cache for ISPs is now in Public Preview - for our early preview customers, we highly encourage you to migrate your cache nodes to our public preview. See [instructions on how to migrate](#migrating-your-mcc-to-public-preview) below.
+> This document is for Microsoft Connected Cache (early preview). Microsoft Connected Cache for ISPs is now in Public Preview - for our early preview customers, we highly encourage you to onboard onto our Public Preview program. For instructions on signing up and onboarding please visit [Operator sign up and service onboarding for Microsoft Connected Cache](mcc-isp-signup.md).
## Overview
@@ -441,6 +441,13 @@ If the test fails, for more information, see the [common issues](#common-issues)
## Common Issues
+### Microsoft Connected Cache is no longer serving traffic
+If you did not migrate your cache node then your cache node may still be on early preview version.
+Microsoft Connected Cache for Internet Service Providers is now in Public Preview! To get started, visit [Azure portal](https://www.portal.azure.com) to sign up for Microsoft Connected Cache for Internet Service Providers. Please see [Operator sign up and service onboarding for Microsoft Connected Cache](mcc-isp-signup.md) for more information on the requirements for sign up and onboarding.
+
+
+
+
> [!NOTE]
> This section only lists common issues. For more information on additional issues you may encounter when configuring IoT Edge, see the [IoT Edge troubleshooting guide](/azure/iot-edge/troubleshoot).
@@ -551,19 +558,6 @@ If you have an MCC that's already active and running, follow the steps below to
1. To finish configuring your MCC with BGP routing, continue from Step 10 of [Steps to Install MCC](#steps-to-install-mcc). -->
-## Migrating your MCC to Public Preview
-
-> [!NOTE]
-> Please note, if you reboot your server, the version that you are currently on will no longer function, after which you will be required to migrate to the new version.
-
-We recommend migrating now to the new version to access these benefits and ensure no downtime.
-
-To migrate, use the following steps:
-
-1. Navigate to the cache node that you would like to migrate and select **Download Migration Package** using the button at the top of the page.
-1. Follow the instructions under the **Connected Cache Migrate Scripts** section within Azure portal.
- :::image type="content" source="images/mcc-isp-migrate.png" alt-text="A screenshot of Azure portal showing the migration instructions for migrating a cache node from the early preview to the public preview." lightbox="images/mcc-isp-migrate.png":::
-1. Go to https://portal.azure.com and navigate to your resource to check your migrated cache nodes.
## Uninstalling MCC
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md
index 94167d36b9..d17d8078a4 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md
@@ -1,7 +1,7 @@
---
title: Configure Active Directory Federation Services in a hybrid certificate trust model
description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business hybrid certificate trust model.
-ms.date: 03/12/2024
+ms.date: 06/23/2024
ms.topic: tutorial
---
@@ -52,19 +52,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
1. Restart the AD FS server
> [!NOTE]
-> For AD FS 2019 in a hybrid certificate trust model, a PRT issue exists. You may encounter this error in the AD FS Admin event logs: *Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'*. To remediate this error:
->
-> 1. Launch AD FS management console and browse to **Services > Scope Descriptions**
-> 1. Right click **Scope Descriptions** and select **Add Scope Description**
-> 1. Under name type `ugs` and select **Apply > OK**
-> 1. Launch PowerShell as an administrator
-> 1. Obtain the *ObjectIdentifier* of the application permission with the `ClientRoleIdentifier` parameter equal to `38aa3b87-a06d-4817-b275-7a316988d93b`:
-> ```PowerShell
-> (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier
-> ```
-> 1. Execute the command `Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'`.
-> 1. Restart the AD FS service
-> 1. On the client: Restart the client. User should be prompted to provision Windows Hello for Business
+> For AD FS 2019 and later in a certificate trust model, a known PRT issue exists. You may encounter this error in AD FS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. For more information about the isse and its resolution, see [Certificate trust provisioning with AD FS broken on windows server 2019](../hello-deployment-issues.md#certificate-trust-provisioning-with-ad-fs-broken-on-windows-server-2019).
## Section review and next steps
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
index 2891e83911..50ff10820c 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
@@ -1,7 +1,7 @@
---
title: Configure and enroll in Windows Hello for Business in hybrid certificate trust model
description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid certificate trust scenario.
-ms.date: 03/12/2024
+ms.date: 06/23/2024
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
index 35d1ff0083..ff9434bc73 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
@@ -1,7 +1,7 @@
---
-title: Configure and validate the PKI in an hybrid certificate trust model
+title: Configure and validate the PKI in a hybrid certificate trust model
description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a hybrid certificate trust model.
-ms.date: 03/12/2024
+ms.date: 06/23/2024
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
index 58e8cc3e3d..bbb9a72759 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
@@ -1,7 +1,7 @@
---
title: Windows Hello for Business hybrid certificate trust deployment guide
description: Learn how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
-ms.date: 03/12/2024
+ms.date: 06/23/2024
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md
index a684145a1d..6adbe43c94 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md
@@ -1,5 +1,5 @@
---
-ms.date: 01/03/2024
+ms.date: 06/23/2024
ms.topic: include
---
@@ -8,6 +8,8 @@ ms.topic: include
Windows Hello for Business requires users perform multifactor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option:
- certificates
+ > [!NOTE]
+ > When using this option, the certificates must be deployed to the users. For example, users can use their smart card or virtual smart card as a certificate authentication option.
- non-Microsoft authentication providers for AD FS
- custom authentication provider for AD FS
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-auth.md b/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-auth.md
index aab8d0e4c9..4adf8b030a 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-auth.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-auth.md
@@ -61,4 +61,4 @@ CertUtil: -dsTemplate command completed successfully."
```
>[!NOTE]
->If you gave your Windows Hello for Business Authentication certificate template a different name, then replace `WHFBAuthentication` in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the `Get-CATemplate` ADCS Administration Windows PowerShell cmdlet on your certification authority.
+>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace `WHFBAuthentication` in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc).
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-enrollment-agent.md b/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-enrollment-agent.md
index b43c9f754a..df1df5291f 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-enrollment-agent.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-enrollment-agent.md
@@ -3,7 +3,7 @@ ms.date: 01/03/2024
ms.topic: include
---
-### Configure an enrollment agent certificate template
+## Configure an enrollment agent certificate template
A certificate registration authority (CRA) is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certification authority (CA) for issuance. The CA issues the certificate, returns it to the CRA, which returns the certificate to the requesting user. Windows Hello for Business certificate trust deployments use AD FS as the CRA.
@@ -12,7 +12,7 @@ The CRA enrolls for an *enrollment agent certificate*. Once the CRA verifies the
> [!IMPORTANT]
> Follow the procedures below based on the AD FS service account used in your environment.
-#### Create an enrollment agent certificate for Group Managed Service Accounts (GMSA)
+### Create an enrollment agent certificate for Group Managed Service Accounts (GMSA)
Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials.
@@ -32,7 +32,7 @@ Sign in to a CA or management workstations with *Domain Administrator* equivalen
1. Select **OK** to finalize your changes and create the new template
1. Close the console
-#### Create an enrollment agent certificate for a standard service account
+### Create an enrollment agent certificate for a standard service account
Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials.
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
index dc000be03a..7446d01e92 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
@@ -1,7 +1,7 @@
---
title: Configure Active Directory Federation Services in an on-premises certificate trust model
description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business on-premises certificate trust model.
-ms.date: 03/12/2024
+ms.date: 06/23/2024
ms.topic: tutorial
---
@@ -16,20 +16,7 @@ Windows Hello for Business works exclusively with the Active Directory Federatio
[!INCLUDE [adfs-deploy](includes/adfs-deploy.md)]
> [!NOTE]
-> For AD FS 2019 and later in a certificate trust model, a known PRT issue exists. You may encounter this error in AD FS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error:
->
-> 1. Launch AD FS management console. Browse to ***Services > Scope Descriptions**
-> 1. Right-click **Scope Descriptions** and select **Add Scope Description**
-> 1. Under name type *ugs* and select **Apply > OK**
-> 1. Launch PowerShell as an administrator and execute the following commands:
->
-> ```PowerShell
-> $id = (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier
-> Set-AdfsApplicationPermission -TargetIdentifier $id -AddScope 'ugs'
-> ```
->
-> 1. Restart the AD FS service
-> 1. Restart the client. User should be prompted to provision Windows Hello for Business
+> For AD FS 2019 and later in a certificate trust model, a known PRT issue exists. You may encounter this error in AD FS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. For more information about the isse and its resolution, see [Certificate trust provisioning with AD FS broken on windows server 2019](../hello-deployment-issues.md#certificate-trust-provisioning-with-ad-fs-broken-on-windows-server-2019).
## Review to validate the AD FS and Active Directory configuration
@@ -40,6 +27,21 @@ Windows Hello for Business works exclusively with the Active Directory Federatio
> - Confirm you added the AD FS service account to the KeyAdmins group
> - Confirm you enabled the Device Registration service
+[!INCLUDE [enrollment-agent-certificate-template](includes/certificate-template-enrollment-agent.md)]
+
+### Publish the certificate template to the CA
+
+Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials.
+
+1. Open the **Certification Authority** management console
+1. Expand the parent node from the navigation pane
+1. Select **Certificate Templates** in the navigation pane
+1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue
+1. In the **Enable Certificates Templates** window, select the *WHFB Enrollment Agent* template you created in the previous step. Select **OK** to publish the selected certificate templates to the certification authority
+1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list
+ - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation
+1. Close the console
+
## Configure the certificate registration authority
The Windows Hello for Business on-premises certificate-based deployment uses AD FS as the certificate registration authority (CRA). The registration authority is responsible for issuing certificates to users and devices. The registration authority is also responsible for revoking certificates when users or devices are removed from the environment.
@@ -55,7 +57,7 @@ Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplat
>[!NOTE]
> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace *WHFBEnrollmentAgent* and *WHFBAuthentication* in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the `Get-CATemplate` PowerShell cmdlet on a CA.
-### Enrollment agent certificate enrollment
+### Enrollment agent certificate lifecycle management
AD FS performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts.
@@ -87,6 +89,7 @@ For detailed information about the certificate, use `Certutil -q -v [!div class="checklist"]
> Before you continue with the deployment, validate your deployment progress by reviewing the following items:
>
+> - Configure an enrollment agent certificate template
> - Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template
> - Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance
> - Confirm you properly configured the Windows Hello for Business authentication certificate template
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md
index f856919e78..ce1d4a781d 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md
@@ -1,5 +1,5 @@
---
-ms.date: 03/12/2024
+ms.date: 06/23/2024
ms.topic: tutorial
title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario
@@ -73,7 +73,11 @@ After a successful key registration, Windows creates a certificate request using
The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
-The CA validates that the certificate is signed by the registration authority. On successful validation, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user's certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Action Center.
+The CA validates that the certificate is signed by the registration authority. On successful validation, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user's certificate store.
+
+The following video shows the Windows Hello for Business enrollment steps after signing in with a password, using a custom MFA adapter for AD FS.
+
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=771165c0-e37f-4f9d-9e21-4f383cc6590d alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
### Sequence diagram
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md
index 92ee0befff..0240088385 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md
@@ -1,13 +1,12 @@
---
title: Windows Hello for Business on-premises certificate trust deployment guide
description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust scenario.
-ms.date: 03/12/2024
+ms.date: 06/23/2024
ms.topic: tutorial
---
# On-premises certificate trust deployment guide
-
[!INCLUDE [apply-to-on-premises-cert-trust](includes/apply-to-on-premises-cert-trust.md)]
[!INCLUDE [requirements](includes/requirements.md)]
@@ -48,8 +47,6 @@ Windows Hello for Business must have a Public Key Infrastructure (PKI) when usin
[!INCLUDE [web-server-certificate-template](includes/certificate-template-web-server.md)]
-[!INCLUDE [enrollment-agent-certificate-template](includes/certificate-template-enrollment-agent.md)]
-
[!INCLUDE [auth-certificate-template](includes/certificate-template-auth.md)]
[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
@@ -64,7 +61,7 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
1. Expand the parent node from the navigation pane
1. Select **Certificate Templates** in the navigation pane
1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue
-1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, *Internal Web Server*, *WHFB Enrollment Agent* and *WHFB Authentication* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority
+1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, *Internal Web Server*, and *WHFB Authentication* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority
1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list
- To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation
1. Close the console
@@ -85,7 +82,6 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
> - Configure domain controller and web server certificate templates
> - Supersede existing domain controller certificates
> - Unpublish superseded certificate templates
-> - Configure an enrollment agent certificate template
> - Publish the certificate templates to the CA
> - Deploy certificates to the domain controllers
> - Validate the domain controllers configuration
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md
index 34f55f78f3..85c263917f 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md
@@ -1,5 +1,5 @@
---
-ms.date: 03/12/2024
+ms.date: 06/23/2024
ms.topic: tutorial
title: Configure Windows Hello for Business Policy settings in an on-premises key trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises key trust scenario
@@ -52,6 +52,10 @@ This information is also available using the `dsregcmd.exe /status` command from
[!INCLUDE [user-experience](includes/user-experience.md)]
+The following video shows the Windows Hello for Business enrollment steps after signing in with a password, using a custom MFA adapter for AD FS.
+
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=771165c0-e37f-4f9d-9e21-4f383cc6590d alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
+
### Sequence diagram
To better understand the provisioning flows, review the following sequence diagram:
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
index 0b7ef9d9a3..347471eeef 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
@@ -1,7 +1,7 @@
---
title: Windows Hello for Business on-premises key trust deployment guide
description: Learn how to deploy Windows Hello for Business in an on-premises, key trust scenario.
-ms.date: 03/12/2024
+ms.date: 06/24/2024
ms.topic: tutorial
---
@@ -57,7 +57,7 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
1. Expand the parent node from the navigation pane
1. Select **Certificate Templates** in the navigation pane
1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue
-1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, and *Internal Web Server* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority
+1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)* and *Internal Web Server* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority
1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list
- To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation
1. Close the console
diff --git a/windows/security/identity-protection/hello-for-business/deploy/toc.yml b/windows/security/identity-protection/hello-for-business/deploy/toc.yml
index 55964be416..9ae8643cf0 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/deploy/toc.yml
@@ -8,7 +8,7 @@ items:
- name: Cloud Kerberos trust deployment
href: hybrid-cloud-kerberos-trust.md
- name: Key trust deployment
- items:
+ items:
- name: Requirements and validation
href: hybrid-key-trust.md
displayName: key trust
@@ -19,7 +19,7 @@ items:
href: ../hello-hybrid-aadj-sso.md
displayName: key trust
- name: Certificate trust deployment
- items:
+ items:
- name: Requirements and validation
href: hybrid-cert-trust.md
displayName: certificate trust
@@ -41,7 +41,7 @@ items:
- name: On-premises deployments
items:
- name: Key trust deployment
- items:
+ items:
- name: Requirements and validation
href: on-premises-key-trust.md
- name: Prepare and deploy Active Directory Federation Services (AD FS)
@@ -49,10 +49,10 @@ items:
- name: Configure and enroll in Windows Hello for Business
href: on-premises-key-trust-enroll.md
- name: Certificate trust deployment
- items:
+ items:
- name: Requirements and validation
href: on-premises-cert-trust.md
- - name: Prepare and Deploy Active Directory Federation Services (AD FS)
+ - name: Prepare and deploy Active Directory Federation Services (AD FS)
href: on-premises-cert-trust-adfs.md
- name: Configure and enroll in Windows Hello for Business
href: on-premises-cert-trust-enroll.md
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md
index 22f80cb481..3e29796ff1 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md
@@ -1,8 +1,8 @@
---
-title: BCD settings and BitLocker
+title: BCD settings and BitLocker
description: Learn how BCD settings are used by BitLocker.
ms.topic: reference
-ms.date: 10/30/2023
+ms.date: 06/18/2024
---
# Boot Configuration Data settings and BitLocker
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/configure.md b/windows/security/operating-system-security/data-protection/bitlocker/configure.md
index 12bf6e3613..7fbff47e8c 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/configure.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/configure.md
@@ -2,7 +2,7 @@
title: Configure BitLocker
description: Learn about the available options to configure BitLocker and how to configure them via Configuration Service Providers (CSP) or group policy (GPO).
ms.topic: how-to
-ms.date: 10/30/2023
+ms.date: 06/18/2024
---
# Configure BitLocker
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md b/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md
index 62dbc91a63..13b8fb7c50 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md
@@ -1,8 +1,8 @@
---
title: BitLocker countermeasures
-description: Learn about technologies and features to protect against attacks on the BitLocker encryption key.
+description: Learn about technologies and features to protect against attacks on the BitLocker encryption key.
ms.topic: concept-article
-ms.date: 10/30/2023
+ms.date: 06/18/2024
---
# BitLocker countermeasures
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md b/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md
index 6eac3ac628..15db660036 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md
@@ -2,7 +2,7 @@
title: Protect cluster shared volumes and storage area networks with BitLocker
description: Learn how to protect cluster shared volumes (CSV) and storage area networks (SAN) with BitLocker.
ms.topic: how-to
-ms.date: 10/30/2023
+ms.date: 06/18/2024
appliesto:
- ✅ Windows Server 2022
- ✅ Windows Server 2019
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/faq.yml
index d82b8f6355..b2642afed9 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/faq.yml
@@ -3,7 +3,7 @@ metadata:
title: BitLocker FAQ
description: Learn more about BitLocker by reviewing the frequently asked questions.
ms.topic: faq
- ms.date: 10/30/2023
+ ms.date: 06/18/2024
title: BitLocker FAQ
summary: Learn more about BitLocker by reviewing the frequently asked questions.
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery-additional-recovery-information.png b/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery-additional-recovery-information.png
new file mode 100644
index 0000000000..113770d113
Binary files /dev/null and b/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery-additional-recovery-information.png differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery-additional.png b/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery-additional.png
new file mode 100644
index 0000000000..179a50a84b
Binary files /dev/null and b/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery-additional.png differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/index.md b/windows/security/operating-system-security/data-protection/bitlocker/index.md
index 9d9ff5daed..e9e9e7bdb7 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/index.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/index.md
@@ -2,7 +2,7 @@
title: BitLocker overview
description: Learn about BitLocker practical applications and requirements.
ms.topic: overview
-ms.date: 10/30/2023
+ms.date: 06/18/2024
---
# BitLocker overview
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/install-server.md b/windows/security/operating-system-security/data-protection/bitlocker/install-server.md
index c79ab3d0aa..a1b63ed90b 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/install-server.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/install-server.md
@@ -2,7 +2,7 @@
title: Install BitLocker on Windows Server
description: Learn how to install BitLocker on Windows Server.
ms.topic: how-to
-ms.date: 10/30/2023
+ms.date: 06/18/2024
appliesto:
- ✅ Windows Server 2022
- ✅ Windows Server 2019
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md b/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md
index f0745f7122..39be442f55 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md
@@ -1,8 +1,8 @@
---
-title: Network Unlock
+title: Network Unlock
description: Learn how BitLocker Network Unlock works and how to configure it.
ms.topic: how-to
-ms.date: 10/30/2023
+ms.date: 06/18/2024
---
# Network Unlock
@@ -255,7 +255,7 @@ The subnet policy configuration file must use a `[SUBNETS]` section to identify
```ini
[SUBNETS]
SUBNET1=10.185.250.0/24 ; a comment about this subrange could be here, after the semicolon
-SUBNET2=10.185.252.200/28
+SUBNET2=10.185.252.200/28
SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet
SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP.
```
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md b/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md
index 1eaff6b4ec..29452a46ea 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md
@@ -2,7 +2,7 @@
title: BitLocker operations guide
description: Learn how to use different tools to manage and operate BitLocker.
ms.topic: how-to
-ms.date: 10/30/2023
+ms.date: 06/18/2024
---
# BitLocker operations guide
@@ -239,7 +239,7 @@ Add-BitLockerKeyProtector E: -PasswordProtector -Password $pw
**Example**: Use PowerShell to enable BitLocker with a TPM protector
```powershell
-Enable-BitLocker D: -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
+Enable-BitLocker D: -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
```
**Example**: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to *123456*:
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md b/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md
index 5fb64c8c85..c54ad2e21e 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md
@@ -2,7 +2,7 @@
title: BitLocker planning guide
description: Learn how to plan for a BitLocker deployment in your organization.
ms.topic: concept-article
-ms.date: 10/30/2023
+ms.date: 06/18/2024
---
# BitLocker planning guide
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md b/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md
index 78ab928ae2..24437bd519 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md
@@ -2,14 +2,14 @@
title: BitLocker preboot recovery screen
description: Learn about the information displayed in the BitLocker preboot recovery screen, depending on configured policy settings and recovery keys status.
ms.topic: concept-article
-ms.date: 10/30/2023
+ms.date: 06/19/2024
---
# BitLocker preboot recovery screen
-During BitLocker recovery, the *preboot recovery screen* can display a custom recovery message, a custom recovery URL, and a few hints to help users finding where a key can be retrieved from.
+During BitLocker recovery, the *preboot recovery screen* is a critical touchpoint for users, offering a custom recovery message tailored to the organization's needs, a direct recovery URL for additional support, and strategic hints to assist users in locating their recovery key.
-This article describes the information displayed in the preboot recovery screen depending on configured policy settings and recovery keys status.
+This article delves into the various elements displayed on the preboot recovery screen, detailing how policy settings and the status of recovery keys influence the information presented. Whether it's a personalized message or practical guidance, the preboot recovery screen is designed to streamline the recovery process for users
## Default preboot recovery screen
@@ -72,10 +72,10 @@ There are rules governing which hint is shown during the recovery (in the order
:::row:::
:::column span="2":::
In this scenario, the recovery password is saved to a file
-
+
> [!IMPORTANT]
> It's not recommend to print recovery keys or saving them to a file. Instead, use Microsoft account, Microsoft Entra ID or Active Directory backup.
-
+
:::column-end:::
:::column span="2":::
:::image type="content" source="images/preboot-recovery-hint.png" alt-text="Screenshot of the BitLocker recovery screen showing a hint where the BitLocker recovery key was saved." lightbox="images/preboot-recovery-hint.png" border="false":::
@@ -92,7 +92,7 @@ There are rules governing which hint is shown during the recovery (in the order
- saved to Microsoft account
- not printed
- not saved to a file
-
+
**Result:** the hints for the custom URL and the Microsoft account (**https://aka.ms/myrecoverykey**) are displayed.
:::column-end:::
:::column span="2":::
@@ -110,7 +110,7 @@ There are rules governing which hint is shown during the recovery (in the order
- saved to Active Directory
- not printed
- not saved to a file
-
+
**Result:** only the custom URL is displayed.
:::column-end:::
:::column span="2":::
@@ -129,7 +129,7 @@ There are rules governing which hint is shown during the recovery (in the order
- saved to Microsoft Entra ID
- printed
- saved to file
-
+
**Result:** only the Microsoft account hint (**https://aka.ms/myrecoverykey**) is displayed.
:::column-end:::
:::column span="2":::
@@ -149,12 +149,12 @@ There are rules governing which hint is shown during the recovery (in the order
- saved to file
- creation time: **1PM**
- key ID: **4290B6C0-B17A-497A-8552-272CC30E80D4**
-
+
The recovery password #2 is:
- not backed up
- creation time: **3PM**
- key ID: **045219EC-A53B-41AE-B310-08EC883AAEDD**
-
+
**Result:** only the hint for the successfully backed up key is displayed, even if it isn't the most recent key.
:::column-end:::
:::column span="2":::
@@ -175,15 +175,130 @@ There are rules governing which hint is shown during the recovery (in the order
- Saved to Microsoft Entra ID
- creation time: **1PM**
- key ID: **4290B6C0-B17A-497A-8552-272CC30E80D4**
-
+
The recovery password #2 is:
- Saved to Microsoft Entra ID
- creation time: **3PM**
- key ID: **045219EC-A53B-41AE-B310-08EC883AAEDD**
-
+
**Result:** the Microsoft Entra ID hint (**https://aka.ms/aadrecoverykey**), which is the most recent key saved, is displayed.
:::column-end:::
:::column span="2":::
:::image type="content" source="images/preboot-recovery-multiple-passwords-multiple-backups.png" alt-text="Screenshot of the BitLocker recovery screen showing the key ID of the most recent key." lightbox="images/preboot-recovery-multiple-passwords-multiple-backups.png" border="false":::
:::column-end:::
:::row-end:::
+
+## Additional recovery information screen
+
+Starting in Windows 11, version 24H2, the BitLocker preboot recovery screen enhances the recovery error information. The recovery screen provides more detailed information about the nature of the recovery error, empowering users to better understand and address the issue.
+
+:::row:::
+ :::column span="2":::
+ Users have the option to review additional information about the recovery error by pressing the Alt key.
+ :::column-end:::
+ :::column span="2":::
+ :::image type="content" source="images/preboot-recovery-additional.png" alt-text="Screenshot of the BitLocker recovery screen highlighting the Alt keyboard button to access the recovery information screen." lightbox="images/preboot-recovery-additional.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="2":::
+ The **Additional recovery information** screen contains an *error category* and a *code*, which you can use to retrieve more details from the next section of this article.
+ :::column-end:::
+ :::column span="2":::
+ :::image type="content" source="images/preboot-recovery-additional-recovery-information.png" alt-text="Screenshot of the BitLocker recovery information screen." lightbox="images/preboot-recovery-additional-recovery-information.png" border="false":::
+ :::column-end:::
+:::row-end:::
+
+The next sections describe the codes for each BitLocker error category. Within each section there's a table with the error message displayed on the recovery screen, and the cause of the error. Some tables include possible resolution.
+
+The error categories are:
+
+- [Initiated by user](#initiated-by-user)
+- [Code integrity](#code-integrity)
+- [Device lockout](#device-lockout)
+- [Boot configuration](#boot-configuration)
+- [TPM](#tpm)
+- [Protector](#protector)
+- [Unknown](#unknown)
+
+### Initiated by user
+
+| Error code | Error cause | Resolution|
+|-|-|-|
+|`E_FVE_USER_REQUESTED_RECOVERY`|The user explicitly entered recovery mode from a screen with the option to `ESC` to recovery mode.||
+|`E_FVE_BOOT_DEBUG_ENABLED`|Boot debugging mode is enabled. |Remove the boot debugging option from the boot configuration database.|
+
+### Code integrity
+
+Driver signature enforcement is used to ensure code integrity of the operating system.
+
+| Error code | Error cause |
+|-|-|
+|`E_FVE_CI_DISABLED`|Driver signature enforcement is disabled.|
+
+### Device lockout
+
+Device lockout threshold functionality allows an administrator to configure Windows sign in with BitLocker protection. After the configured number of failed Windows sign in attempts, the device reboots and can only be recovered by providing a BitLocker recovery method.
+
+To take advantage of this functionality, you must configure the policy setting **Interactive logon: Machine account lockout threshold** located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options**. Alternatively, use the [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) **MaxFailedPasswordAttempts** policy setting, or the [DeviceLock Configuration Service Provider (CSP)](/windows/client-management/mdm/policy-csp-devicelock#accountlockoutpolicy).
+
+| Error code | Error cause | Resolution|
+|-|-|-|
+|`E_FVE_DEVICE_LOCKEDOUT`|Device lockout triggered due to too many incorrect sign in attempts.|A BitLocker recovery method is required to return to the sign in screen.|
+|`E_FVE_DEVICE_LOCKOUT_MISMATCH`|The device lockout counter is out of sync. |A BitLocker recovery method is required to return to the sign in screen.|
+
+### Boot configuration
+
+The *Boot Configuration Database (BCD)* contains critical information for the Windows boot environment.
+
+| Error code | Error cause | Resolution|
+|-|-|-|
+|`E_FVE_BAD_CODE_ID`
`E_FVE_BAD_CODE_OPTION`|BitLocker entered recovery mode because a boot application changed.
BitLocker tracks the data inside the BCD and BitLocker recovery can occur when this data changes without warning.
Refer to the recovery screen to find the boot application that changed.|To remediate this issue, restore the BCD configuration. A BitLocker recovery method is required to unlock the device if the BCD configuration can't be restored before booting.|
+
+For more information, see [Boot Configuration Data settings and BitLocker](bcd-settings-and-bitlocker.md).
+
+### TPM
+
+The Trusted Platform Module (TPM) is cryptographic hardware or firmware used to secure a device. BitLocker creates a *TPM protector* to manage protection of the encryption keys used to encrypt your data.
+
+At boot, BitLocker attempts to communicate with the TPM to unlock the device and access your data.
+
+| Error code | Error cause |
+|-|-|
+|`E_FVE_TPM_DISABLED` | A TPM is present but is disabled for use before or during boot.|
+|`E_FVE_TPM_INVALIDATED` | A TPM is present but invalidated.|
+|`E_FVE_BAD_SRK` | The TPM's internal Storage Root Key is corrupted.|
+|`E_FVE_TPM_NOT_DETECTED` | The booting system doesn't have or doesn't detect a TPM.|
+|`E_MATCHING_PCRS_TPM_FAILURE`| The TPM unexpectedly failed when unsealing the encryption key.|
+|`E_FVE_TPM_FAILURE` | Catch-all for other TPM errors.|
+
+For more information, see [Trusted Platform Module Technology Overview](../../../hardware-security/tpm/trusted-platform-module-overview.md) and [BitLocker and TPM](index.md#bitlocker-and-tpm).
+
+### Protector
+
+#### TPM protectors
+
+The TPM contains multiple Platform Configuration Registers (PCRs) that can be used in the validation profile of the BitLocker TPM protector. The PCRs are used to validate the integrity of the boot process, that is, that the boot configuration and boot flow hasn't been tampered with.
+
+BitLocker recovery can be the result of unexpected changes in the PCRs used in the TPM protector validation profile. Changes to PCRs not used in the TPM protector profile don't influence BitLocker.
+
+| Error code | Error cause |Resolution|
+|-|-|
+|`E_FVE_PCR_MISMATCH`|The device's configuration changed.
Possible causes include:
- A bootable media is inserted. Removing it and restarting your device might fix this problem
- A firmware update was applied without updating the TPM protector| A recovery method is required to unlock the device.|
+
+For more examples, see [BitLocker recovery scenarios](recovery-overview.md#bitlocker-recovery-scenarios).
+
+#### Special cases for PCR 7
+
+If the TPM protector uses PCR 7 in the validation profile, BitLocker expects PCR 7 to measure a specific set of events for Secure Boot. These measurements are defined in the UEFI spec. For more information, see [Static Root of Trust Measurements](/previous-versions/windows/hardware/hck/jj923068(v=vs.85)#appendix-a-static-root-of-trust-measurements)
+
+| Error code | Error cause |Resolution|
+|-|-|-|
+|`E_FVE_SECUREBOOT_DISABLED`|Secure Boot has been disabled. To access the encryption key and unlock your device, BitLocker expects Secure Boot to be on. | Re-enabling Secure Boot and rebooting the system might fix the recovery issue. Otherwise, a recovery method is required to access the device.|
+|`E_FVE_SECUREBOOT_CHANGED`|The Secure Boot configuration unexpectedly changed. The boot configuration measured in PCR 7 changed.
This may be either because of:
- An additional measurement currently present that wasn't present when BitLocker updated the TPM protector
- A missing measurement that was present when BitLocker last updated the TPM protector but now isn't present
- An expected event has a different measurement | A recovery method is required to unlock the device.|
+
+### Unknown
+
+| Error code | Error cause | Resolution|
+|-|-|-|
+|`E_FVE_RECOVERY_ERROR_UNKNOWN`| BitLocker entered recovery mode because of an unknown error. | A recovery method is required to unlock the device.|
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md
index c7613a0f46..4625b2f5e0 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md
@@ -2,7 +2,7 @@
title: BitLocker recovery overview
description: Learn about BitLocker recovery scenarios, recovery options, and how to determine root cause of failed automatic unlocks.
ms.topic: how-to
-ms.date: 10/30/2023
+ms.date: 06/18/2024
---
# BitLocker recovery overview
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md
index b002833d87..ea2fd91338 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md
@@ -2,7 +2,7 @@
title: BitLocker recovery process
description: Learn how to obtain BitLocker recovery information for Microsoft Entra joined, Microsoft Entra hybrid joined, and Active Directory joined devices, and how to restore access to a locked drive.
ms.topic: how-to
-ms.date: 10/30/2023
+ms.date: 06/18/2024
---
# BitLocker recovery process
@@ -83,7 +83,7 @@ function Get-EntraBitLockerKeys{
foreach ($keyId in $keyIds) {
$recoveryKey = (Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $keyId -Select "key").key
Write-Host -ForegroundColor White " Key id: $keyid"
- Write-Host -ForegroundColor Cyan " BitLocker recovery key: $recoveryKey"
+ Write-Host -ForegroundColor Cyan " BitLocker recovery key: $recoveryKey"
}
} else {
Write-Host -ForegroundColor Red "No BitLocker recovery keys found for device $DeviceName"