diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index d324d9f9d1..8377f170ae 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -19549,6 +19549,11 @@ "source_path": "windows/client-management/mdm/proxy-csp.md", "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference", "redirect_document_id": false - } + }, + { + "source_path": "windows/client-management/img-boot-sequence.md", + "redirect_url": "/windows/client-management/advanced-troubleshooting-boot-problems#boot-sequence", + "redirect_document_id": false + } ] } diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md index 87443100ce..70532ccda4 100644 --- a/education/windows/test-windows10s-for-edu.md +++ b/education/windows/test-windows10s-for-edu.md @@ -111,7 +111,7 @@ Back up all your data before installing Windows 10 in S mode. Only personal file Windows 10 in S mode doesn't support non-Azure Active Directory domain accounts. Before installing Windows 10 in S mode, you must have at least one of these administrator accounts: - Local administrator -- Microsoft Account (MSA) administrator +- Microsoft account administrator - Azure Active Directory administrator > [!WARNING] diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index e22acdf422..9090762b1e 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md 
@@ -82,7 +82,7 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run |Safe Exam Browser |3.3.2.413 |Win32 |Safe Exam Browser| |Secure Browser |14.0.0 |Win32 |Cambium Development| |Secure Browser |4.8.3.376 |Win32 |Questar, Inc| -|SensoCloud |2021.11.15.0 |Win32|Senso.Cloud| +|Senso.Cloud |2021.11.15.0 |Win32|Senso.Cloud| |SuperNova Magnifier & Screen Reader |21.02 |Win32 |Dolphin Computer Access| |Zoom |5.9.1 (2581)|Win32 |Zoom| |ZoomText Fusion |2022.2109.10|Win32 |Freedom Scientific| diff --git a/smb/breadcrumb/toc.yml b/smb/breadcrumb/toc.yml index 3fc3bfeaee..317dcb4c3b 100644 --- a/smb/breadcrumb/toc.yml +++ b/smb/breadcrumb/toc.yml @@ -1,10 +1,11 @@ +items: - name: Docs tocHref: / topicHref: / items: - name: Windows tocHref: /windows - topicHref: https://docs.microsoft.com/windows/#pivot=it-pro + topicHref: /windows/resources/ items: - name: SMB tocHref: /windows/smb diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md index 5ec635a24d..c6c6e4564c 100644 --- a/store-for-business/manage-private-store-settings.md +++ b/store-for-business/manage-private-store-settings.md @@ -50,10 +50,11 @@ You can create collections of apps within your private store. Collections allow You can add a collection to your private store from the private store, or from the details page for an app. **From private store** + 1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click your private store.
- ![Image showing private store name on MSfB store UI.](images/msfb-click-private-store.png) + ![Image showing private store name on Microsoft Store for Business store UI.](images/msfb-click-private-store.png) 3. Click **Add a Collection**.
![Image showing Add a Collection.](images/msfb-add-collection.png) @@ -65,6 +66,7 @@ You can add a collection to your private store from the private store, or from t > New collections require at least one app, or they will not be created. **From app details page** + 1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**, and then click **Products & services**. 3. Under **Apps & software**, choose an app you want to include in a new collection. @@ -84,12 +86,13 @@ If you've already added a Collection to your private store, you can easily add a 1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click your private store.
- ![Image showing private store name on MSfB store UI.](images/msfb-click-private-store.png) + ![Image showing private store name on Microsoft Store for Business store UI.](images/msfb-click-private-store.png) 3. Click the ellipses next to the collection name, and click **Edit collection**. 4. Add or remove products from the collection, and then click **Done**. You can also add an app to a collection from the app details page. + 1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**, and then click **Products & services**. 3. Under **Apps & software**, choose an app you want to include in a new collection. diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md index 42eda0b990..9478fd004c 100644 --- a/store-for-business/working-with-line-of-business-apps.md +++ b/store-for-business/working-with-line-of-business-apps.md @@ -45,7 +45,7 @@ You'll need to set up: - LOB publishers need to have an app in Microsoft Store, or have an app ready to submit to the Store. The process and timing look like this: -![Process showing LOB workflow in Microsoft Store for Business. Includes workflow for MSFB admin, LOB publisher, and Developer.](images/lob-workflow.png) +![Process showing LOB workflow in Microsoft Store for Business. Includes workflow for Microsoft Store for Business admin, LOB publisher, and Developer.](images/lob-workflow.png) ## Add an LOB publisher (Admin) Admins need to invite developer or ISVs to become an LOB publisher. diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md index dd92af8c4f..817cffb7c0 100644 --- a/windows/client-management/advanced-troubleshooting-boot-problems.md +++ b/windows/client-management/advanced-troubleshooting-boot-problems.md 
@@ -2,11 +2,11 @@ title: Advanced troubleshooting for Windows boot problems description: Learn to troubleshoot when Windows can't boot. This article includes advanced troubleshooting techniques intended for use by support agents and IT professionals. ms.prod: w10 -ms.sitesec: library -author: aczechowski +ms.technology: windows ms.localizationpriority: medium +ms.date: 06/02/2022 +author: aczechowski ms.author: aaroncz -ms.date: 11/16/2018 ms.reviewer: manager: dougeby ms.topic: troubleshooting @@ -15,16 +15,15 @@ ms.collection: highpri # Advanced troubleshooting for Windows boot problems -

Try our Virtual Agent - It can help you quickly identify and fix common Windows boot issues +

Try our Virtual Agent - It can help you quickly identify and fix common Windows boot issues. > [!NOTE] -> This article is intended for use by support agents and IT professionals. If you're looking for more general information about recovery options, see [Recovery options in Windows 10](https://support.microsoft.com/help/12415). +> This article is intended for use by support agents and IT professionals. If you're looking for more general information about recovery options, see [Recovery options in Windows 10](https://support.microsoft.com/windows/recovery-options-in-windows-31ce2444-7de3-818c-d626-e3b5a3024da5). ## Summary There are several reasons why a Windows-based computer may have problems during startup. To troubleshoot boot problems, first determine in which of the following phases the computer gets stuck: - | Phase | Boot Process | BIOS | UEFI | |-----------|----------------------|------------------------------------|-----------------------------------| | 1 | PreBoot | MBR/PBR (Bootstrap Code) | UEFI Firmware | 
@@ -32,31 +31,21 @@ There are several reasons why a Windows-based computer may have problems during | 3 | Windows OS Loader | %SystemRoot%\system32\winload.exe | %SystemRoot%\system32\winload.efi | | 4 | Windows NT OS Kernel | %SystemRoot%\system32\ntoskrnl.exe | | -**1. PreBoot** +1. **PreBoot**: The PC's firmware initiates a power-on self test (POST) and loads firmware settings. This pre-boot process ends when a valid system disk is detected. Firmware reads the master boot record (MBR), and then starts Windows Boot Manager. -The PC’s firmware initiates a Power-On Self Test (POST) and loads firmware settings. This pre-boot process ends when a valid system disk is detected. Firmware reads the master boot record (MBR), and then starts Windows Boot Manager. +2. **Windows Boot Manager**: Windows Boot Manager finds and starts the Windows loader (Winload.exe) on the Windows boot partition. -**2. Windows Boot Manager** +3. **Windows operating system loader**: Essential drivers required to start the Windows kernel are loaded and the kernel starts to run. -Windows Boot Manager finds and starts the Windows loader (Winload.exe) on the Windows boot partition. +4. **Windows NT OS Kernel**: The kernel loads into memory the system registry hive and other drivers that are marked as BOOT_START. -**3. Windows operating system loader** - -Essential drivers required to start the Windows kernel are loaded and the kernel starts to run. - -**4. Windows NT OS Kernel** - -The kernel loads into memory the system registry hive and other drivers that are marked as BOOT_START. - -The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that aren't marked BOOT_START. - -Here's a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. 
Before starting troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement. - -![thumbnail of boot sequence flowchart.](images/boot-sequence-thumb.png)
-[Click to enlarge](img-boot-sequence.md)
+ The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that aren't marked BOOT_START. + +Here's a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before you start troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement. Select the thumbnail to view it larger. +:::image type="content" source="images/boot-sequence-thumb.png" alt-text="Diagram of the boot sequence flowchart." lightbox="images/boot-sequence.png"::: Each phase has a different approach to troubleshooting. This article provides troubleshooting techniques for problems that occur during the first three phases. @@ -69,7 +58,6 @@ Each phase has a different approach to troubleshooting. This article provides tr > > `Bcdedit /set {default} bootmenupolicy legacy` - ## BIOS phase To determine whether the system has passed the BIOS phase, follow these steps: 
@@ -86,26 +74,25 @@ To determine whether the system has passed the BIOS phase, follow these steps: If the screen is black except for a blinking cursor, or if you receive one of the following error codes, this status indicates that the boot process is stuck in the Boot Loader phase: -- Boot Configuration Data (BCD) missing or corrupted -- Boot file or MBR corrupted -- Operating system Missing -- Boot sector missing or corrupted -- Bootmgr missing or corrupted -- Unable to boot due to system hive missing or corrupted - -To troubleshoot this problem, use Windows installation media to start the computer, press Shift+F10 for a command prompt, and then use any of the following methods. +- Boot Configuration Data (BCD) missing or corrupted +- Boot file or MBR corrupted +- Operating system Missing +- Boot sector missing or corrupted +- Bootmgr missing or corrupted +- Unable to boot due to system hive missing or corrupted +To troubleshoot this problem, use Windows installation media to start the computer, press **Shift** + **F10** for a command prompt, and then use any of the following methods. ### Method 1: Startup Repair tool The Startup Repair tool automatically fixes many common problems. The tool also lets you quickly diagnose and repair more complex startup problems. When the computer detects a startup problem, the computer starts the Startup Repair tool. When the tool starts, it performs diagnostics. These diagnostics include analyzing startup log files to determine the cause of the problem. When the Startup Repair tool determines the cause, the tool tries to fix the problem automatically. -To do this task of invoking the Startup Repair tool, follow these steps. +To do this task of invoking the Startup Repair tool, follow these steps. 
> [!NOTE] -> For additional methods to start WinRE, see [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre). +> For additional methods to start WinRE, see [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#entry-points-into-winre). -1. Start the system to the installation media for the installed version of Windows. For more information, see [Create installation media for Windows](https://support.microsoft.com/help/15088). +1. Start the system to the installation media for the installed version of Windows. For more information, see [Create installation media for Windows](https://support.microsoft.com/windows/create-installation-media-for-windows-99a58364-8c02-206f-aa6f-40c3b507420d). 2. On the **Install Windows** screen, select **Next** > **Repair your computer**. 
@@ -117,28 +104,26 @@ To do this task of invoking the Startup Repair tool, follow these steps. The Startup Repair tool generates a log file to help you understand the startup problems and the repairs that were made. You can find the log file in the following location: -**%windir%\System32\LogFiles\Srt\Srttrail.txt** - - -For more information, see [A Stop error occurs, or the computer stops responding when you try to start Windows Vista or Windows 7](https://support.microsoft.com/help/925810/a-stop-error-occurs-or-the-computer-stops-responding-when-you-try-to-s) +`%windir%\System32\LogFiles\Srt\Srttrail.txt` +For more information, see [Troubleshoot blue screen errors](https://support.microsoft.com/sbs/windows/troubleshoot-blue-screen-errors-5c62726c-6489-52da-a372-3f73142c14ad). ### Method 2: Repair Boot Codes To repair boot codes, run the following command: -```console +```command BOOTREC /FIXMBR ``` To repair the boot sector, run the following command: -```console +```command BOOTREC /FIXBOOT ``` > [!NOTE] -> Running **BOOTREC** together with **Fixmbr** overwrites only the master boot code. If the corruption in the MBR affects the partition table, running **Fixmbr** may not fix the problem. +> Running `BOOTREC` together with `Fixmbr` overwrites only the master boot code. If the corruption in the MBR affects the partition table, running `Fixmbr` may not fix the problem. ### Method 3: Fix BCD errors @@ -146,15 +131,15 @@ If you receive BCD-related errors, follow these steps: 1. Scan for all the systems that are installed. To do this step, run the following command: - ```console + ```command Bootrec /ScanOS ``` 2. Restart the computer to check whether the problem is fixed. 3. If the problem isn't fixed, run the following commands: - - ```console + + ```command bcdedit /export c:\bcdbackup attrib c:\boot\bcd -r -s -h 
@@ -172,128 +157,116 @@ If methods 1, 2 and 3 don't fix the problem, replace the Bootmgr file from drive 1. At a command prompt, change the directory to the System Reserved partition. -2. Run the **attrib** command to unhide the file: +2. Run the `attrib` command to unhide the file: - ```console + ```command attrib -r -s -h ``` 3. Navigate to the system drive and run the same command: - ```console + ```command attrib -r -s -h ``` -4. Rename the Bootmgr file as Bootmgr.old: +4. Rename the `bootmgr` file as `bootmgr.old`: - ```console + ```command ren c:\bootmgr bootmgr.old ``` 5. Navigate to the system drive. -6. Copy the Bootmgr file, and then paste it to the System Reserved partition. +6. Copy the `bootmgr` file, and then paste it to the System Reserved partition. 7. Restart the computer. -### Method 5: Restore System Hive +### Method 5: Restore system hive -If Windows can't load the system registry hive into memory, you must restore the system hive. To do this step,, use the Windows Recovery Environment or use Emergency Repair Disk (ERD) to copy the files from the C:\Windows\System32\config\RegBack to C:\Windows\System32\config. +If Windows can't load the system registry hive into memory, you must restore the system hive. To do this step, use the Windows Recovery Environment or use the Emergency Repair Disk (ERD) to copy the files from the `C:\Windows\System32\config\RegBack` directory to `C:\Windows\System32\config`. If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced. > [!NOTE] -> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. 
For more details, check [this article](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder) +> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more information, see [The system registry is no longer backed up to the RegBack folder starting in Windows 10 version 1803](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder). ## Kernel Phase If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These error messages include, but aren't limited to, the following examples: -- A Stop error appears after the splash screen (Windows Logo screen). +- A Stop error appears after the splash screen (Windows Logo screen). -- Specific error code is displayed. +- Specific error code is displayed. For example, `0x00000C2` , `0x0000007B` , or `inaccessible boot device`. + - [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md) + - [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md) - For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on. - - [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md) - - [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md) +- The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon. -- The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon. 
- -- A black screen appears after the splash screen. +- A black screen appears after the splash screen. To troubleshoot these problems, try the following recovery boot options one at a time. -**Scenario 1: Try to start the computer in Safe mode or Last Known Good Configuration** +### Scenario 1: Try to start the computer in Safe mode or Last Known Good Configuration On the **Advanced Boot Options** screen, try to start the computer in **Safe Mode** or **Safe Mode with Networking**. If either of these options works, use Event Viewer to help identify and diagnose the cause of the boot problem. To view events that are recorded in the event logs, follow these steps: -1. Use one of the following methods to open Event Viewer: +1. Use one of the following methods to open Event Viewer: - - Click **Start**, point to **Administrative Tools**, and then click - **Event Viewer**. + - Go to the **Start** menu, select **Administrative Tools**, and then select **Event Viewer**. - - Start the Event Viewer snap-in in Microsoft Management Console (MMC). + - Start the Event Viewer snap-in in Microsoft Management Console (MMC). -2. In the console tree, expand Event Viewer, and then click the log that you - want to view. For example, click **System log** or **Application log**. +2. In the console tree, expand Event Viewer, and then select the log that you want to view. For example, choose **System log** or **Application log**. -3. In the details pane, double-click the event that you want to view. +3. In the details pane, open the event that you want to view. -4. On the **Edit** menu, click **Copy**, open a new document in the program in - which you want to paste the event (for example, Microsoft Word), and then - click **Paste**. - -5. Use the Up Arrow or Down Arrow key to view the description of the previous - or next event. +4. On the **Edit** menu, select **Copy**. Open a new document in the program in which you want to paste the event. For example, Microsoft Word. 
Then select **Paste**. +5. Use the up arrow or down arrow key to view the description of the previous or next event. ### Clean boot -To troubleshoot problems that affect services, do a clean boot by using System Configuration (msconfig). +To troubleshoot problems that affect services, do a clean boot by using System Configuration (`msconfig`). Select **Selective startup** to test the services one at a time to determine which one is causing the problem. If you can't find the cause, try including system services. However, in most cases, the problematic service is third-party. Disable any service that you find to be faulty, and try to start the computer again by selecting **Normal startup**. -For detailed instructions, see [How to perform a clean boot in Windows](https://support.microsoft.com/help/929135/how-to-perform-a-clean-boot-in-windows). +For detailed instructions, see [How to perform a clean boot in Windows](https://support.microsoft.com/topic/how-to-perform-a-clean-boot-in-windows-da2f9573-6eec-00ad-2f8a-a97a1807f3dd). If the computer starts in Disable Driver Signature mode, start the computer in Disable Driver Signature Enforcement mode, and then follow the steps that are documented in the following article to determine which drivers or files require driver signature enforcement: -[Troubleshooting boot problem caused by missing driver signature (x64)](/archive/blogs/askcore/troubleshooting-boot-issues-due-to-missing-driver-signature-x64) +[Troubleshooting boot problem caused by missing driver signature (x64)](/archive/blogs/askcore/troubleshooting-boot-issues-due-to-missing-driver-signature-x64) > [!NOTE] > If the computer is a domain controller, try Directory Services Restore mode (DSRM). > > This method is an important step if you encounter Stop error "0xC00002E1" or "0xC00002E2" - -**Examples** +#### Examples > [!WARNING] -> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. 
These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these -problems can be solved. Modify the registry at your own risk. +> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft can't guarantee that these problems can be solved. Modify the registry at your own risk. *Error code INACCESSIBLE_BOOT_DEVICE (STOP 0x7B)* To troubleshoot this Stop error, follow these steps to filter the drivers: -1. Go to Windows Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of the same version of Windows or a later version. +1. Go to Windows Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of the same version of Windows or a later version. -2. Open the registry. +2. Open the registry. -3. Load the system hive, and name it as "test." +3. Load the system hive, and name it **test**. -4. Under the following registry subkey, check for lower filter and upper filter items for Non-Microsoft Drivers: - - **HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class** - -5. For each third-party driver that you locate, click the upper or lower filter, and then delete the value data. +4. Under the following registry subkey, check for lower filter and upper filter items for non-Microsoft drivers: -6. Search through the whole registry for similar items. Process as an appropriate, and then unload the registry hive. + `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class` -7. Restart the server in Normal mode. +5. For each third-party driver that you locate, select the upper or lower filter, and then delete the value data. -For more troubleshooting steps, see the following articles: +6. Search through the whole registry for similar items. Process as appropriate, and then unload the registry hive. 
-- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md) +7. Restart the server in Normal mode. + +For more troubleshooting steps, see [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md). To fix problems that occur after you install Windows updates, check for pending updates by using these steps: @@ -301,16 +274,15 @@ To fix problems that occur after you install Windows updates, check for pending 2. Run the command: - ```console + ```command DISM /image:C:\ /get-packages ``` 3. If there are any pending updates, uninstall them by running the following commands: - ```console + ```command DISM /image:C:\ /remove-package /packagename: name of the package - ``` - ```console + DISM /Image:C:\ /Cleanup-Image /RevertPendingActions ``` 
@@ -318,72 +290,67 @@ To fix problems that occur after you install Windows updates, check for pending If the computer doesn't start, follow these steps: -1. Open A Command Prompt window in WinRE, and start a text editor, such as Notepad. +1. Open a command prompt window in WinRE, and start a text editor, such as Notepad. -2. Navigate to the system drive, and search for windows\winsxs\pending.xml. +2. Navigate to the system drive, and search for `windows\winsxs\pending.xml`. -3. If the Pending.xml file is found, rename the file as Pending.xml.old. +3. If the pending.xml file is found, rename the file as `pending.xml.old`. -4. Open the registry, and then load the component hive in HKEY_LOCAL_MACHINE as a test. +4. Open the registry, and then load the component hive in HKEY_LOCAL_MACHINE as test. -5. Highlight the loaded test hive, and then search for the **pendingxmlidentifier** value. +5. Highlight the loaded test hive, and then search for the `pendingxmlidentifier` value. -6. If the **pendingxmlidentifier** value exists, delete the value. +6. If the `pendingxmlidentifier` value exists, delete it. -7. Unload the test hive. +7. Unload the test hive. -8. Load the system hive, name it as "test". +8. Load the system hive, name it **test**. -9. Navigate to the following subkey: - - **HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\TrustedInstaller** - -10. Change the **Start** value from **1** to **4** +9. Navigate to the following subkey: + + `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TrustedInstaller` + +10. Change the **Start** value from `1` to `4`. 11. Unload the hive. 12. Try to start the computer. -If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. 
For details, see the following articles: +If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For more information, see [Generate a kernel or complete crash dump](./generate-kernel-or-complete-crash-dump.md). -- [Generate a kernel or complete crash dump](./generate-kernel-or-complete-crash-dump.md) +For more information about page file problems in Windows 10 or Windows Server 2016, see [Introduction to page files](./introduction-page-file.md). -For more information about page file problems in Windows 10 or Windows Server 2016, see the following article: -- [Introduction to page files](./introduction-page-file.md) +For more information about Stop errors, see [Advanced troubleshooting for Stop error or blue screen error issue](./troubleshoot-stop-errors.md). -For more information about Stop errors, see the following Knowledge Base article: -- [Advanced troubleshooting for Stop error or blue screen error issue](./troubleshoot-stop-errors.md) +Sometimes the dump file shows an error that's related to a driver. For example, `windows\system32\drivers\stcvsm.sys` is missing or corrupted. In this instance, follow these guidelines: - -If the dump file shows an error that is related to a driver (for example, windows\system32\drivers\stcvsm.sys is missing or corrupted), follow these guidelines: - -- Check the functionality that is provided by the driver. If the driver is a third-party boot driver, make sure that you understand what it does. +- Check the functionality that's provided by the driver. If the driver is a third-party boot driver, make sure that you understand what it does. - If the driver isn't important and has no dependencies, load the system hive, and then disable the driver. - If the stop error indicates system file corruption, run the system file checker in offline mode. 
- - To do this, open WinRE, open a command prompt, and then run the following command: + - To do this action, open WinRE, open a command prompt, and then run the following command: - ```console - SFC /Scannow /OffBootDir=C:\ /OffWinDir=C:\Windows - ``` + ```command + SFC /Scannow /OffBootDir=C:\ /OffWinDir=C:\Windows + ``` - For more information, see [Using System File Checker (SFC) To Fix Issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues) + For more information, see [Using system file checker (SFC) to fix issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues). - - If there's disk corruption, run the check disk command: + - If there's disk corruption, run the check disk command: - ```console - chkdsk /f /r - ``` + ```command + chkdsk /f /r + ``` - - If the Stop error indicates general registry corruption, or if you believe that new drivers or services were installed, follow these steps: +- If the Stop error indicates general registry corruption, or if you believe that new drivers or services were installed, follow these steps: - 1. Start WinRE, and open a Command Prompt window. - 2. Start a text editor, such as Notepad. - 3. Navigate to C:\Windows\System32\Config\. - 4. Rename the all five hives by appending ".old" to the name. - 5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode. + 1. Start WinRE, and open a command prompt window. + 2. Start a text editor, such as Notepad. + 3. Navigate to `C:\Windows\System32\Config\`. + 4. Rename the all five hives by appending `.old` to the name. + 5. Copy all the hives from the `Regback` folder, paste them in the `Config` folder, and then try to start the computer in Normal mode. 
> [!NOTE] -> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder). +> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more information, see [The system registry is no longer backed up to the RegBack folder starting in Windows 10 version 1803](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder). diff --git a/windows/client-management/img-boot-sequence.md b/windows/client-management/img-boot-sequence.md deleted file mode 100644 index 6ce343dade..0000000000 --- a/windows/client-management/img-boot-sequence.md +++ /dev/null @@ -1,17 +0,0 @@ ---- -title: Boot sequence flowchart -description: View a full-sized view of the boot sequence flowchart. Use the link to return to the Advanced troubleshooting for Windows boot problems article. -ms.date: 11/16/2018 -ms.reviewer: -manager: dansimp -ms.author: dansimp -author: dansimp -ms.topic: article -ms.prod: w10 ---- - -# Boot sequence flowchart - -Return to: [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
- -![Full-sized boot sequence flowchart.](images/boot-sequence.png) diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index cc38c493dd..0f27f3d1d1 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md 
@@ -1,140 +1,136 @@ --- title: Manage Windows 10 in your organization - transitioning to modern management -description: This topic offers strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. -keywords: ["MDM", "device management", "group policy", "Azure Active Directory"] +description: This article offers strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: devices -author: dansimp ms.localizationpriority: medium -ms.date: 04/26/2018 +ms.date: 06/03/2022 +author: aczechowski +ms.author: aaroncz ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article +manager: dougeby +ms.topic: overview --- # Manage Windows 10 in your organization - transitioning to modern management Use of personal devices for work, and employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules used in your organization. -Your organization might have considered bringing in Windows 10 devices and downgrading them to Windows 7 until everything is in place for a formal upgrade process. While this downgrade may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it’s easy for versions to coexist. 
+Your organization might have considered bringing in Windows 10 devices and downgrading them to an earlier version of Windows until everything is in place for a formal upgrade process. While this downgrade may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it's easy for versions to coexist. -Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Endpoint Configuration Manager, Microsoft Intune, or other third-party products. This “managed diversity” enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster. +Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Endpoint Configuration Manager, Microsoft Intune, or other third-party products. This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster. This six-minute video demonstrates how users can bring in a new retail device and be up and working with their personalized settings and a managed experience in a few minutes, without being on the corporate network. It also demonstrates how IT can apply policies and configurations to ensure device compliance. 
> [!VIDEO https://www.youtube.com/embed/g1rIcBhhxpA] - >[!NOTE] - >The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](/information-protection/deploy-use/migrate-portal) +> [!NOTE] +> The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](/information-protection/deploy-use/migrate-portal) -This topic offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. The topic covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle: +This article offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. It covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle: -- [Deployment and Provisioning](#deployment-and-provisioning) +- [Deployment and Provisioning](#deployment-and-provisioning) -- [Identity and Authentication](#identity-and-authentication) +- [Identity and Authentication](#identity-and-authentication) -- [Configuration](#settings-and-configuration) +- [Configuration](#settings-and-configuration) -- [Updating and Servicing](#updating-and-servicing) +- [Updating and Servicing](#updating-and-servicing) ## Reviewing the management options with Windows 10 Windows 10 offers a range of management options, as shown in the following diagram: -The path to modern IT +:::image type="content" source="images/windows-10-management-range-of-options.png" alt-text="Diagram of the path to modern IT." 
lightbox="images/windows-10-management-range-of-options.png"::: -As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like Group Policy, Active Directory, and Microsoft Configuration Manager. It also delivers a “mobile-first, cloud-first” approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business. +As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like group Policy, Active Directory, and Configuration Manager. It also delivers a "mobile-first, cloud-first" approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business. -## Deployment and Provisioning +## Deployment and provisioning -With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully configured, fully managed devices, you can: +With Windows 10, you can continue to use traditional OS deployment, but you can also "manage out of the box." To transform new devices into fully configured, fully managed devices, you can: +- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management service such as [Windows Autopilot](/mem/autopilot/windows-autopilot) or [Microsoft Intune](/mem/intune/fundamentals/). 
-- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot](/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](/mem/intune/fundamentals/). +- Create self-contained provisioning packages built with the Windows Configuration Designer. For more information, see [Provisioning packages for Windows](/windows/configuration/provisioning-packages/provisioning-packages). -- Create self-contained provisioning packages built with the [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-packages). +- Use traditional imaging techniques such as deploying custom images using [Configuration Manager](/mem/configmgr/core/understand/introduction). -- Use traditional imaging techniques such as deploying custom images using [Microsoft Endpoint Configuration Manager](/configmgr/core/understand/introduction). +You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This process usage can mean lower deployment costs, and improved productivity as end users can be immediately productive - everything is right where they left it. You can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today. -You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This process usage can mean lower deployment costs, and improved productivity as end users can be immediately productive – everything is right where they left it. 
You can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7. +## Identity and authentication -## Identity and Authentication - -You can use Windows 10 and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **“bring your own device” (BYOD)** or to **“choose your own device” (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them. +You can use Windows 10 and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **"bring your own device" (BYOD)** or to **"choose your own device" (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them. You can envision user and device management as falling into these two categories: -- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices: +- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices: - - For corporate devices, they can set up corporate access with [Azure AD Join](/azure/active-directory/devices/overview). 
When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.
Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources. + - For corporate devices, they can set up corporate access with [Azure AD join](/azure/active-directory/devices/overview). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud. - - Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device. + Azure AD join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources. -- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises. - With Windows 10, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that’s [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This registration provides: + - Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device. 
- - Single sign-on to cloud and on-premises resources from everywhere +- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises. - - [Enterprise roaming of settings](/azure/active-directory/devices/enterprise-state-roaming-overview) + With Windows 10, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that's [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This registration provides: - - [Conditional access](/azure/active-directory/conditional-access/overview) to corporate resources based on the health or configuration of the device + - Single sign-on to cloud and on-premises resources from everywhere - - [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification) + - [Enterprise roaming of settings](/azure/active-directory/devices/enterprise-state-roaming-enable) - - Windows Hello + - [Conditional access](/azure/active-directory/conditional-access/overview) to corporate resources based on the health or configuration of the device - Domain joined PCs and tablets can continue to be managed with the [Configuration Manager](/configmgr/core/understand/introduction) client or Group Policy. + - [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification) + + - Windows Hello + + Domain joined PCs and tablets can continue to be managed with the [Configuration Manager](/mem/configmgr/core/understand/introduction) client or group policy. 
For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](/azure/active-directory/devices/overview). As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD. -![Decision tree for device authentication options.](images/windows-10-management-cyod-byod-flow.png) +:::image type="content" source="images/windows-10-management-cyod-byod-flow.png" alt-text="Diagram of decision tree for device authentication options." lightbox="images/windows-10-management-cyod-byod-flow.png"::: -## Settings and Configuration +## Settings and configuration -Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer.  +Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer. -**MDM**: [MDM](https://www.microsoft.com/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. 
(In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using GP that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go. +**MDM**: MDM gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, group policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using group policy that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go. -**Group Policy** and **Microsoft Endpoint Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer’s 1,500 configurable Group Policy settings. If so, Group Policy and Configuration Manager continue to be excellent management choices: +**Group policy** and **Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer's 1,500 configurable group policy settings. If so, group policy and Configuration Manager continue to be excellent management choices: -- Group Policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add Group Policy settings with each new version of Windows. 
+- Group policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add group policy settings with each new version of Windows. -- Configuration Manager remains the recommended solution for granular configuration with robust software deployment, Windows updates, and OS deployment. +- Configuration Manager remains the recommended solution for granular configuration with robust software deployment, Windows updates, and OS deployment. +## Updating and servicing -## Updating and Servicing +With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple - often automatic - patching processes. For more information, see [Windows 10 deployment scenarios](/windows/deployment/windows-10-deployment-scenarios). -With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple – often automatic – patching processes. For more information, see [Windows 10 deployment scenarios](/windows/deployment/windows-10-deployment-scenarios). - -MDM with Intune provide tools for applying Windows updates to client computers in your organization. Configuration Manager allows rich management and tracking capabilities of these updates, including maintenance windows and automatic deployment rules. +MDM with Intune provide tools for applying Windows updates to client computers in your organization. Configuration Manager allows rich management and tracking capabilities of these updates, including maintenance windows and automatic deployment rules. 
## Next steps There are various steps you can take to begin the process of modernizing device management in your organization: -**Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, re-evaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use the [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to help determine which Group Policies are set for a target user/computer and cross-reference them against the list of available MDM policies. +**Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, reevaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use [Group policy analytics in Microsoft Endpoint Manager](/mem/intune/configuration/group-policy-analytics) to help determine which group policies supported by cloud-based MDM providers, including Microsoft Intune. **Assess the different use cases and management needs in your environment.** Are there groups of devices that could benefit from lighter, simplified management? BYOD devices, for example, are natural candidates for cloud-based management. Users or devices handling more highly regulated data might require an on-premises Active Directory domain for authentication. Configuration Manager and EMS provide you the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs. 
**Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario. -**Take incremental steps.** Moving towards modern device management doesn’t have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this “managed diversity,” users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. Starting with Windows 10, version 1803, the new policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp) was added to allow MDM policies to take precedence over GP when both GP and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your GP environment. Here's the list of MDM policies with equivalent GP - [Policies supported by GP](./mdm/policy-configuration-service-provider.md) +**Take incremental steps.** Moving towards modern device management doesn't have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this "managed diversity," users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. The CSP policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp) allows MDM policies to take precedence over group policy when both group policy and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your group policy environment. 
For more information, including the list of MDM policies with equivalent group policies, see [Policies supported by group policy](./mdm/policy-configuration-service-provider.md). +**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. For more information, see the following articles: -**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Configuration Manager 1710 onward, co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. See these topics for details: +- [Co-management for Windows devices](/mem/configmgr/comanage/overview) +- [Prepare Windows devices for co-management](/mem/configmgr/comanage/how-to-prepare-Win10) +- [Switch Configuration Manager workloads to Intune](/mem/configmgr/comanage/how-to-switch-workloads) +- [Co-management dashboard in Configuration Manager](/mem/configmgr/comanage/how-to-monitor) -- [Co-management for Windows 10 devices](/configmgr/core/clients/manage/co-management-overview) -- [Prepare Windows 10 devices for co-management](/configmgr/core/clients/manage/co-management-prepare) -- [Switch Configuration Manager workloads to Intune](/configmgr/core/clients/manage/co-management-switch-workloads) -- [Co-management dashboard in Configuration Manager](/configmgr/core/clients/manage/co-management-dashboard) +## Related articles -## Related topics - -- [What is Intune?](/mem/intune/fundamentals/what-is-intune) -- [Windows 10 Policy CSP](./mdm/policy-configuration-service-provider.md) -- [Windows 10 Configuration service 
Providers](./mdm/configuration-service-provider-reference.md) +- [What is Intune?](/mem/intune/fundamentals/what-is-intune) +- [Windows 10 policy CSP](./mdm/policy-configuration-service-provider.md) +- [Windows 10 configuration service providers](./mdm/configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/change-history-for-mdm-documentation.md b/windows/client-management/mdm/change-history-for-mdm-documentation.md index ef943cbe35..5eb147ea0c 100644 --- a/windows/client-management/mdm/change-history-for-mdm-documentation.md +++ b/windows/client-management/mdm/change-history-for-mdm-documentation.md @@ -1,13 +1,13 @@ --- title: Change history for MDM documentation description: This article lists new and updated articles for Mobile Device Management. +author: aczechowski +ms.author: aaroncz ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: dougeby ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp ms.localizationpriority: medium ms.date: 10/19/2020 --- @@ -174,7 +174,6 @@ This article lists new and updated articles for the Mobile Device Management (MD |New or updated article | Description| |--- | ---| -|[Mobile device management](index.md#mmat) | Added information about the MDM Migration Analysis Tool (MMAT).| |[Policy CSP - DeviceGuard](policy-csp-deviceguard.md) | Updated ConfigureSystemGuardLaunch policy and replaced EnableSystemGuard with it.| ## August 2018 @@ -227,7 +226,6 @@ This article lists new and updated articles for the Mobile Device Management (MD |[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)|Added the following node in Windows 10, version 1803:

  • Settings/AllowVirtualGPU
  • Settings/SaveFilesToHost| |[NetworkProxy CSP](networkproxy-csp.md)|Added the following node in Windows 10, version 1803:
  • ProxySettingsPerUser| |[Accounts CSP](accounts-csp.md)|Added a new CSP in Windows 10, version 1803.| -|[MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat)|Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.| |[CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download)|Added the DDF download of Windows 10, version 1803 configuration service providers.| |[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:
  • Bluetooth/AllowPromptedProximalConnections
  • KioskBrowser/EnableEndSessionButton
  • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication
  • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic
  • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic
  • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers| diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index 22f1b88991..c484b9a326 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -861,7 +861,7 @@ Here's the list of corresponding Group Policy settings in HKLM\\Software\\Polici |DeferFeatureUpdates|REG_DWORD|1: defer feature updates

    Other value or absent: don’t defer feature updates| |DeferFeatureUpdatesPeriodInDays|REG_DWORD|0-180: days to defer feature updates| |PauseFeatureUpdates|REG_DWORD|1: pause feature updates

    Other value or absent: don’t pause feature updates| -|ExcludeWUDriversInQualityUpdate|REG_DWORD|1: exclude WU drivers

    Other value or absent: offer WU drivers| +|ExcludeWUDriversInQualityUpdate|REG_DWORD|1: exclude Windows Update drivers

    Other value or absent: offer Windows Update drivers| Here's the list of older policies that are still supported for backward compatibility. You can use these older policies for Windows 10, version 1511 devices. diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index 140f4c8884..187e71bdb1 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -630,7 +630,7 @@ The status error mapping is listed below. |--- |--- | |0|Success| |1|Failure: invalid PFN| -|2|Failure: invalid or expired device authentication with MSA| +|2|Failure: invalid or expired device authentication with Microsoft account| |3|Failure: WNS client registration failed due to an invalid or revoked PFN| |4|Failure: no Channel URI assigned| |5|Failure: Channel URI has expired| diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index 9cc537ef24..2c237eb14f 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md 
@@ -27,12 +27,12 @@ The table below shows the applicability of Windows: The EnterpriseDataProtection configuration service provider (CSP) is used to configure settings for Windows Information Protection (WIP), formerly known as Enterprise Data Protection. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip). -> [!Note] -> To make WIP functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md). +> [!NOTE] +> To make Windows Information Protection functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md). -While WIP has no hard dependency on VPN, for best results you should configure VPN profiles first before you configure the WIP policies. For VPN best practice recommendations, see [VPNv2 CSP](vpnv2-csp.md). +While Windows Information Protection has no hard dependency on VPN, for best results you should configure VPN profiles first before you configure the WIP policies. For VPN best practice recommendations, see [VPNv2 CSP](vpnv2-csp.md). -To learn more about WIP, see the following articles: +To learn more about Windows Information Protection, see the following articles: - [Create a Windows Information Protection (WIP) policy](/windows/security/information-protection/windows-information-protection/overview-create-wip-policy) - [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip) 
@@ -63,8 +63,8 @@ The root node for the Windows Information Protection (WIP) configuration setting **Settings/EDPEnforcementLevel** Set the WIP enforcement level. -> [!Note] -> Setting this value isn't sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running. +> [!NOTE] +> Setting this value isn't sufficient to enable Windows Information Protection on the device. Attempts to change this value will fail when the WIP cleanup is running. The following list shows the supported values: 
@@ -76,14 +76,13 @@ The following list shows the supported values: Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/EnterpriseProtectedDomainNames** -A list of domains used by the enterprise for its user identities separated by pipes ("|"). The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running. +A list of domains used by the enterprise for its user identities separated by pipes ("|"). The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for Windows Information Protection. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running. Changing the primary enterprise ID isn't supported and may cause unexpected behavior on the client. -> [!Note] +> [!NOTE] > The client requires domain name to be canonical, otherwise the setting will be rejected by the client. - Here are the steps to create canonical domain names: 1. Transform the ASCII characters (A-Z only) to lowercase. For example, Microsoft.COM -> microsoft.com. 
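Review bot: In the rewritten Settings/EnterpriseProtectedDomainNames paragraph, "User identities from one of these domains is considered an enterprise managed account" still has a subject-verb mismatch. Since the line is being touched anyway, change it to "A user identity from one of these domains is considered an enterprise managed account". The paragraph also now mixes "Windows Information Protection" with "the WIP cleanup"; use one form consistently within the paragraph.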
@@ -242,7 +241,7 @@ For EFSCertificate KeyTag, it's expected to be a DER ENCODED binary certificate. Supported operations are Add, Get, Replace, and Delete. Value type is base-64 encoded certificate. **Settings/RevokeOnUnenroll** -This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after unenrollment. If the keys aren't revoked, there will be no revoked file cleanup, later. Prior to sending the unenroll command, when you want a device to do a selective wipe when it's unenrolled, then you should explicitly set this policy to 1. +This policy controls whether to revoke the Windows Information Protection keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after unenrollment. If the keys aren't revoked, there will be no revoked file cleanup, later. Prior to sending the unenroll command, when you want a device to do a selective wipe when it's unenrolled, then you should explicitly set this policy to 1. The following list shows the supported values: 
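Review bot: The last sentence of the updated Settings/RevokeOnUnenroll description is hard to parse ("Prior to sending the unenroll command, when you want a device to do a selective wipe when it's unenrolled, then you should explicitly set this policy to 1"), and the stray comma in "no revoked file cleanup, later" is carried over. This setting decides whether a user keeps access to protected files after unenrollment, so the instruction should be unambiguous. Suggest: "To have a device do a selective wipe when it's unenrolled, explicitly set this policy to 1 before you send the unenroll command."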
@@ -252,7 +251,7 @@ The following list shows the supported values: Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/RevokeOnMDMHandoff** -Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after upgrade. This setting is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service. +Added in Windows 10, version 1703. This policy controls whether to revoke the Windows Information Protection keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after upgrade. This setting is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service. - 0 - Don't revoke keys. - 1 (default) - Revoke keys. @@ -265,7 +264,7 @@ TemplateID GUID to use for Rights Management Service (RMS) encryption. The RMS t Supported operations are Add, Get, Replace, and Delete. Value type is string (GUID). **Settings/AllowAzureRMSForEDP** -Specifies whether to allow Azure RMS encryption for WIP. +Specifies whether to allow Azure RMS encryption for Windows Information Protection. - 0 (default) – Don't use RMS. - 1 – Use RMS. 
@@ -278,7 +277,7 @@ When this policy isn't specified, the existing auto-encryption behavior is appli Supported operations are Add, Get, Replace and Delete. Value type is string. **Settings/EDPShowIcons** -Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app. +Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the Windows Information Protection icon in the title bar of a WIP-protected app. The following list shows the supported values: - 0 (default) - No WIP overlays on icons or tiles. @@ -287,7 +286,7 @@ The following list shows the supported values: Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Status** -A read-only bit mask that indicates the current state of WIP on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured. +A read-only bit mask that indicates the current state of Windows Information Protection on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured. Suggested values: 
@@ -299,7 +298,7 @@ Bit 0 indicates whether WIP is on or off. Bit 1 indicates whether AppLocker WIP policies are set. -Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies aren't configured, the bit 3 is set to 0 (zero). +Bit 3 indicates whether the mandatory Windows Information Protection policies are configured. If one or more of the mandatory WIP policies aren't configured, the bit 3 is set to 0 (zero). Here's the list of mandatory WIP policies: diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 39c9fa46f5..022801745a 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -5,8 +5,7 @@ ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows -author: manikadhiman -ms.date: 11/29/2021 +author: dansimp ms.reviewer: manager: dansimp --- @@ -245,7 +244,7 @@ Default value is true. Value type is bool. Supported operations are Add, Get and Replace. **/DefaultOutboundAction** -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it's explicitly specified not to block. +This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. DefaultOutboundAction will allow all outbound traffic unless it's explicitly specified not to allow. - 0x00000000 - allow - 0x00000001 - block 
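Review bot: The DefaultOutboundAction sentence in firewall-csp.md flips the documented default from block to allow, but "will allow all outbound traffic unless it's explicitly specified not to allow" is a word-for-word inversion that reads poorly, and the value list under it still doesn't say which value is the default. Suggest marking the default in the list the way the EnterpriseDataProtection article in this same change does ("0 (default)"), for example "0x00000000 (default) - allow", and rewording the sentence to "By default, all outbound traffic is allowed unless it's explicitly blocked."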
@@ -441,4 +440,4 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete. ## Related topics -[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md index 35bed03a19..e17aa75f60 100644 --- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md +++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md 
@@ -80,17 +80,17 @@ Since the [Poll](dmclient-csp.md#provider-providerid-poll) node isn’t provided MAM on Windows supports the following configuration service providers (CSPs). All other CSPs will be blocked. Note the list may change later based on customer feedback: -- [AppLocker CSP](applocker-csp.md) for configuration of WIP enterprise allowed apps. +- [AppLocker CSP](applocker-csp.md) for configuration of Windows Information Protection enterprise allowed apps. - [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs. - [DeviceStatus CSP](devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703). - [DevInfo CSP](devinfo-csp.md). - [DMAcc CSP](dmacc-csp.md). - [DMClient CSP](dmclient-csp.md) for polling schedules configuration and MDM discovery URL. -- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) has WIP policies. +- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) has Windows Information Protection policies. - [Health Attestation CSP](healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703). - [PassportForWork CSP](passportforwork-csp.md) for Windows Hello for Business PIN management. - [Policy CSP](policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas. -- [Reporting CSP](reporting-csp.md) for retrieving WIP logs. +- [Reporting CSP](reporting-csp.md) for retrieving Windows Information Protection logs. - [RootCaTrustedCertificates CSP](rootcacertificates-csp.md). - [VPNv2 CSP](vpnv2-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM. - [WiFi CSP](wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM. 
@@ -116,13 +116,13 @@ MAM policy syncs are modeled after MDM. The MAM client uses an Azure AD token to Windows doesn't support applying both MAM and MDM policies to the same devices. If configured by the admin, users can change their MAM enrollment to MDM. > [!NOTE] -> When users upgrade from MAM to MDM on Windows Home edition, they lose access to WIP. On Windows Home edition, we don't recommend pushing MDM policies to enable users to upgrade. +> When users upgrade from MAM to MDM on Windows Home edition, they lose access to Windows Information Protection. On Windows Home edition, we don't recommend pushing MDM policies to enable users to upgrade. To configure MAM device for MDM enrollment, the admin needs to configure the MDM Discovery URL in the DMClient CSP. This URL will be used for MDM enrollment. -In the process of changing MAM enrollment to MDM, MAM policies will be removed from the device after MDM policies have been successfully applied. Normally when WIP policies are removed from the device, the user’s access to WIP-protected documents is revoked (selective wipe) unless EDP CSP RevokeOnUnenroll is set to false. To prevent selective wipe on enrollment change from MAM to MDM, the admin needs to ensure that: +In the process of changing MAM enrollment to MDM, MAM policies will be removed from the device after MDM policies have been successfully applied. Normally when Windows Information Protection policies are removed from the device, the user’s access to WIP-protected documents is revoked (selective wipe) unless EDP CSP RevokeOnUnenroll is set to false. To prevent selective wipe on enrollment change from MAM to MDM, the admin needs to ensure that: -- Both MAM and MDM policies for the organization support WIP. +- Both MAM and MDM policies for the organization support Windows Information Protection. - EDP CSP Enterprise ID is the same for both MAM and MDM. - EDP CSP RevokeOnMDMHandoff is set to false. 
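Review bot: The changed paragraph says access is revoked "unless EDP CSP RevokeOnUnenroll is set to false", and the list under it asks for "EDP CSP RevokeOnMDMHandoff is set to false", but the EnterpriseDataProtection CSP article edited in this same change documents both settings as integers (0 - Don't revoke keys, 1 - Revoke keys). Suggest "set to 0" in both places so the guidance matches the value an admin actually sends.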
diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md index 7fe9cd95eb..5bd11c744d 100644 --- a/windows/client-management/mdm/index.md +++ b/windows/client-management/mdm/index.md 
@@ -1,28 +1,28 @@ --- title: Mobile device management -description: Windows 10 and Windows 11 provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy +description: Windows 10 and Windows 11 provide an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy. MS-HAID: - 'p\_phDeviceMgmt.provisioning\_and\_device\_management' - 'p\_phDeviceMgmt.mobile\_device\_management\_windows\_mdm' -ms.assetid: 50ac90a7-713e-4487-9cb9-b6d6fdaa4e5b -ms.author: dansimp -ms.topic: article +ms.topic: overview ms.prod: w10 ms.technology: windows -author: dansimp +author: aczechowski +ms.author: aaroncz ms.collection: highpri +ms.date: 06/03/2022 --- # Mobile device management -Windows 10 and Windows 11 provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users' privacy on their personal devices. A built-in management component can communicate with the management server. +Windows 10 and Windows 11 provide an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users' privacy on their personal devices. A built-in management component can communicate with the management server. -There are two parts to the Windows management component: +There are two parts to the Windows management component: -- The enrollment client, which enrolls and configures the device to communicate with the enterprise management server. -- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT. +- The enrollment client, which enrolls and configures the device to communicate with the enterprise management server. 
+- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT. -Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers don't need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). +Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers don't need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). ## MDM security baseline 
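Review bot: In the front matter, the new description line ends with "avoiding compromise of user's privacy" while the first body paragraph says "the users' privacy"; use the plural possessive in both. Several -/+ pairs in this hunk (the heading line "There are two parts to the Windows management component:", the two bullets, and the "Third-party MDM servers" paragraph) show no textual difference, so confirm the whitespace-only changes are intentional.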
@@ -37,7 +37,7 @@ The MDM security baseline includes policies that cover the following areas: - Legacy technology policies that offer alternative solutions with modern technology - And much more -For more details about the MDM policies defined in the MDM security baseline and what Microsoft's recommended baseline policy values are, see: +For more information about the MDM policies defined in the MDM security baseline and what Microsoft's recommended baseline policy values are, see: - [MDM Security baseline for Windows 11](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/Windows11-MDM-SecurityBaseLine-Document.zip) - [MDM Security baseline for Windows 10, version 2004](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/2004-MDM-SecurityBaseLine-Document.zip) 
@@ -48,37 +48,27 @@ For more details about the MDM policies defined in the MDM security baseline and For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](/mem/intune/protect/security-baseline-settings-mdm-all). - - -## Learn about migrating to MDM - -When an organization wants to move to MDM to manage devices, they should prepare by analyzing their current Group Policy settings to see what they need to transition to MDM management. Microsoft created the [MDM Migration Analysis Tool](https://aka.ms/mmat/) (MMAT) to help. MMAT determines which Group Policies have been set for a target user or computer and then generates a report that lists the level of support for each policy setting in MDM equivalents. For more information, see [MMAT Instructions](https://github.com/WindowsDeviceManagement/MMAT/blob/master/MDM%20Migration%20Analysis%20Tool%20Instructions.pdf). - - ## Learn about device enrollment - -- [Mobile device enrollment](mobile-device-enrollment.md) -- [Federated authentication device enrollment](federated-authentication-device-enrollment.md) -- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) -- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) +- [Mobile device enrollment](mobile-device-enrollment.md) +- [Federated authentication device enrollment](federated-authentication-device-enrollment.md) +- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) +- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) ## Learn about device management - -- [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md) -- [Enterprise app management](enterprise-app-management.md) -- [Mobile device management (MDM) for device updates](device-update-management.md) -- [Enable offline upgrades to 
Windows 10 for Windows Embedded 8.1 Handheld devices](enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md) -- [OMA DM protocol support](oma-dm-protocol-support.md) -- [Structure of OMA DM provisioning files](structure-of-oma-dm-provisioning-files.md) -- [Server requirements for OMA DM](server-requirements-windows-mdm.md) -- [Enterprise settings, policies, and app management](windows-mdm-enterprise-settings.md) +- [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md) +- [Enterprise app management](enterprise-app-management.md) +- [Mobile device management (MDM) for device updates](device-update-management.md) +- [Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices](enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md) +- [OMA DM protocol support](oma-dm-protocol-support.md) +- [Structure of OMA DM provisioning files](structure-of-oma-dm-provisioning-files.md) +- [Server requirements for OMA DM](server-requirements-windows-mdm.md) +- [Enterprise settings, policies, and app management](windows-mdm-enterprise-settings.md) ## Learn about configuration service providers - -- [Configuration service provider reference](configuration-service-provider-reference.md) -- [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md) -- [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md) -- [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) +- [Configuration service provider reference](configuration-service-provider-reference.md) +- [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md) +- [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md) +- [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) 
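Review bot: Under "## Learn about device enrollment", "## Learn about device management" and "## Learn about configuration service providers", the blank line between the heading and its list is removed together with the old bullets and is not added back, so each list now starts on the line directly after its heading. Keep one blank line after each heading; the removed and added bullet text is otherwise identical, so the only net effect of those lines is the lost spacing.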
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index 142d9058c1..61da8064e2 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md @@ -9,7 +9,7 @@ ms.prod: w10 ms.technology: windows author: dansimp ms.localizationpriority: medium -ms.date: 03/01/2022 +ms.date: 06/06/2022 --- # Policies in Policy CSP supported by HoloLens 2 
@@ -50,11 +50,15 @@ ms.date: 03/01/2022 - [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength) - [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana) - [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment) +- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) - [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) 9 -- [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) 10 +- [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) 11 - [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) 9 +- [MixedReality/ConfigureMovingPlatform](policy-csp-mixedreality.md#mixedreality-configuremovingplatform) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update) - [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) 9 +- [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#mixedreality-headtrackingmode) 9 - [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) 9 +- [MixedReality/VisitorAutoLogon](policy-csp-mixedreality.md#mixedreality-visitorautologon) 10 - [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#mixedreality-volumebuttondisabled) 9 - [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) 9 - [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) 9 
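Review bot: The first added line, the MixedReality/AADGroupMembershipCacheValidityInDays entry, duplicates the unchanged entry directly below it, which already lists the same policy with footnote 9; drop the new line. The added MixedReality/ConfigureMovingPlatform entry also carries an unmatched "*" before its release-notes link instead of a numbered footnote like its neighbours; either add a footnote for the Feb. 2022 servicing release or remove the asterisk.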
@@ -102,13 +106,13 @@ ms.date: 03/01/2022 - [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart) 9 - [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate) - [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice) -- [Update/AutoRestartNotificationSchedule](policy-csp-update.md#update-autorestartnotificationschedule) 10 -- [Update/AutoRestartRequiredNotificationDismissal](policy-csp-update.md#update-autorestartrequirednotificationdismissal) 10 +- [Update/AutoRestartNotificationSchedule](policy-csp-update.md#update-autorestartnotificationschedule) 11 +- [Update/AutoRestartRequiredNotificationDismissal](policy-csp-update.md#update-autorestartrequirednotificationdismissal) 11 - [Update/BranchReadinessLevel](policy-csp-update.md#update-branchreadinesslevel) -- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates) 10 -- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) 10 -- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) 10 -- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot) 10 +- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates) 11 +- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) 11 +- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) 11 +- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot) 11 - [Update/DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#update-deferfeatureupdatesperiodindays) - [Update/DeferQualityUpdatesPeriodInDays](policy-csp-update.md#update-deferqualityupdatesperiodindays) - [Update/ManagePreviewBuilds](policy-csp-update.md#update-managepreviewbuilds) 
@@ -116,10 +120,10 @@ ms.date: 03/01/2022 - [Update/PauseQualityUpdates](policy-csp-update.md#update-pausequalityupdates) - [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday) - [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime) -- [Update/ScheduleImminentRestartWarning](policy-csp-update.md#update-scheduleimminentrestartwarning) 10 -- [Update/ScheduleRestartWarning](policy-csp-update.md#update-schedulerestartwarning) 10 +- [Update/ScheduleImminentRestartWarning](policy-csp-update.md#update-scheduleimminentrestartwarning) 11 +- [Update/ScheduleRestartWarning](policy-csp-update.md#update-schedulerestartwarning) 11 - [Update/SetDisablePauseUXAccess](policy-csp-update.md#update-setdisablepauseuxaccess) -- [Update/UpdateNotificationLevel](policy-csp-update.md#update-updatenotificationlevel) 10 +- [Update/UpdateNotificationLevel](policy-csp-update.md#update-updatenotificationlevel) 11 - [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration) - [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi) 8 @@ -133,8 +137,9 @@ Footnotes: - 6 - Available in Windows 10, version 1903. - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. -- 9 - Available in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) -- 10 - Available in [Windows Holographic, version 21H2](/hololens/hololens-release-notes#windows-holographic-version-21h2) +- 9 - Available in [Windows Holographic, version 20H2](/hololens/hololens-release-notes-2004#windows-holographic-version-20h2) +- 10 - Available in [Windows Holographic, version 21H1](/hololens/hololens-release-notes#windows-holographic-version-21h1) +- 11 - Available in [Windows Holographic, version 21H2](/hololens/hololens-release-notes#windows-holographic-version-21h2) ## Related topics 
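Review bot: Footnote 10 changes meaning in this hunk from Windows Holographic, version 21H2 to version 21H1, with 21H2 moving to 11, so any list entry still tagged 10 that these hunks don't touch would now point at the wrong release; confirm the only remaining 10 is the new MixedReality/VisitorAutoLogon entry. Footnote 9 is also repointed to /hololens/hololens-release-notes-2004 while 10 and 11 use /hololens/hololens-release-notes, so check that the 20H2 anchor exists on that page, and end the three footnotes with a period to match footnotes 6 through 8.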
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index 534d785335..e261b05c4e 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -68,12 +68,12 @@ manager: dansimp -Specifies whether user is allowed to add non-MSA email accounts. +Specifies whether user is allowed to add email accounts other than Microsoft account. Most restricted value is 0. > [!NOTE] -> This policy will only block UI/UX-based methods for adding non-Microsoft accounts. +> This policy will only block UI/UX-based methods for adding non-Microsoft accounts. @@ -114,7 +114,7 @@ The following list shows the supported values: -Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. +Specifies whether the user is allowed to use a Microsoft account for non-email related connection authentication and services. Most restricted value is 0. 
@@ -160,10 +160,10 @@ The following list shows the supported values: Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service. > [!NOTE] -> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). +> If the Microsoft account service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). > [!NOTE] -> If the MSA service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the MSA ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app. +> If the Microsoft account service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the Microsoft account ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app. diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index 02d6f53ac3..420f8eb0b1 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md 
@@ -106,7 +106,7 @@ On a device where this policy is configured, the user specified in the policy wi > [!NOTE] > > - Some events such as major OS updates may require the specified user to logon to the device again to resume auto-logon behavior. -> - Auto-logon is only supported for MSA and AAD users. +> - Auto-logon is only supported for Microsoft account and AAD users.
    diff --git a/windows/client-management/mdm/reporting-csp.md b/windows/client-management/mdm/reporting-csp.md index 05da58027d..7748b792e0 100644 --- a/windows/client-management/mdm/reporting-csp.md +++ b/windows/client-management/mdm/reporting-csp.md @@ -88,7 +88,7 @@ Specifies the ending time for retrieving logs. - Supported operations are Get and Replace. **Type** -Added in Windows 10, version 1703. Specifies the type of logs to retrieve. You can use this policy to retrieve the WIP learning logs. +Added in Windows 10, version 1703. Specifies the type of logs to retrieve. You can use this policy to retrieve the Windows Information Protection learning logs. - Value type is integer. - Supported operations are Get and Replace. diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 33c45dd2be..a95c47c94f 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -904,6 +904,11 @@ items: items: - name: UnifiedWriteFilter DDF file href: unifiedwritefilter-ddf.md + - name: UniversalPrint CSP + href: universalprint-csp.md + items: + - name: UniversalPrint DDF file + href: universalprint-ddf-file.md - name: Update CSP href: update-csp.md items: diff --git a/windows/client-management/mdm/universalprint-csp.md b/windows/client-management/mdm/universalprint-csp.md new file mode 100644 index 0000000000..e7ca5d359c --- /dev/null +++ b/windows/client-management/mdm/universalprint-csp.md 
@@ -0,0 +1,110 @@ +--- +title: UniversalPrint CSP +description: Learn how the UniversalPrint configuration service provider (CSP) is used to install printers on Windows client devices. +ms.author: mandia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MandiOhlinger +ms.date: 06/02/2022 +ms.reviewer: jimwu +manager: dougeby +--- + +# UniversalPrint CSP + +The table below shows the applicability of Windows: + +|Edition|Windows 11| +|--- |--- | +|Home|No| +|Pro|Yes| +|Windows SE|Yes| +|Business|Yes| +|Enterprise|Yes| +|Education|Yes| + +The UniversalPrint configuration service provider (CSP) is used to add Universal Print-compatible printers to Windows client endpoints. Universal Print is a cloud-based printing solution that runs entirely in Microsoft Azure. It doesn't require any on-premises infrastructure. For more specific information, go to [What is Universal Print](/universal-print/fundamentals/universal-print-whatis). + +This CSP was added in Windows 11. + +The following example shows the UniversalPrint configuration service provider in tree format. + +```console +./Vendor/MSFT +PrinterProvisioning +----UPPrinterInstalls +-------- (PrinterSharedID) +--------CloudDeviceID +--------PrinterSharedName +--------Install +--------Status +--------ErrorCode +``` + +**./Vendor/MSFT/PrinterProvisioning** +The root node for the Universal Print PrinterProvisioning configuration service provider. + +**UPPrinterInstalls** + +This setting will install or uninstall a specific printer to a targeted user account. + +Valid values: + +- Install (default) - The printer is installed. +- Uninstall - The printer is uninstalled. + +The data type is node (XML node). Supported operation is Get. + +**`` (PrinterSharedID)** + +The Share ID is used to identify the Universal Print printer you want to install on the targeted user account. You can get the printer's Share ID in the printer's properties in the [Universal Print portal](/universal-print/portal/navigate-up). 
+ +The data type is node (XML node). Supported operations are Get, Add, and Delete. + +> [!NOTE] +> The targeted user account must have access rights to the printer and to the Universal Print service. + +**CloudDeviceID** + +The Printer ID is used to identify the Universal Print printer you want to install on the targeted user account. You can get the printer's Printer ID in the printer's properties in the [Universal Print portal](/universal-print/portal/navigate-up). + +The data type is string/text (GUID). Supported operations are Get, Add, Delete, and Replace. + +> [!NOTE] +> The targeted user account must have access rights to the printer and to the Universal Print service. + +**PrinterSharedName** + +The Share Name is used to identify the Universal Print printer you want to install on the targeted user account. You can get the printer's Share Name in the printer's properties in the [Universal Print portal](/universal-print/portal/navigate-up). + +The data type is string/text. Supported operations are Get, Add, Delete, and Replace. + +> [!NOTE] +> The targeted user account must have access rights to the printer and to the Universal Print service. + +**Install** + +Installs the Universal Print printer. Supports async execute. + +The data type is string/text (empty string). Supported operations are Get and Execute. + +**Status** + +The result status of the printer installation. + +Valid values: + +- 1 (default) - Installation completed successfully. +- 2 - Installation is in progress after receiving execute cmd. +- 4 - Installation failed. +- 8 - Installation initial status +- 32 - Unknown (not used) + +The data type is int. Supported operations is Get. + +**ErrorCode** + +HRESULT of the last installation returned code. + +The data type is int. Supported operation is Get. diff --git a/windows/client-management/mdm/universalprint-ddf-file.md b/windows/client-management/mdm/universalprint-ddf-file.md new file mode 100644 index 0000000000..cc624c9c29 --- /dev/null 
+++ b/windows/client-management/mdm/universalprint-ddf-file.md 
@@ -0,0 +1,214 @@ +--- +title: UniversalPrint DDF file +description: UniversalPrint DDF file +ms.author: mandia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MandiOhlinger +ms.date: 06/02/2022 +ms.reviewer: jimwu +manager: dougeby +--- + +# UniversalPrint DDF file + +This article shows the OMA DM device description framework (DDF) for the **UniversalPrint** configuration service provider. + +Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). + +The XML below is the current version for this CSP. + +```xml + +]> + + 1.2 + + PrinterProvisioning + ./User/Vendor/MSFT + + + + + Printer Provisioning + + + + + + + + + + + com.microsoft/1.0/MDM/PrinterProvisioning + + + + UPPrinterInstalls + + + + + This setting will take the action on the specified user account to install or uninstall the specified printer. Install action is selected by default. + + + + + + + + + + + + + + + + + + + + + + Identifies the Universal Print printer, by its Share ID, you wish to install on the targeted user account. The printer's Share ID can be found in the printer's properties via the Universal Print portal. Note: the targeted user account must have access rights to both the printer and to the Universal Print service. + + + + + + + + + + PrinterSharedID + + + + + PrinterSharedID from the Universal Print system, which is used to discover and install Univeral Print printer + + + + + + CloudDeviceID + + + + + + + + Identifies the Universal Print printer, by its Printer ID, you wish to install on the targeted user account. The printer's Printer ID can be found in the printer's properties via the Universal Print portal. Note: the targeted user account must have access rights to both the printer and to the Universal Print service. + + + + + + + + + + + text/plain + + + + + Install + + + + + + Support async execute. Install Universal Print printer. 
+ + + + + + + + + + + text/plain + + + + + Status + + + + + 1 finished installation successfully, 2 installation in progress after receiving execute cmd, 4 installation failed, 8 installation initial status, 32 unknown (not used). + + + + + + + + + + + text/plain + + + + + ErrorCode + + + + + HRESULT of the last installation returned code. + + + + + + + + + + + text/plain + + + + + PrinterSharedName + + + + + + + + Identifies the Universal Print printer, by its Share Name, you wish to install on the targeted user account. The printer's Share Name can be found in the printer's properties via the Universal Print portal. Note: the targeted user account must have access rights to both the printer and to the Universal Print service. + + + + + + + + + + + text/plain + + + + + + + +``` diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 60f7ff27d5..ce1fdf95ec 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -30,7 +30,7 @@ The VPNv2 configuration service provider allows the mobile device management (MD Here are the requirements for this CSP: - VPN configuration commands must be wrapped in an Atomic block in SyncML. -- For best results, configure your VPN certificates first before pushing down VPN profiles to devices. If you're using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure WIP policies. +- For best results, configure your VPN certificates first before pushing down VPN profiles to devices. If you're using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure Windows Information Protection policies. - Instead of changing individual properties, follow these steps to make any changes: - Send a Delete command for the ProfileName to delete the entire profile. 
@@ -541,9 +541,9 @@ If no inbound filter is provided, then by default all unsolicited inbound traffi Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/EdpModeId** -Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this ID is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device. +Enterprise ID, which is required for connecting this VPN profile with a Windows Information Protection policy. When this ID is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device. -Additionally when a connection is being established with Windows Information Protection (WIP)(formerly known as Enterprise Data Protection), the admin doesn't have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced config is needed) because the WIP policies and App lists automatically takes effect. +Additionally when a connection is being established with Windows Information Protection (WIP)(formerly known as Enterprise Data Protection), the admin doesn't have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced config is needed) because the Windows Information Protection policies and App lists automatically takes effect. Value type is chr. Supported operations include Get, Add, Replace, and Delete. diff --git a/windows/client-management/mdm/win32compatibilityappraiser-csp.md b/windows/client-management/mdm/win32compatibilityappraiser-csp.md index 7f4e4738a5..ea3289d926 100644 
--- a/windows/client-management/mdm/win32compatibilityappraiser-csp.md +++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md @@ -161,7 +161,7 @@ Value type is bool. Supported operation is Get. **UniversalTelemetryClient/UtcConfigurationDiagnosis/MsaServiceEnabled** -A boolean value representing whether the MSA service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs. +A boolean value representing whether the Microsoft account service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs. Value type is bool. diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index 22ed2a7af6..3a36e33d5a 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md @@ -25,7 +25,7 @@ All that's required to use Quick Assist is suitable network and internet connect ### Authentication -The helper can authenticate when they sign in by using a Microsoft Account (MSA) or Azure Active Directory (Azure AD). Local Active Directory authentication isn't currently supported. +The helper can authenticate when they sign in by using a Microsoft account (MSA) or Azure Active Directory (Azure AD). Local Active Directory authentication isn't currently supported. ### Network considerations @@ -36,7 +36,7 @@ Both the helper and sharer must be able to reach these endpoints over port 443: | Domain/Name | Description | |--|--| | `*.support.services.microsoft.com` | Primary endpoint used for Quick Assist application | -| `*.login.microsoftonline.com` | Required for logging in to the application (MSA) | +| `*.login.microsoftonline.com` | Required for logging in to the application (Microsoft account) | | `*.channelwebsdks.azureedge.net` | Used for chat services within Quick Assist | | `*.aria.microsoft.com` | Used for accessibility features within the app | | `*.api.support.microsoft.com` | API access for Quick Assist | 
diff --git a/windows/client-management/windows-version-search.md b/windows/client-management/windows-version-search.md index 52a2fb766d..da6a705ba5 100644 --- a/windows/client-management/windows-version-search.md +++ b/windows/client-management/windows-version-search.md @@ -15,7 +15,7 @@ ms.topic: troubleshooting # What version of Windows am I running? -To determine if your device is enrolled in the [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it’s useful to learn about all of them. +To determine if your device is enrolled in the [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels) (GA Channel) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it’s useful to learn about all of them. ## System Properties Click **Start** > **Settings** > **System** > click **About** from the bottom of the left-hand menu diff --git a/windows/configuration/changes-to-start-policies-in-windows-10.md b/windows/configuration/changes-to-start-policies-in-windows-10.md index 756137de7c..aa66136bfb 100644 --- a/windows/configuration/changes-to-start-policies-in-windows-10.md +++ b/windows/configuration/changes-to-start-policies-in-windows-10.md 
@@ -1,13 +1,9 @@ --- title: Changes to Group Policy settings for Windows 10 Start menu (Windows 10) description: Learn about changes to Group Policy settings for the Windows 10 Start menu. Also, learn about the new Windows 10 Start experience. -ms.assetid: 612FB68A-3832-451F-AA97-E73791FEAA9F ms.reviewer: manager: dougeby -keywords: ["group policy", "start menu", "start screen"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md index 500f5c624f..bf089eb4ba 100644 --- a/windows/configuration/configure-windows-10-taskbar.md +++ b/windows/configuration/configure-windows-10-taskbar.md @@ -1,10 +1,7 @@ --- title: Configure Windows 10 taskbar (Windows 10) description: Administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file. -keywords: ["taskbar layout","pin apps"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article @@ -14,6 +11,7 @@ ms.reviewer: manager: dougeby ms.collection: highpri --- + # Configure Windows 10 taskbar Starting in Windows 10, version 1607, administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a `` section to a layout modification XML file. This method never removes user-pinned apps from the taskbar. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md index 805a227811..e82f329a86 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md 
@@ -2,8 +2,6 @@ title: Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in Windows description: How to set up Cortana to give salespeople insights on important CRM activities, including sales leads, accounts, and opportunities. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md index 6d940ecc14..a342f659be 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md @@ -2,8 +2,6 @@ title: Send feedback about Cortana at work back to Microsoft description: Learn how to send feedback to Microsoft about Cortana at work so you can provide more information to help diagnose reported issues.. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md index d949c55ed5..633b1edf0b 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md @@ -2,8 +2,6 @@ title: Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization description: Learn how to connect Cortana to Office 365 so employees are notified about regular meetings and unusual events. You can even set an alarm for early meetings. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz 
@@ -29,7 +27,7 @@ There are a few things to be aware of before you start using Cortana in Windows - **Office 365 Trust Center.** Cortana in Windows 10, version 1909 and earlier, isn't a service governed by the [Online Services Terms](https://www.microsoft.com/en-us/licensing/product-licensing/products). [Learn more about how Cortana in Windows 10, versions 1909 and earlier, treats your data](https://support.microsoft.com/en-us/help/4468233/cortana-and-privacy-microsoft-privacy). -- Windows Information Protection (WIP). If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). If you decide to use WIP, you must also have a management solution. This can be Microsoft Intune, Microsoft Endpoint Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution. +- Windows Information Protection (WIP). If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). If you decide to use Windows Information Protection, you must also have a management solution. This can be Microsoft Intune, Microsoft Endpoint Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution. - **Troubleshooting tips.** If you run into issues, check out these [troubleshooting tips](/office365/troubleshoot/miscellaneous/issues-in-cortana). diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md index 2b72551c54..88b9b1e042 100644 
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md @@ -4,8 +4,6 @@ ms.reviewer: manager: dougeby description: Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and for enterprise environments. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md index 2eb0ba6a03..97966260a0 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md @@ -2,8 +2,6 @@ title: Configure Cortana with Group Policy and MDM settings (Windows) description: The list of Group Policy and mobile device management (MDM) policy settings that apply to Cortana at work. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md index a54d958f6e..fd81d85f3a 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md @@ -2,8 +2,6 @@ title: Set up and test Cortana for Power BI in your organization (Windows) description: How to integrate Cortana with Power BI to help your employees get answers directly from your key business data. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz 
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md index de0f3315ae..f19d6c310d 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md @@ -2,8 +2,6 @@ title: Sign into Azure AD, enable the wake word, and try a voice query description: A test scenario walking you through signing in and managing the notebook. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md index b9c64414bc..4c019223d3 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md @@ -2,8 +2,6 @@ title: Perform a quick search with Cortana at work (Windows) description: This is a test scenario about how to perform a quick search with Cortana at work. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md index 68ba398dbf..f6d46feb8f 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md @@ -2,8 +2,6 @@ title: Set a reminder for a location with Cortana at work (Windows) description: A test scenario about how to set a location-based reminder using Cortana at work. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz 
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md index 6c6a391833..6a45297397 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md @@ -2,8 +2,6 @@ title: Use Cortana at work to find your upcoming meetings (Windows) description: A test scenario on how to use Cortana at work to find your upcoming meetings. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md index 63f5f07436..5085f7608d 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md @@ -2,8 +2,6 @@ title: Use Cortana to send email to a co-worker (Windows) description: A test scenario about how to use Cortana at work to send email to a co-worker. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md index c4647b52d8..b05c1179dc 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md @@ -2,8 +2,6 @@ title: Review a reminder suggested by Cortana (Windows) description: A test scenario on how to use Cortana with the Suggested reminders feature. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz 
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md index 6a7ab71a9a..ed2e51d53c 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md @@ -2,8 +2,6 @@ title: Help protect data with Cortana and WIP (Windows) description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP). ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md index cf0cd10b10..55023907da 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md @@ -2,8 +2,6 @@ title: Cortana at work testing scenarios description: Suggested testing scenarios that you can use to test Cortana in your organization. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md index 10a3e5644b..fb38e50ec2 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md 
@@ -2,8 +2,6 @@ title: Set up and test custom voice commands in Cortana for your organization (Windows) description: How to create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md index b922d049e4..5af920f5f7 100644 --- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md +++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md @@ -4,8 +4,6 @@ ms.reviewer: manager: dougeby description: Cortana includes powerful configuration options specifically to optimize unique small to medium-sized business and enterprise environments. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/test-scenario-1.md b/windows/configuration/cortana-at-work/test-scenario-1.md index 729352fb95..d11ddd9fbf 100644 --- a/windows/configuration/cortana-at-work/test-scenario-1.md +++ b/windows/configuration/cortana-at-work/test-scenario-1.md @@ -2,8 +2,6 @@ title: Test scenario 1 – Sign in with your work or school account and use Cortana to manage the notebook description: A test scenario about how to sign in with your work or school account and use Cortana to manage the notebook. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/test-scenario-2.md b/windows/configuration/cortana-at-work/test-scenario-2.md index 86c279c752..f9128ac53e 100644 --- a/windows/configuration/cortana-at-work/test-scenario-2.md 
+++ b/windows/configuration/cortana-at-work/test-scenario-2.md @@ -2,8 +2,6 @@ title: Test scenario 2 - Perform a quick search with Cortana at work description: A test scenario about how to perform a quick search with Cortana at work. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/test-scenario-3.md b/windows/configuration/cortana-at-work/test-scenario-3.md index f1706c3579..0bef2a7ad9 100644 --- a/windows/configuration/cortana-at-work/test-scenario-3.md +++ b/windows/configuration/cortana-at-work/test-scenario-3.md @@ -2,8 +2,6 @@ title: Test scenario 3 - Set a reminder for a specific location using Cortana at work description: A test scenario about how to set up, review, and edit a reminder based on a location. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/test-scenario-4.md b/windows/configuration/cortana-at-work/test-scenario-4.md index 635172f826..45d2df199c 100644 --- a/windows/configuration/cortana-at-work/test-scenario-4.md +++ b/windows/configuration/cortana-at-work/test-scenario-4.md @@ -2,8 +2,6 @@ title: Use Cortana to find your upcoming meetings at work (Windows) description: A test scenario about how to use Cortana at work to find your upcoming meetings. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/test-scenario-5.md b/windows/configuration/cortana-at-work/test-scenario-5.md index 7770f46dfd..4a890aca59 100644 --- a/windows/configuration/cortana-at-work/test-scenario-5.md +++ b/windows/configuration/cortana-at-work/test-scenario-5.md 
@@ -2,8 +2,6 @@ title: Use Cortana to send an email to co-worker (Windows) description: A test scenario on how to use Cortana at work to send email to a co-worker. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/test-scenario-6.md b/windows/configuration/cortana-at-work/test-scenario-6.md index e9b09188c2..eea07d4bbe 100644 --- a/windows/configuration/cortana-at-work/test-scenario-6.md +++ b/windows/configuration/cortana-at-work/test-scenario-6.md @@ -2,8 +2,6 @@ title: Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email description: A test scenario about how to use Cortana with the Suggested reminders feature. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md index 57153a781a..b62794ff0f 100644 --- a/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md +++ b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md @@ -2,8 +2,6 @@ title: Testing scenarios using Cortana in your business or organization description: A list of suggested testing scenarios that you can use to test Cortana in your organization. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index c979753ccb..5f13879817 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md 
@@ -1,13 +1,9 @@ --- title: Customize and export Start layout (Windows 10) description: The easiest method for creating a customized Start layout is to set up the Start screen and export the layout. -ms.assetid: CA8DF327-5DD4-452F-9FE5-F17C514B6236 ms.reviewer: manager: dougeby -keywords: ["start screen"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/customize-start-menu-layout-windows-11.md b/windows/configuration/customize-start-menu-layout-windows-11.md index f21e9bf9dc..069e047309 100644 --- a/windows/configuration/customize-start-menu-layout-windows-11.md +++ b/windows/configuration/customize-start-menu-layout-windows-11.md @@ -1,14 +1,10 @@ --- title: Add or remove pinned apps on the Start menu in Windows 11 | Microsoft Docs description: Export Start layout to LayoutModification.json with pinned apps, and add or remove pinned apps. Use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices. -ms.assetid: manager: dougeby ms.author: aaroncz ms.reviewer: ericpapa ms.prod: w11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: mobile author: aczechowski ms.localizationpriority: medium ms.collection: highpri diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md index 8679cc641f..51335436d5 100644 --- a/windows/configuration/customize-taskbar-windows-11.md +++ b/windows/configuration/customize-taskbar-windows-11.md 
@@ -1,14 +1,10 @@ --- title: Configure and customize Windows 11 taskbar | Microsoft Docs description: On Windows 11 devices, pin and unpin default apps and organization apps on the taskbar using an XML file. Deploy the taskbar XML file using Group Policy or MDM and Microsoft Endpoint Manager. See what happens to the taskbar when the Windows OS client is installed or upgraded. -ms.assetid: manager: dougeby ms.author: aaroncz ms.reviewer: chataylo ms.prod: w11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: mobile author: aczechowski ms.localizationpriority: medium ms.collection: highpri diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md index 434d699db3..15c1cc2cad 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md @@ -1,13 +1,9 @@ --- title: Customize Windows 10 Start and taskbar with Group Policy (Windows 10) description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. -ms.assetid: F4A47B36-F1EF-41CD-9CBA-04C83E960545 ms.reviewer: manager: dougeby -keywords: ["Start layout", "start menu", "layout", "group policy"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md index a06b4c2919..fb50dc5a39 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md 
@@ -1,13 +1,9 @@ --- title: Change the Windows 10 Start and taskbar using mobile device management | Microsoft Docs description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. For example, use Microsoft Intune to configure the start menu layout and taskbar, and deploy the policy to your devices. -ms.assetid: F487850D-8950-41FB-9B06-64240127C1E4 ms.reviewer: manager: dougeby -keywords: ["start screen", "start menu"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.topic: article ms.author: aaroncz diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index 110d43b999..0a2038ce7d 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md @@ -1,13 +1,9 @@ --- title: Customize Windows 10 Start and taskbar with provisioning packages (Windows 10) description: In Windows 10, you can use a provisioning package to deploy a customized Start layout to users. -ms.assetid: AC952899-86A0-42FC-9E3C-C25F45B1ACAC ms.reviewer: manager: dougeby -keywords: ["Start layout", "start menu"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index 7ec5869bf1..ce8ad34838 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md 
@@ -1,10 +1,7 @@ --- title: Guidelines for choosing an app for assigned access (Windows 10/11) description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience. -keywords: ["kiosk", "lockdown", "assigned access"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/includes/multi-app-kiosk-support-windows11.md b/windows/configuration/includes/multi-app-kiosk-support-windows11.md index e3b0982b66..efe346ced6 100644 --- a/windows/configuration/includes/multi-app-kiosk-support-windows11.md +++ b/windows/configuration/includes/multi-app-kiosk-support-windows11.md @@ -3,7 +3,6 @@ author: aczechowski ms.author: aaroncz ms.date: 09/21/2021 ms.reviewer: -audience: itpro manager: dougeby ms.prod: w10 ms.topic: include diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk-additional-reference.md index cd38222026..fda7a6c1da 100644 --- a/windows/configuration/kiosk-additional-reference.md +++ b/windows/configuration/kiosk-additional-reference.md @@ -1,14 +1,10 @@ --- title: More kiosk methods and reference information (Windows 10/11) description: Find more information for configuring, validating, and troubleshooting kiosk configuration. -ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: sybruckm manager: dougeby ms.author: aaroncz -keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.topic: reference diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk-mdm-bridge.md index 7c0a77b39e..509e5e3983 100644 --- a/windows/configuration/kiosk-mdm-bridge.md +++ b/windows/configuration/kiosk-mdm-bridge.md 
@@ -1,14 +1,10 @@ --- title: Use MDM Bridge WMI Provider to create a Windows 10/11 kiosk (Windows 10/11) description: Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. -ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: sybruckm manager: dougeby ms.author: aaroncz -keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.topic: article diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index ea9c57c785..c444568fe9 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk-methods.md @@ -5,9 +5,6 @@ manager: dougeby ms.author: aaroncz description: In this article, learn about the methods for configuring kiosks and digital signs on Windows 10 or Windows 11 desktop editions. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: aczechowski ms.topic: article diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md index 6524e3e543..219db257fb 100644 --- a/windows/configuration/kiosk-policies.md +++ b/windows/configuration/kiosk-policies.md @@ -1,14 +1,9 @@ --- title: Policies enforced on kiosk devices (Windows 10/11) description: Learn about the policies enforced on a device when you configure it as a kiosk. -ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 ms.reviewer: sybruckm manager: dougeby -keywords: ["lockdown", "app restrictions", "applocker"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: edu, security author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index 45dec9443a..2712131087 100644 
--- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -1,14 +1,10 @@ --- title: Prepare a device for kiosk configuration on Windows 10/11 | Microsoft Docs description: Learn how to prepare a device for kiosk configuration. Also, learn about the recommended kiosk configuration changes. -ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: sybruckm manager: dougeby ms.author: aaroncz -keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.topic: article diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md index 3cd7d04a31..075be3e488 100644 --- a/windows/configuration/kiosk-shelllauncher.md +++ b/windows/configuration/kiosk-shelllauncher.md @@ -1,14 +1,10 @@ --- title: Use Shell Launcher to create a Windows 10/11 kiosk (Windows 10/11) description: Shell Launcher lets you change the default shell that launches when a user signs in to a device. -ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: sybruckm manager: dougeby ms.author: aaroncz -keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.topic: article diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 179c44499b..7c13c2715e 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md 
@@ -1,14 +1,10 @@ --- title: Set up a single-app kiosk on Windows 10/11 description: A single-use device is easy to set up in Windows 10 and Windows 11 for desktop editions (Pro, Enterprise, and Education). -ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: sybruckm manager: dougeby ms.author: aaroncz -keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.topic: article diff --git a/windows/configuration/kiosk-troubleshoot.md b/windows/configuration/kiosk-troubleshoot.md index cb60660c38..091872a845 100644 --- a/windows/configuration/kiosk-troubleshoot.md +++ b/windows/configuration/kiosk-troubleshoot.md @@ -1,14 +1,9 @@ --- title: Troubleshoot kiosk mode issues (Windows 10/11) description: Learn how to troubleshoot single-app and multi-app kiosk configurations, as well as common problems like sign-in issues. -ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 ms.reviewer: sybruckm manager: dougeby -keywords: ["lockdown", "app restrictions"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: edu, security author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/kiosk-validate.md b/windows/configuration/kiosk-validate.md index 934dd1ed77..dfc4d3e91d 100644 --- a/windows/configuration/kiosk-validate.md +++ b/windows/configuration/kiosk-validate.md 
@@ -1,14 +1,10 @@ --- title: Validate kiosk configuration (Windows 10/11) description: In this article, learn what to expect on a multi-app kiosk in Windows 10/11 Pro, Enterprise, and Education. -ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: sybruckm manager: dougeby ms.author: aaroncz -keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.topic: article diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index f6ddb6a2d4..a5f84dcc40 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md @@ -1,14 +1,9 @@ --- title: Assigned Access configuration kiosk XML reference (Windows 10/11) description: Learn about the assigned access configuration (kiosk) for XML and XSD for kiosk device configuration in Windows 10/11. -ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 ms.reviewer: sybruckm manager: dougeby -keywords: ["lockdown", "app restrictions", "applocker"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: edu, security author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/lock-down-windows-10-applocker.md b/windows/configuration/lock-down-windows-10-applocker.md index 4fcd915dd1..4552e63e33 100644 --- a/windows/configuration/lock-down-windows-10-applocker.md +++ b/windows/configuration/lock-down-windows-10-applocker.md 
@@ -1,14 +1,9 @@ --- title: Use AppLocker to create a Windows 10 kiosk that runs multiple apps (Windows 10) description: Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. -ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 ms.reviewer: sybruckm manager: dougeby -keywords: ["lockdown", "app restrictions", "applocker"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: edu, security author: aczechowski ms.localizationpriority: medium ms.date: 07/30/2018 diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md index 36bf667cc7..caeb98056f 100644 --- a/windows/configuration/lockdown-features-windows-10.md +++ b/windows/configuration/lockdown-features-windows-10.md @@ -1,14 +1,9 @@ --- title: Lockdown features from Windows Embedded 8.1 Industry (Windows 10) description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. -ms.assetid: 3C006B00-535C-4BA4-9421-B8F952D47A14 ms.reviewer: manager: dougeby -keywords: lockdown, embedded ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/manage-tips-and-suggestions.md b/windows/configuration/manage-tips-and-suggestions.md index 2dcf1d588b..6eb41bde06 100644 --- a/windows/configuration/manage-tips-and-suggestions.md +++ b/windows/configuration/manage-tips-and-suggestions.md 
@@ -1,11 +1,7 @@ --- title: Manage Windows 10 and Microsoft Store tips, fun facts, and suggestions (Windows 10) description: Windows 10 provides organizations with various options to manage user experiences to provide a consistent and predictable experience for employees. -keywords: ["device management"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: devices author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/manage-wifi-sense-in-enterprise.md b/windows/configuration/manage-wifi-sense-in-enterprise.md index 8149182469..1bd58d5c1e 100644 --- a/windows/configuration/manage-wifi-sense-in-enterprise.md +++ b/windows/configuration/manage-wifi-sense-in-enterprise.md @@ -1,15 +1,10 @@ --- title: Manage Wi-Fi Sense in your company (Windows 10) description: Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. -ms.assetid: 1845e00d-c4ee-4a8f-a5e5-d00f2735a271 ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: ["WiFi Sense", "automatically connect to wi-fi", "wi-fi hotspot connection"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: mobile author: aczechowski ms.localizationpriority: medium ms.topic: article diff --git a/windows/configuration/provisioning-apn.md b/windows/configuration/provisioning-apn.md index ffe4a55f6d..a168bce8f6 100644 --- a/windows/configuration/provisioning-apn.md +++ b/windows/configuration/provisioning-apn.md @@ -1,12 +1,9 @@ --- title: Configure cellular settings for tablets and PCs (Windows 10) description: Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles. -ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC ms.reviewer: manager: dougeby ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article 
diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md index 9147bc6b90..3e0279e5e5 100644 --- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md @@ -1,12 +1,9 @@ --- title: Configuration service providers for IT pros (Windows 10/11) description: Describes how IT pros and system administrators can use configuration service providers (CSPs) to configure devices. -ms.assetid: 25C1FDCA-0E10-42A1-A368-984FFDB2B7B6 ms.reviewer: gkomatsu manager: dougeby ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md index 1305b2bb87..cec5065059 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md +++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md @@ -1,13 +1,9 @@ --- title: Provision PCs with common settings (Windows 10/11) description: Create a provisioning package to apply common settings to a PC running Windows 10. -ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E ms.reviewer: gkomatsu manager: dougeby -keywords: ["runtime provisioning", "provisioning package"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md index faad3522bb..9d403656ad 100644 
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md @@ -1,10 +1,7 @@ --- title: Provision PCs with apps and certificates (Windows 10) description: Create a provisioning package to apply settings to a PC running Windows 10. -keywords: ["runtime provisioning", "provisioning package"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index f1b8691117..86ba895398 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md @@ -1,10 +1,7 @@ --- title: Provision PCs with apps (Windows 10/11) description: Learn how to install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. -keywords: ["runtime provisioning", "provisioning package"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md index 8e9a046588..97a1f3bd50 100644 --- a/windows/configuration/provisioning-packages/provisioning-apply-package.md +++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md @@ -2,8 +2,6 @@ title: Apply a provisioning package (Windows 10/11) description: Provisioning packages can be applied to a device during initial setup (OOBE) and after ("runtime"). ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article 
diff --git a/windows/configuration/provisioning-packages/provisioning-command-line.md b/windows/configuration/provisioning-packages/provisioning-command-line.md index 95e51c1316..fbe7aecde9 100644 --- a/windows/configuration/provisioning-packages/provisioning-command-line.md +++ b/windows/configuration/provisioning-packages/provisioning-command-line.md @@ -2,8 +2,6 @@ title: Windows Configuration Designer command-line interface (Windows 10/11) description: Learn more about the ICD syntax, switches, and arguments that you can use in the Windows Configuration Designer command-line interface for Windows10/11 client devices. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index f926e57f98..2852698705 100644 --- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md @@ -2,8 +2,6 @@ title: Create a provisioning package (Windows 10/11) description: Learn how to create a provisioning package for Windows 10/11, which lets you quickly configure a device without having to install a new image. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/provisioning-packages/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md index cc1fff48d3..737cb64b16 100644 --- a/windows/configuration/provisioning-packages/provisioning-how-it-works.md +++ b/windows/configuration/provisioning-packages/provisioning-how-it-works.md 
@@ -2,8 +2,6 @@ title: How provisioning works in Windows 10/11 description: Learn more about how provisioning package work on Windows client devices. A provisioning package (.ppkg) is a container for a collection of configuration settings. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index 1df2136104..59419bb6b2 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md @@ -2,8 +2,6 @@ title: Install Windows Configuration Designer (Windows 10/11) description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md index 0987e3f720..65b4475739 100644 --- a/windows/configuration/provisioning-packages/provisioning-multivariant.md +++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md @@ -2,8 +2,6 @@ title: Create a provisioning package with multivariant settings (Windows 10/11) description: Create a provisioning package with multivariant settings to customize the provisioned settings for defined conditions. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.topic: article ms.localizationpriority: medium diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index da386db801..b762a1d124 100644 
--- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -1,12 +1,9 @@ --- title: Provisioning packages overview on Windows 10/11 description: With Windows 10 and Windows 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages, are and what they do. -ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC ms.reviewer: gkomatsu manager: dougeby ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/provisioning-packages/provisioning-powershell.md b/windows/configuration/provisioning-packages/provisioning-powershell.md index 3b6e0300dc..0698178c23 100644 --- a/windows/configuration/provisioning-packages/provisioning-powershell.md +++ b/windows/configuration/provisioning-packages/provisioning-powershell.md @@ -2,8 +2,6 @@ title: PowerShell cmdlets for provisioning Windows 10/11 (Windows 10/11) description: Learn more about the Windows PowerShell cmdlets that you can use with Provisioning packages on Windows10/11 client desktop devices. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md index 0f1b11b953..e768666071 100644 --- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md +++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md 
@@ -2,8 +2,6 @@ title: Use a script to install a desktop app in provisioning packages (Windows 10/11) description: With Windows 10/11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md index 1a6f2d6af3..04665c5f6e 100644 --- a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md +++ b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md @@ -2,8 +2,6 @@ title: Uninstall a provisioning package - reverted settings (Windows 10/11) description: This article lists the settings that are reverted when you uninstall a provisioning package on Windows 10/11 desktop client devices. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index 13dae738e3..a9bfdbcfdf 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -1,10 +1,7 @@ --- title: Set up a shared or guest PC with Windows 10/11 description: Windows 10 and Windows has shared PC mode, which optimizes Windows client for shared use scenarios. -keywords: ["shared pc mode"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md index 921c556ecf..dff1da75a5 100644 --- a/windows/configuration/setup-digital-signage.md +++ b/windows/configuration/setup-digital-signage.md 
@@ -1,14 +1,10 @@ --- title: Set up digital signs on Windows 10/11 description: A single-use device such as a digital sign is easy to set up in Windows 10 and Windows 11 (Pro, Enterprise, and Education). -ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: sybruckm manager: dougeby ms.author: aaroncz -keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage", "kiosk browser", "browser"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.date: 09/20/2021 diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md index 4b0658894b..793a35d714 100644 --- a/windows/configuration/start-layout-troubleshoot.md +++ b/windows/configuration/start-layout-troubleshoot.md @@ -2,8 +2,6 @@ title: Troubleshoot Start menu errors description: Learn how to troubleshoot common Start menu errors in Windows 10. For example, learn to troubleshoot errors related to deployment, crashes, and performance. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library ms.author: aaroncz author: aczechowski ms.localizationpriority: medium diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md index a0d7a0b65a..ffcdeef194 100644 --- a/windows/configuration/start-layout-xml-desktop.md +++ b/windows/configuration/start-layout-xml-desktop.md @@ -1,10 +1,7 @@ --- title: Start layout XML for desktop editions of Windows 10 (Windows 10) description: This article describes the options for customizing Start layout in LayoutModification.xml for Windows 10 desktop editions. -keywords: ["start screen"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md index 5699938be7..20c333fb2d 100644 
--- a/windows/configuration/start-secondary-tiles.md +++ b/windows/configuration/start-secondary-tiles.md @@ -2,9 +2,6 @@ title: Add image for secondary Microsoft Edge tiles (Windows 10) description: Add app tiles on Windows 10 that's a secondary tile. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: aczechowski ms.author: aaroncz diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md index 40fc295016..ed2728abc4 100644 --- a/windows/configuration/stop-employees-from-using-microsoft-store.md +++ b/windows/configuration/stop-employees-from-using-microsoft-store.md @@ -1,13 +1,9 @@ --- title: Configure access to Microsoft Store (Windows 10) description: Learn how to configure access to Microsoft Store for client computers and mobile devices in your organization. -ms.assetid: 7AA60D3D-2A69-45E7-AAB0-B8AFC29C2E97 ms.reviewer: manager: dougeby ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: store, mobile author: aczechowski ms.author: aaroncz ms.topic: conceptual diff --git a/windows/configuration/supported-csp-start-menu-layout-windows.md b/windows/configuration/supported-csp-start-menu-layout-windows.md index 30c40db968..30ef22ea5a 100644 --- a/windows/configuration/supported-csp-start-menu-layout-windows.md +++ b/windows/configuration/supported-csp-start-menu-layout-windows.md @@ -1,14 +1,10 @@ --- title: Supported CSP policies to customize Start menu on Windows 11 | Microsoft Docs description: See a list of the Policy CSP - Start items that are supported on Windows 11 to customize the Start menu. -ms.assetid: manager: dougeby ms.author: aaroncz ms.reviewer: ericpapa ms.prod: w11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: mobile author: aczechowski ms.localizationpriority: medium --- 
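Review bot: In windows/configuration/set-up-shared-or-guest-pc.md, the `description` kept as context reads "Windows 10 and Windows has shared PC mode", which drops the second version number and leaves a subject-verb mismatch. The title on the line above it says "Windows 10/11", so "Windows 10 and Windows 11 have shared PC mode" would match. It is worth fixing in the same pass that removes the `keywords`, `ms.mktglfcycl` and `ms.sitesec` lines.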
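Review bot: The `title` left in the front matter of supported-csp-start-menu-layout-windows.md still ends in "| Microsoft Docs", a suffix none of the other titles touched in this patch carry (for example "Configure access to Microsoft Store (Windows 10)"). Since this block is already being cleaned up, consider dropping the suffix here, and in supported-csp-taskbar-windows.md, which has the same suffix, so the titles stay consistent.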
diff --git a/windows/configuration/supported-csp-taskbar-windows.md b/windows/configuration/supported-csp-taskbar-windows.md index 0891f70e8c..40ada8b099 100644 --- a/windows/configuration/supported-csp-taskbar-windows.md +++ b/windows/configuration/supported-csp-taskbar-windows.md @@ -1,14 +1,10 @@ --- title: Supported CSP policies to customize the Taskbar on Windows 11 | Microsoft Docs description: See a list of the Policy CSP - Start items that are supported on Windows 11 to customize the Taskbar. -ms.assetid: manager: dougeby ms.author: aaroncz ms.reviewer: chataylo ms.prod: w11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: mobile author: aczechowski ms.localizationpriority: medium --- diff --git a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md index 5c0961785e..4f970289fa 100644 --- a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md +++ b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md @@ -2,9 +2,6 @@ title: Administering UE-V with Windows PowerShell and WMI description: Learn how User Experience Virtualization (UE-V) provides Windows PowerShell cmdlets to help administrators perform various UE-V tasks. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Administering UE-V with Windows PowerShell and WMI **Applies to** diff --git a/windows/configuration/ue-v/uev-administering-uev.md b/windows/configuration/ue-v/uev-administering-uev.md index f2456dee1a..7bf2b82260 100644 --- a/windows/configuration/ue-v/uev-administering-uev.md +++ b/windows/configuration/ue-v/uev-administering-uev.md 
@@ -2,9 +2,6 @@ title: Administering UE-V description: Learn how to perform administrative tasks for User Experience Virtualization (UE-V). These tasks include configuring the UE-V service and recovering lost settings. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Administering UE-V **Applies to** diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md index 50a4533c63..a3d3387c57 100644 --- a/windows/configuration/ue-v/uev-application-template-schema-reference.md +++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md @@ -2,9 +2,6 @@ title: Application Template Schema Reference for UE-V description: Learn details about the XML structure of the UE-V settings location templates and learn how to edit these files. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Application Template Schema Reference for UE-V **Applies to** 
@@ -433,8 +429,8 @@ Application is a container for settings that apply to a particular application. |LocalizedNames|An optional name displayed in the UI, localized by a language locale.| |LocalizedDescriptions|An optional template description localized by a language locale.| |Version|Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version21).| -|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If MSA syncing is enabled for a user on a machine, then this template will automatically be disabled.| -|DeferToOffice365|Similar to MSA, this controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.| +|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If Microsoft account syncing is enabled for a user on a machine, then this template will automatically be disabled.| +|DeferToOffice365|Similar to Microsoft account, this controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.| |FixedProfile|Specifies that this template can only be associated with the profile specified within this element, and cannot be changed via WMI or PowerShell.| |Processes|A container for a collection of one or more Process elements. For more information, see [Processes](#processes21).| |Settings|A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see **Settings** in [Data types](#data21)".| 
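Review bot: The new `DeferToOffice365` text "Similar to Microsoft account, this controls ..." reads awkwardly once the abbreviation is expanded. The comparison is to the row directly above, so "Similar to DeferToMSAccount, this controls ..." would be clearer. The same cell still mixes "Office365" and "Office 365", and the unchanged `Settings` row ends with a stray quotation mark after `[Data types](#data21)`. The identical `DeferToOffice365` wording appears in the Common table in the next hunk and needs the same change.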
@@ -452,8 +448,8 @@ Common is similar to an Application element, but it is always associated with tw |LocalizedNames|An optional name displayed in the UI, localized by a language locale.| |LocalizedDescriptions|An optional template description localized by a language locale.| |Version|Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version21).| -|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If MSA syncing is enabled for a user on a machine, then this template will automatically be disabled.| -|DeferToOffice365|Similar to MSA, this controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.| +|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If Microsoft account syncing is enabled for a user on a machine, then this template will automatically be disabled.| +|DeferToOffice365|Similar to Microsoft account, this controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.| |FixedProfile|Specifies that this template can only be associated with the profile specified within this element, and cannot be changed via WMI or PowerShell.| |Settings|A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see **Settings** in [Data types](#data21).| diff --git a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md index 7b1980ded7..61ca2b8c88 100644 --- a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md 
+++ b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md @@ -2,9 +2,6 @@ title: Changing the Frequency of UE-V Scheduled Tasks description: Learn how to create a script that uses the Schtasks.exe command-line options so you can change the frequency of UE-V scheduled tasks. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Changing the Frequency of UE-V Scheduled Tasks **Applies to** diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md index 8aa4719d90..249336440f 100644 --- a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md +++ b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md @@ -2,9 +2,6 @@ title: Configuring UE-V with Group Policy Objects description: In this article, learn how to configure User Experience Virtualization (UE-V) with Group Policy objects. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Configuring UE-V with Group Policy Objects **Applies to** diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md index fa9dda05ab..b8e6955c3d 100644 --- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md +++ b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md 
@@ -2,9 +2,6 @@ title: Configuring UE-V with Microsoft Endpoint Configuration Manager description: Learn how to configure User Experience Virtualization (UE-V) with Microsoft Endpoint Configuration Manager. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Configuring UE-V with Microsoft Endpoint Manager **Applies to** diff --git a/windows/configuration/ue-v/uev-deploy-required-features.md b/windows/configuration/ue-v/uev-deploy-required-features.md index 1b6513b56d..22cfb858c0 100644 --- a/windows/configuration/ue-v/uev-deploy-required-features.md +++ b/windows/configuration/ue-v/uev-deploy-required-features.md @@ -2,9 +2,6 @@ title: Deploy required UE-V features description: Learn how to install and configure User Experience Virtualization (UE-V) features, for example a network share that stores and retrieves user settings. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md index 21f2749843..fad99aed73 100644 --- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md +++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md @@ -2,9 +2,6 @@ title: Use UE-V with custom applications description: Use User Experience Virtualization (UE-V) to create your own custom settings location templates with the UE-V template generator. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: diff --git a/windows/configuration/ue-v/uev-for-windows.md b/windows/configuration/ue-v/uev-for-windows.md index 9074ddc234..75fab30ab1 100644 
--- a/windows/configuration/ue-v/uev-for-windows.md +++ b/windows/configuration/ue-v/uev-for-windows.md @@ -2,9 +2,6 @@ title: User Experience Virtualization for Windows 10, version 1607 description: Overview of User Experience Virtualization for Windows 10, version 1607 author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 05/02/2017 ms.reviewer: diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md index 2bb02af5e6..39bbfe1418 100644 --- a/windows/configuration/ue-v/uev-getting-started.md +++ b/windows/configuration/ue-v/uev-getting-started.md @@ -2,9 +2,6 @@ title: Get Started with UE-V description: Use the steps in this article to deploy User Experience Virtualization (UE-V) for the first time in a test environment. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 03/08/2018 ms.reviewer: diff --git a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md index 9ed8904dec..1aa6e9f43e 100644 --- a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md +++ b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md @@ -2,9 +2,6 @@ title: Manage Administrative Backup and Restore in UE-V description: Learn how an administrator of User Experience Virtualization (UE-V) can back up and restore application and Windows settings to their original state. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Manage Administrative Backup and Restore in UE-V **Applies to** 
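Review bot: In uev-configuring-uev-with-system-center-configuration-manager.md, the front-matter `title` says "Configuring UE-V with Microsoft Endpoint Configuration Manager" while the H1 in that file's second hunk says "Configuring UE-V with Microsoft Endpoint Manager". The two product names do not match. Both lines sit inside hunks this patch already touches, so settle on one name and use it in the title, the description and the heading.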
diff --git a/windows/configuration/ue-v/uev-manage-configurations.md b/windows/configuration/ue-v/uev-manage-configurations.md index 4533fb9eb7..a8f2d63d6f 100644 --- a/windows/configuration/ue-v/uev-manage-configurations.md +++ b/windows/configuration/ue-v/uev-manage-configurations.md @@ -2,9 +2,6 @@ title: Manage Configurations for UE-V description: Learn to manage the configuration of the User Experience Virtualization (UE-V) service and also learn to manage storage locations for UE-V resources. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Manage Configurations for UE-V **Applies to** diff --git a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md index b36faf10c5..ba5bebadea 100644 --- a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md +++ b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md @@ -2,9 +2,6 @@ title: Managing UE-V Settings Location Templates Using Windows PowerShell and WMI description: Managing UE-V Settings Location Templates Using Windows PowerShell and WMI author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Managing UE-V Settings Location Templates Using Windows PowerShell and WMI **Applies to** diff --git a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md index d111d768eb..ab70b3209a 100644 
--- a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md +++ b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md @@ -2,9 +2,6 @@ title: Manage UE-V Service and Packages with Windows PowerShell and WMI description: Managing the UE-V service and packages with Windows PowerShell and WMI author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Managing the UE-V service and packages with Windows PowerShell and WMI **Applies to** diff --git a/windows/configuration/ue-v/uev-migrating-settings-packages.md b/windows/configuration/ue-v/uev-migrating-settings-packages.md index 026b5fd10f..eaa34a41eb 100644 --- a/windows/configuration/ue-v/uev-migrating-settings-packages.md +++ b/windows/configuration/ue-v/uev-migrating-settings-packages.md @@ -2,9 +2,6 @@ title: Migrating UE-V settings packages description: Learn to relocate User Experience Virtualization (UE-V) user settings packages either when you migrate to a new server or when you perform backups. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Migrating UE-V settings packages **Applies to** diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md index b2b109d6b6..38b78b9d47 100644 --- a/windows/configuration/ue-v/uev-prepare-for-deployment.md +++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md 
@@ -2,9 +2,6 @@ title: Prepare a UE-V Deployment description: Learn about the types of User Experience Virtualization (UE-V) deployment you can execute and what preparations you can make beforehand to be successful. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: diff --git a/windows/configuration/ue-v/uev-release-notes-1607.md b/windows/configuration/ue-v/uev-release-notes-1607.md index fdc838991d..67badc0dbf 100644 --- a/windows/configuration/ue-v/uev-release-notes-1607.md +++ b/windows/configuration/ue-v/uev-release-notes-1607.md @@ -2,9 +2,6 @@ title: User Experience Virtualization (UE-V) Release Notes description: Read the latest information required to successfully install and use User Experience Virtualization (UE-V) that is not included in the UE-V documentation. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: diff --git a/windows/configuration/ue-v/uev-security-considerations.md b/windows/configuration/ue-v/uev-security-considerations.md index d692ba9f46..b7dc73d2d0 100644 --- a/windows/configuration/ue-v/uev-security-considerations.md +++ b/windows/configuration/ue-v/uev-security-considerations.md @@ -2,9 +2,6 @@ title: Security Considerations for UE-V description: Learn about accounts and groups, log files, and other security-related considerations for User Experience Virtualization (UE-V). author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Security Considerations for UE-V **Applies to** diff --git a/windows/configuration/ue-v/uev-sync-methods.md b/windows/configuration/ue-v/uev-sync-methods.md index 6eea46080c..31ae2008ce 100644 --- a/windows/configuration/ue-v/uev-sync-methods.md 
+++ b/windows/configuration/ue-v/uev-sync-methods.md @@ -2,9 +2,6 @@ title: Sync Methods for UE-V description: Learn how User Experience Virtualization (UE-V) service sync methods let you synchronize users’ application and Windows settings with the settings storage location. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: diff --git a/windows/configuration/ue-v/uev-sync-trigger-events.md b/windows/configuration/ue-v/uev-sync-trigger-events.md index 414b095f83..a396907df5 100644 --- a/windows/configuration/ue-v/uev-sync-trigger-events.md +++ b/windows/configuration/ue-v/uev-sync-trigger-events.md @@ -2,9 +2,6 @@ title: Sync Trigger Events for UE-V description: Learn how User Experience Virtualization (UE-V) lets you synchronize your application and Windows settings across all your domain-joined devices. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: diff --git a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md index ea4f3d49bd..c2a81519f1 100644 --- a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md +++ b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md @@ -2,9 +2,6 @@ title: Synchronizing Microsoft Office with UE-V description: Learn how User Experience Virtualization (UE-V) supports the synchronization of Microsoft Office application settings. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Synchronizing Office with UE-V **Applies to** 
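Review bot: The H1 shown in this hunk is "Synchronizing Office with UE-V", but the `title` in the front-matter hunk of the same file is "Synchronizing Microsoft Office with UE-V". Align the heading with the title (or the reverse) while the surrounding lines are being edited, so the page title and the rendered heading agree.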
diff --git a/windows/configuration/ue-v/uev-technical-reference.md b/windows/configuration/ue-v/uev-technical-reference.md index cac53df19c..f5a9059d3e 100644 --- a/windows/configuration/ue-v/uev-technical-reference.md +++ b/windows/configuration/ue-v/uev-technical-reference.md @@ -2,9 +2,6 @@ title: Technical Reference for UE-V description: Use this technical reference to learn about the various features of User Experience Virtualization (UE-V). author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Technical Reference for UE-V **Applies to** diff --git a/windows/configuration/ue-v/uev-troubleshooting.md b/windows/configuration/ue-v/uev-troubleshooting.md index a940df7833..3bf804b17d 100644 --- a/windows/configuration/ue-v/uev-troubleshooting.md +++ b/windows/configuration/ue-v/uev-troubleshooting.md @@ -2,9 +2,6 @@ title: Troubleshooting UE-V description: Use this technical reference to find resources for troubleshooting User Experience Virtualization (UE-V) for Windows 10. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Troubleshooting UE-V **Applies to** diff --git a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md index 7cae468ca9..226fe3c440 100644 --- a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md +++ b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md 
@@ -2,9 +2,6 @@ title: Upgrade to UE-V for Windows 10 description: Use these few adjustments to upgrade from User Experience Virtualization (UE-V) 2.x to the latest version of UE-V. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: diff --git a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md index fb8d02a2a7..59e4e1d213 100644 --- a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md +++ b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md @@ -2,9 +2,6 @@ title: Using UE-V with Application Virtualization applications description: Learn how to use User Experience Virtualization (UE-V) with Microsoft Application Virtualization (App-V). author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: diff --git a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md index 3240b7bcfa..89fb778fef 100644 --- a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md +++ b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md @@ -2,9 +2,6 @@ title: What's New in UE-V for Windows 10, version 1607 description: Learn about what's new in User Experience Virtualization (UE-V) for Windows 10, including new features and capabilities. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: diff --git a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md index bbbe078c55..d0f06bd548 100644 
--- a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md +++ b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md @@ -2,9 +2,6 @@ title: Working with Custom UE-V Templates and the UE-V Template Generator description: Create your own custom settings location templates by working with Custom User Experience Virtualization (UE-V) Templates and the UE-V Template Generator. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-accountmanagement.md b/windows/configuration/wcd/wcd-accountmanagement.md index ac4bac4e80..98aa47fcb1 100644 --- a/windows/configuration/wcd/wcd-accountmanagement.md +++ b/windows/configuration/wcd/wcd-accountmanagement.md @@ -2,8 +2,6 @@ title: AccountManagement (Windows 10) description: This section describes the account management settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md index 25d47941a7..94e31def8a 100644 --- a/windows/configuration/wcd/wcd-accounts.md +++ b/windows/configuration/wcd/wcd-accounts.md @@ -2,8 +2,6 @@ title: Accounts (Windows 10) description: This section describes the account settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-admxingestion.md b/windows/configuration/wcd/wcd-admxingestion.md index ae172dc1c5..80e83844b0 100644 --- a/windows/configuration/wcd/wcd-admxingestion.md 
+++ b/windows/configuration/wcd/wcd-admxingestion.md @@ -2,8 +2,6 @@ title: ADMXIngestion (Windows 10) description: This section describes the ADMXIngestion settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-assignedaccess.md b/windows/configuration/wcd/wcd-assignedaccess.md index 68825227e9..f7c184e359 100644 --- a/windows/configuration/wcd/wcd-assignedaccess.md +++ b/windows/configuration/wcd/wcd-assignedaccess.md @@ -2,8 +2,6 @@ title: AssignedAccess (Windows 10) description: This section describes the AssignedAccess setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-browser.md b/windows/configuration/wcd/wcd-browser.md index 5df5b2dfcd..5ebc1cccde 100644 --- a/windows/configuration/wcd/wcd-browser.md +++ b/windows/configuration/wcd/wcd-browser.md @@ -2,8 +2,6 @@ title: Browser (Windows 10) description: This section describes the Browser settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-cellcore.md b/windows/configuration/wcd/wcd-cellcore.md index 6c94aa8796..502a0b3ade 100644 --- a/windows/configuration/wcd/wcd-cellcore.md +++ b/windows/configuration/wcd/wcd-cellcore.md 
@@ -2,8 +2,6 @@ title: CellCore (Windows 10) description: This section describes the CellCore settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md index f2ba57eae2..d0a091f53f 100644 --- a/windows/configuration/wcd/wcd-cellular.md +++ b/windows/configuration/wcd/wcd-cellular.md @@ -4,8 +4,6 @@ ms.reviewer: manager: dougeby description: This section describes the Cellular settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-certificates.md b/windows/configuration/wcd/wcd-certificates.md index 668d0bb304..a83e01ed1d 100644 --- a/windows/configuration/wcd/wcd-certificates.md +++ b/windows/configuration/wcd/wcd-certificates.md @@ -2,8 +2,6 @@ title: Certificates (Windows 10) description: This section describes the Certificates settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-changes.md b/windows/configuration/wcd/wcd-changes.md index d196972424..7fae1e2c06 100644 --- a/windows/configuration/wcd/wcd-changes.md +++ b/windows/configuration/wcd/wcd-changes.md 
@@ -4,8 +4,6 @@ ms.reviewer: manager: dougeby description: This section describes the changes to settings in Windows Configuration Designer in Windows 10, version 1809. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-cleanpc.md b/windows/configuration/wcd/wcd-cleanpc.md index 090081972f..fdcbf1dd2a 100644 --- a/windows/configuration/wcd/wcd-cleanpc.md +++ b/windows/configuration/wcd/wcd-cleanpc.md @@ -2,8 +2,6 @@ title: CleanPC (Windows 10) description: This section describes the CleanPC settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-connections.md b/windows/configuration/wcd/wcd-connections.md index e71332a303..24465ae5a5 100644 --- a/windows/configuration/wcd/wcd-connections.md +++ b/windows/configuration/wcd/wcd-connections.md @@ -2,8 +2,6 @@ title: Connections (Windows 10) description: This section describes the Connections settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md index 4f9bd01b6e..307aab14ca 100644 --- a/windows/configuration/wcd/wcd-connectivityprofiles.md +++ b/windows/configuration/wcd/wcd-connectivityprofiles.md 
@@ -2,8 +2,6 @@ title: ConnectivityProfiles (Windows 10) description: This section describes the ConnectivityProfile settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-countryandregion.md b/windows/configuration/wcd/wcd-countryandregion.md index e09bfedbeb..2d326165c7 100644 --- a/windows/configuration/wcd/wcd-countryandregion.md +++ b/windows/configuration/wcd/wcd-countryandregion.md @@ -2,8 +2,6 @@ title: CountryAndRegion (Windows 10) description: This section describes the CountryAndRegion settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md index e8ea46b7dc..dccfa2bfd8 100644 --- a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md +++ b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md @@ -2,8 +2,6 @@ title: DesktopBackgroundAndColors (Windows 10) description: This section describes the DesktopBackgrounAndColors settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-developersetup.md b/windows/configuration/wcd/wcd-developersetup.md index 6d1c176a3d..62715da105 100644 --- a/windows/configuration/wcd/wcd-developersetup.md +++ b/windows/configuration/wcd/wcd-developersetup.md 
@@ -2,8 +2,6 @@ title: DeveloperSetup (Windows 10) description: This section describes the DeveloperSetup settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-deviceformfactor.md b/windows/configuration/wcd/wcd-deviceformfactor.md index 8a4fe3064e..6a101c9fd1 100644 --- a/windows/configuration/wcd/wcd-deviceformfactor.md +++ b/windows/configuration/wcd/wcd-deviceformfactor.md @@ -2,8 +2,6 @@ title: DeviceFormFactor (Windows 10) description: This section describes the DeviceFormFactor setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md index 32484edbd9..a5bb59742b 100644 --- a/windows/configuration/wcd/wcd-devicemanagement.md +++ b/windows/configuration/wcd/wcd-devicemanagement.md @@ -2,8 +2,6 @@ title: DeviceManagement (Windows 10) description: This section describes the DeviceManagement setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-deviceupdatecenter.md b/windows/configuration/wcd/wcd-deviceupdatecenter.md index 440ed6459b..83bb19007c 100644 --- a/windows/configuration/wcd/wcd-deviceupdatecenter.md +++ b/windows/configuration/wcd/wcd-deviceupdatecenter.md 
@@ -2,8 +2,6 @@ title: DeviceUpdateCenter (Windows 10) description: This section describes the DeviceUpdateCenter settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-dmclient.md b/windows/configuration/wcd/wcd-dmclient.md index ed596c0b34..1154e1643c 100644 --- a/windows/configuration/wcd/wcd-dmclient.md +++ b/windows/configuration/wcd/wcd-dmclient.md @@ -2,8 +2,6 @@ title: DMClient (Windows 10) description: This section describes the DMClient setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-editionupgrade.md b/windows/configuration/wcd/wcd-editionupgrade.md index 9c2e199008..114234aa5d 100644 --- a/windows/configuration/wcd/wcd-editionupgrade.md +++ b/windows/configuration/wcd/wcd-editionupgrade.md @@ -2,8 +2,6 @@ title: EditionUpgrade (Windows 10) description: This section describes the EditionUpgrade settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-firewallconfiguration.md b/windows/configuration/wcd/wcd-firewallconfiguration.md index 574f4d2a0d..a31d1cddcb 100644 --- a/windows/configuration/wcd/wcd-firewallconfiguration.md +++ b/windows/configuration/wcd/wcd-firewallconfiguration.md 
@@ -2,8 +2,6 @@ title: FirewallConfiguration (Windows 10) description: This section describes the FirewallConfiguration setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-firstexperience.md b/windows/configuration/wcd/wcd-firstexperience.md index a830d6925b..025c70a9b5 100644 --- a/windows/configuration/wcd/wcd-firstexperience.md +++ b/windows/configuration/wcd/wcd-firstexperience.md @@ -2,8 +2,6 @@ title: FirstExperience (Windows 10) description: This section describes the FirstExperience settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-folders.md b/windows/configuration/wcd/wcd-folders.md index 1008dd3172..e45a67e31a 100644 --- a/windows/configuration/wcd/wcd-folders.md +++ b/windows/configuration/wcd/wcd-folders.md @@ -2,8 +2,6 @@ title: Folders (Windows 10) description: This section describes the Folders settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-hotspot.md b/windows/configuration/wcd/wcd-hotspot.md index cf3eb21000..db0317ff32 100644 --- a/windows/configuration/wcd/wcd-hotspot.md +++ b/windows/configuration/wcd/wcd-hotspot.md 
@@ -2,8 +2,6 @@ title: HotSpot (Windows 10) description: This section describes the HotSpot settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-kioskbrowser.md b/windows/configuration/wcd/wcd-kioskbrowser.md index 9e653528de..0f38069d39 100644 --- a/windows/configuration/wcd/wcd-kioskbrowser.md +++ b/windows/configuration/wcd/wcd-kioskbrowser.md @@ -2,8 +2,6 @@ title: KioskBrowser (Windows 10) description: This section describes the KioskBrowser settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-licensing.md b/windows/configuration/wcd/wcd-licensing.md index 8342ca38d7..5e1385d91a 100644 --- a/windows/configuration/wcd/wcd-licensing.md +++ b/windows/configuration/wcd/wcd-licensing.md @@ -2,8 +2,6 @@ title: Licensing (Windows 10) description: This section describes the Licensing settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-location.md b/windows/configuration/wcd/wcd-location.md index 3e0a47a230..65d0cf04b9 100644 --- a/windows/configuration/wcd/wcd-location.md +++ b/windows/configuration/wcd/wcd-location.md 
@@ -2,8 +2,6 @@ title: Location (Windows 10) description: This section describes the Location settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-maps.md b/windows/configuration/wcd/wcd-maps.md index cdb5ff8a79..fa05e3ac5d 100644 --- a/windows/configuration/wcd/wcd-maps.md +++ b/windows/configuration/wcd/wcd-maps.md @@ -2,8 +2,6 @@ title: Maps (Windows 10) description: This section describes the Maps settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-networkproxy.md b/windows/configuration/wcd/wcd-networkproxy.md index e16622e753..20e53f7d72 100644 --- a/windows/configuration/wcd/wcd-networkproxy.md +++ b/windows/configuration/wcd/wcd-networkproxy.md @@ -2,8 +2,6 @@ title: NetworkProxy (Windows 10) description: This section describes the NetworkProxy settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-networkqospolicy.md b/windows/configuration/wcd/wcd-networkqospolicy.md index 24179089bf..46d1804745 100644 --- a/windows/configuration/wcd/wcd-networkqospolicy.md +++ b/windows/configuration/wcd/wcd-networkqospolicy.md 
@@ -2,8 +2,6 @@ title: NetworkQoSPolicy (Windows 10) description: This section describes the NetworkQoSPolicy settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md index 7ab4e1b5f7..f885d27c0e 100644 --- a/windows/configuration/wcd/wcd-oobe.md +++ b/windows/configuration/wcd/wcd-oobe.md @@ -4,8 +4,6 @@ ms.reviewer: manager: dougeby description: This section describes the OOBE settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-personalization.md b/windows/configuration/wcd/wcd-personalization.md index 6bfb8c53ab..ecd6a488c9 100644 --- a/windows/configuration/wcd/wcd-personalization.md +++ b/windows/configuration/wcd/wcd-personalization.md @@ -2,8 +2,6 @@ title: Personalization (Windows 10) description: This section describes the Personalization settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index c894bdc784..fddfc8e061 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md 
@@ -4,8 +4,6 @@ ms.reviewer: manager: dougeby description: This section describes the Policies settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-privacy.md b/windows/configuration/wcd/wcd-privacy.md index ff0d8ba5c4..827c8bad55 100644 --- a/windows/configuration/wcd/wcd-privacy.md +++ b/windows/configuration/wcd/wcd-privacy.md @@ -2,8 +2,6 @@ title: Privacy (Windows 10) description: This section describes the Privacy settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-provisioningcommands.md b/windows/configuration/wcd/wcd-provisioningcommands.md index 353d7fc8d7..fe6ca80426 100644 --- a/windows/configuration/wcd/wcd-provisioningcommands.md +++ b/windows/configuration/wcd/wcd-provisioningcommands.md @@ -2,8 +2,6 @@ title: ProvisioningCommands (Windows 10) description: This section describes the ProvisioningCommands settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md index e92b9ff5e9..f3035e6415 100644 --- a/windows/configuration/wcd/wcd-sharedpc.md +++ b/windows/configuration/wcd/wcd-sharedpc.md 
@@ -2,8 +2,6 @@ title: SharedPC (Windows 10) description: This section describes the SharedPC settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-smisettings.md b/windows/configuration/wcd/wcd-smisettings.md index 18f8ce37ce..c3e15932b1 100644 --- a/windows/configuration/wcd/wcd-smisettings.md +++ b/windows/configuration/wcd/wcd-smisettings.md @@ -2,8 +2,6 @@ title: SMISettings (Windows 10) description: This section describes the SMISettings settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-start.md b/windows/configuration/wcd/wcd-start.md index c06113474f..04bbf138fd 100644 --- a/windows/configuration/wcd/wcd-start.md +++ b/windows/configuration/wcd/wcd-start.md @@ -2,8 +2,6 @@ title: Start (Windows 10) description: This section describes the Start settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-startupapp.md b/windows/configuration/wcd/wcd-startupapp.md index 97b161c250..ad8220553a 100644 --- a/windows/configuration/wcd/wcd-startupapp.md +++ b/windows/configuration/wcd/wcd-startupapp.md 
@@ -2,8 +2,6 @@ title: StartupApp (Windows 10) description: This section describes the StartupApp settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-startupbackgroundtasks.md b/windows/configuration/wcd/wcd-startupbackgroundtasks.md index 4e26559f04..dba45f6c55 100644 --- a/windows/configuration/wcd/wcd-startupbackgroundtasks.md +++ b/windows/configuration/wcd/wcd-startupbackgroundtasks.md @@ -2,8 +2,6 @@ title: StartupBackgroundTasks (Windows 10) description: This section describes the StartupBackgroundTasks settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md index 4ef3ca8adf..83269cd2b6 100644 --- a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md +++ b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md @@ -2,8 +2,6 @@ title: StorageD3InModernStandby (Windows 10) description: This section describes the StorageD3InModernStandby settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-surfacehubmanagement.md b/windows/configuration/wcd/wcd-surfacehubmanagement.md index 227a05ff2f..4d3996dcfd 100644 --- a/windows/configuration/wcd/wcd-surfacehubmanagement.md +++ b/windows/configuration/wcd/wcd-surfacehubmanagement.md 
@@ -2,8 +2,6 @@ title: SurfaceHubManagement (Windows 10) description: This section describes the SurfaceHubManagement settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-tabletmode.md b/windows/configuration/wcd/wcd-tabletmode.md index 7365638aa4..7c8c7a37e3 100644 --- a/windows/configuration/wcd/wcd-tabletmode.md +++ b/windows/configuration/wcd/wcd-tabletmode.md @@ -2,8 +2,6 @@ title: TabletMode (Windows 10) description: This section describes the TabletMode settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-takeatest.md b/windows/configuration/wcd/wcd-takeatest.md index 0fc360651c..b4843fdb7b 100644 --- a/windows/configuration/wcd/wcd-takeatest.md +++ b/windows/configuration/wcd/wcd-takeatest.md @@ -2,8 +2,6 @@ title: TakeATest (Windows 10) description: This section describes the TakeATest settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-time.md b/windows/configuration/wcd/wcd-time.md index 19dc4a9203..c2a766d169 100644 --- a/windows/configuration/wcd/wcd-time.md +++ b/windows/configuration/wcd/wcd-time.md 
@@ -2,8 +2,6 @@ title: Time (Windows 10) description: This section describes the Time settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-unifiedwritefilter.md b/windows/configuration/wcd/wcd-unifiedwritefilter.md index 7a54c8d4a2..8c8c8648db 100644 --- a/windows/configuration/wcd/wcd-unifiedwritefilter.md +++ b/windows/configuration/wcd/wcd-unifiedwritefilter.md @@ -2,8 +2,6 @@ title: UnifiedWriteFilter (Windows 10) description: This section describes the UnifiedWriteFilter settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-universalappinstall.md b/windows/configuration/wcd/wcd-universalappinstall.md index 3eec0e5b18..f62e4299e3 100644 --- a/windows/configuration/wcd/wcd-universalappinstall.md +++ b/windows/configuration/wcd/wcd-universalappinstall.md @@ -2,8 +2,6 @@ title: UniversalAppInstall (Windows 10) description: This section describes the UniversalAppInstall settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-universalappuninstall.md b/windows/configuration/wcd/wcd-universalappuninstall.md index 38594be3eb..690bfc3ea4 100644 --- a/windows/configuration/wcd/wcd-universalappuninstall.md +++ b/windows/configuration/wcd/wcd-universalappuninstall.md 
@@ -2,8 +2,6 @@ title: UniversalAppUninstall (Windows 10) description: This section describes the UniversalAppUninstall settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-usberrorsoemoverride.md b/windows/configuration/wcd/wcd-usberrorsoemoverride.md index 946006edef..1c9909507e 100644 --- a/windows/configuration/wcd/wcd-usberrorsoemoverride.md +++ b/windows/configuration/wcd/wcd-usberrorsoemoverride.md @@ -2,8 +2,6 @@ title: UsbErrorsOEMOverride (Windows 10) description: This section describes the UsbErrorsOEMOverride settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-weakcharger.md b/windows/configuration/wcd/wcd-weakcharger.md index 057f4eb2ea..676df2efed 100644 --- a/windows/configuration/wcd/wcd-weakcharger.md +++ b/windows/configuration/wcd/wcd-weakcharger.md @@ -2,8 +2,6 @@ title: WeakCharger (Windows 10) description: This section describes the WeakCharger settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-windowshelloforbusiness.md b/windows/configuration/wcd/wcd-windowshelloforbusiness.md index 9549606c41..f42e48ac49 100644 --- a/windows/configuration/wcd/wcd-windowshelloforbusiness.md +++ b/windows/configuration/wcd/wcd-windowshelloforbusiness.md 
@@ -2,8 +2,6 @@ title: WindowsHelloForBusiness (Windows 10) description: This section describes the Windows Hello for Business settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-windowsteamsettings.md b/windows/configuration/wcd/wcd-windowsteamsettings.md index 37390601a1..51e2f55a43 100644 --- a/windows/configuration/wcd/wcd-windowsteamsettings.md +++ b/windows/configuration/wcd/wcd-windowsteamsettings.md @@ -2,8 +2,6 @@ title: WindowsTeamSettings (Windows 10) description: This section describes the WindowsTeamSettings settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-wlan.md b/windows/configuration/wcd/wcd-wlan.md index 810a9d27b4..2709497450 100644 --- a/windows/configuration/wcd/wcd-wlan.md +++ b/windows/configuration/wcd/wcd-wlan.md @@ -4,8 +4,6 @@ ms.reviewer: manager: dougeby description: This section describes the WLAN settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-workplace.md b/windows/configuration/wcd/wcd-workplace.md index a61acc7311..ee8d4e0bc6 100644 --- a/windows/configuration/wcd/wcd-workplace.md +++ b/windows/configuration/wcd/wcd-workplace.md 
@@ -2,8 +2,6 @@ title: Workplace (Windows 10) description: This section describes the Workplace settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md index a0de3514c7..6fb2f329ca 100644 --- a/windows/configuration/wcd/wcd.md +++ b/windows/configuration/wcd/wcd.md @@ -2,8 +2,6 @@ title: Windows Configuration Designer provisioning settings (Windows 10) description: This section describes the settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/windows-10-accessibility-for-ITPros.md b/windows/configuration/windows-10-accessibility-for-ITPros.md index 2bbae9dfc2..3f9a6310d2 100644 --- a/windows/configuration/windows-10-accessibility-for-ITPros.md +++ b/windows/configuration/windows-10-accessibility-for-ITPros.md @@ -3,8 +3,6 @@ title: Windows 10 accessibility information for IT Pros (Windows 10) description: Lists the various accessibility features available in Windows 10 with links to detailed guidance on how to set them keywords: accessibility, settings, vision, hearing, physical, cognition, assistive ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library ms.author: aaroncz author: aczechowski ms.localizationpriority: medium diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md index 917fc0e4f1..4965185168 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md +++ b/windows/configuration/windows-10-start-layout-options-and-policies.md 
@@ -1,13 +1,9 @@ --- title: Customize and manage the Windows 10 Start and taskbar layout (Windows 10) | Microsoft Docs description: On Windows devices, customize the start menu layout and taskbar using XML, group policy, provisioning package, or MDM policy. You can add pinned folders, add a start menu size, pin apps to the taskbar, and more. -ms.assetid: 2E94743B-6A49-463C-9448-B7DD19D9CD6A ms.reviewer: manager: dougeby -keywords: ["start screen", "start menu"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md index 962bb26a07..88baf2f9e0 100644 --- a/windows/configuration/windows-spotlight.md +++ b/windows/configuration/windows-spotlight.md @@ -1,13 +1,9 @@ --- title: Configure Windows Spotlight on the lock screen (Windows 10) description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen. -ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A ms.reviewer: manager: dougeby -keywords: ["lockscreen"] ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 0e700e4349..cbeb91ed35 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml 
@@ -184,51 +184,86 @@ href: update/deploy-updates-intune.md - name: Monitor Windows client updates items: - - name: Monitor Delivery Optimization - href: do/waas-delivery-optimization-setup.md#monitor-delivery-optimization - - name: Monitor Windows Updates + - name: Monitor with Update Compliance (preview version) + href: update/update-compliance-v2-overview.md + items: + - name: Enable Update Compliance (preview) + items: + - name: Update Compliance prerequisites + href: update/update-compliance-v2-prerequisites.md + - name: Enable the Update Compliance solution + href: update/update-compliance-v2-enable.md + - name: Configure clients with a script + href: update/update-compliance-v2-configuration-script.md + - name: Configure clients manually + href: update/update-compliance-v2-configuration-manual.md + - name: Configure clients with Microsoft Endpoint Manager + href: update/update-compliance-v2-configuration-mem.md + - name: Use Update Compliance (preview) + items: + - name: Use Update Compliance + href: update/update-compliance-v2-use.md + - name: Software updates in the Microsoft admin center (preview) + href: update/update-status-admin-center.md + - name: Update Compliance schema reference (preview) items: - - name: Monitor Windows Updates with Update Compliance - href: update/update-compliance-monitor.md - - name: Get started - items: - - name: Get started with Update Compliance - href: update/update-compliance-get-started.md - - name: Update Compliance configuration script - href: update/update-compliance-configuration-script.md - - name: Manually configuring devices for Update Compliance - href: update/update-compliance-configuration-manual.md - - name: Configuring devices for Update Compliance in Microsoft Endpoint Manager - href: update/update-compliance-configuration-mem.md - - name: Update Compliance monitoring - items: - - name: Use Update Compliance - href: update/update-compliance-using.md - - name: Need attention report - href: 
update/update-compliance-need-attention.md - - name: Security update status report - href: update/update-compliance-security-update-status.md - - name: Feature update status report - href: update/update-compliance-feature-update-status.md - - name: Safeguard holds report - href: update/update-compliance-safeguard-holds.md - - name: Delivery Optimization in Update Compliance - href: update/update-compliance-delivery-optimization.md - - name: Data handling and privacy in Update Compliance - href: update/update-compliance-privacy.md - - name: Update Compliance schema reference - href: update/update-compliance-schema.md - items: - - name: WaaSUpdateStatus - href: update/update-compliance-schema-waasupdatestatus.md - - name: WaaSInsiderStatus - href: update/update-compliance-schema-waasinsiderstatus.md - - name: WaaSDepoymentStatus - href: update/update-compliance-schema-waasdeploymentstatus.md - - name: WUDOStatus - href: update/update-compliance-schema-wudostatus.md - - name: WUDOAggregatedStatus - href: update/update-compliance-schema-wudoaggregatedstatus.md + - name: Update Compliance schema reference + href: update/update-compliance-v2-schema.md + - name: UCClient + href: update/update-compliance-v2-schema-ucclient.md + - name: UCClientReadinessStatus + href: update/update-compliance-v2-schema-ucclientreadinessstatus.md + - name: UCClientUpdateStatus + href: update/update-compliance-v2-schema-ucclientupdatestatus.md + - name: UCDeviceAlert + href: update/update-compliance-v2-schema-ucdevicealert.md + - name: UCServiceUpdateStatus + href: update/update-compliance-v2-schema-ucserviceupdatestatus.md + - name: UCUpdateAlert + href: update/update-compliance-v2-schema-ucupdatealert.md + - name: Monitor updates with Update Compliance + href: update/update-compliance-monitor.md + items: + - name: Get started + items: + - name: Get started with Update Compliance + href: update/update-compliance-get-started.md + - name: Update Compliance configuration script + href: 
update/update-compliance-configuration-script.md + - name: Manually configuring devices for Update Compliance + href: update/update-compliance-configuration-manual.md + - name: Configuring devices for Update Compliance in Microsoft Endpoint Manager + href: update/update-compliance-configuration-mem.md + - name: Update Compliance monitoring + items: + - name: Use Update Compliance + href: update/update-compliance-using.md + - name: Need attention report + href: update/update-compliance-need-attention.md + - name: Security update status report + href: update/update-compliance-security-update-status.md + - name: Feature update status report + href: update/update-compliance-feature-update-status.md + - name: Safeguard holds report + href: update/update-compliance-safeguard-holds.md + - name: Delivery Optimization in Update Compliance + href: update/update-compliance-delivery-optimization.md + - name: Data handling and privacy in Update Compliance + href: update/update-compliance-privacy.md + - name: Schema reference + items: + - name: Update Compliance schema reference + href: update/update-compliance-schema.md + - name: WaaSUpdateStatus + href: update/update-compliance-schema-waasupdatestatus.md + - name: WaaSInsiderStatus + href: update/update-compliance-schema-waasinsiderstatus.md + - name: WaaSDepoymentStatus + href: update/update-compliance-schema-waasdeploymentstatus.md + - name: WUDOStatus + href: update/update-compliance-schema-wudostatus.md + - name: WUDOAggregatedStatus + href: update/update-compliance-schema-wudoaggregatedstatus.md - name: Troubleshooting items: - name: Resolve upgrade errors diff --git a/windows/deployment/do/includes/waas-delivery-optimization-monitor.md b/windows/deployment/do/includes/waas-delivery-optimization-monitor.md new file mode 100644 index 0000000000..811b6b5a0c --- /dev/null +++ b/windows/deployment/do/includes/waas-delivery-optimization-monitor.md 
@@ -0,0 +1,162 @@ +--- +author: mestew +ms.author: mstewart +manager: dougeby +ms.prod: w10 +ms.collection: M365-modern-desktop +ms.mktglfcycl: deploy +audience: itpro +ms.topic: include +ms.date: 04/06/2022 +ms.localizationpriority: medium +--- + + +## Monitor Delivery Optimization + +### Windows PowerShell cmdlets + +**Starting in Windows 10, version 1703**, you can use new PowerShell cmdlets to check the performance of Delivery Optimization. + +#### Analyze usage + +`Get-DeliveryOptimizationStatus` returns a real-time snapshot of all current Delivery Optimization jobs. + +| Key | Value | +| --- | --- | +| File ID | A GUID that identifies the file being processed | +| FileSize | Size of the file | +| FileSizeInCache | Size of the file in the cache | +| TotalBytesDownloaded | The number of bytes from any source downloaded so far | +| PercentPeerCaching |The percentage of bytes downloaded from peers versus over HTTP | +| BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) | +| BytesfromHTTP | Total number of bytes received over HTTP | +| Status | Current state of the operation. 
Possible values are: **Downloading** (download in progress); **Complete** (download completed, but is not uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) | +| Priority | Priority of the download; values are **foreground** or **background** | +| BytesFromCacheServer | Total number of bytes received from cache server | +| BytesFromLanPeers | Total number of bytes received from peers found on the LAN | +| BytesFromGroupPeers | Total number of bytes received from peers found in the group | +| BytesFromInternetPeers | Total number of bytes received from internet peers | +| BytesToLanPeers | Total number of bytes delivered from peers found on the LAN | +| BytesToGroupPeers | Total number of bytes delivered from peers found in the group | +| BytesToInternetPeers | Total number of bytes delivered from peers found on the LAN | +| DownloadDuration | Total download time in seconds | +| HttpConnectionCount | | +| LanConnectionCount | | +| GroupConnectionCount | | +| InternetConnectionCount | | +| DownloadMode | | +| SourceURL | Http source for the file | +| CacheHost | IP address for the cache server | +| NumPeers | Indicates the total number of peers returned from the service. | +| PredefinedCallerApplication | Indicates the last caller that initiated a request for the file. | +| ExpireOn | The target expiration date and time for the file. | +| IsPinned | A yes/no value indicating whether an item has been "pinned" in the cache (see `setDeliveryOptmizationStatus`). 
| + +`Get-DeliveryOptimizationPerfSnap` returns a list of key performance data: + +| Key | Value | +| --- | --- | +| FilesDownloaded | Number of files downloaded | +| FilesUploaded | Number of files uploaded | +| Files | | +| TotalBytesDownloaded | Total bytes downloaded | +| TotalBytesUploaded | Total bytes uploaded | +| AverageDownloadSize | Average transfer size (download); that is, the number bytes downloaded divided by the number of files | +| AverageUploadSize | Average transfer size (upload); the number of bytes uploaded divided by the number of files | +| DownloadMode | Delivery Optimization Download mode used to deliver file | +| CacheSizeBytes | | +| TotalDiskBytes | | +| AvailableDiskBytes | | +| CpuUsagePct | | +| MemUsageKB | | +| NumberOfPeers | | +| CacheHostConnections | | +| CdnConnections | | +| LanConnections | | +| LinkLocalConnections | | +| GroupConnections | | +| InternetConnections | | +| DownlinkBps | | +| DownlinkUsageBps | | +| UplinkBps | | +| UplinkUsageBps | | +| ForegroundDownloadRatePct | | +| BackgroundDownloadRatePct | | +| UploadRatePct | | +| UplinkUsageBps | | +| ForegroundDownloadRatePct | | +| BackgroundDownloadRatePct | | +| UploadRatePct | | +| UploadCount | | +| ForegroundDownloadCount | | +| ForegroundDownloadsPending | | +| BackgroundDownloadCount | | +| BackgroundDownloadsPending | | + +Using the `-Verbose` option returns additional information: + +- Bytes from peers (per type) +- Bytes from CDN (the number of bytes received over HTTP) +- Average number of peer connections per download + +**Starting in Windows 10, version 2004**, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers. + +Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month. 
+ +#### Manage the Delivery Optimization cache + +**Starting in Windows 10, version 1903:** + +`set-DeliveryOptimizationStatus -ExpireOn [date time]` extends the expiration of all files in the cache. You can set the expiration immediately for all files that are in the "caching" state. For files in progress ("downloading"), the expiration is applied once the download is complete. You can set the expiration up to one year from the current date and time. + +`set-DeliveryOptimizationStatus -ExpireOn [date time] -FileID [FileID]` extends expiration for a single specific file in the cache. + +You can now "pin" files to keep them persistent in the cache. You can only do this with files that are downloaded in modes 1, 2, or 3. + +`set-DeliveryOptimizationStatus -Pin [True] -File ID [FileID]` keeps a specific file in the cache such that it won't be deleted until the expiration date and time (which you set with `set-DeliveryOptimizationStatus -ExpireOn [date time] -FileID [FileID]`). The file is also excluded from the cache quota calculation. + +`set-DeliveryOptimizationStatus -Pin [False] -File ID [FileID]` "unpins" a file, so that it will be deleted when the expiration date and time are reached. The file is included in the cache quota calculation. + +`delete-DeliveryOptimizationCache` lets you clear files from the cache and remove all persisted data related to them. You can use these options with this cmdlet: + +- `-FileID` specifies a particular file to delete. +- `-IncludePinnedFiles` deletes all files that are pinned. +- `-Force` deletes the cache with no prompts. 
+ +#### Work with Delivery Optimization logs + +**Starting in Windows 10, version 2004:** + +- `Enable-DeliveryOptimizationVerboseLogs` +- `Disable-DeliveryOptimizationVerboseLogs` + +- `Get-DeliveryOptimizationLogAnalysis [ETL Logfile path] [-ListConnections]` + +With no options, this cmdlet returns these data: + +- total number of files +- number of foreground files +- minimum file size for it to be cached +- number of eligible (larger than the minimum size for peering) files +- number of files that found peers +- number of peering files (the number of files that got at least 1 byte from peers) +- overall efficiency +- efficiency in the peered files + +Using the `-ListConnections` option returns these details about peers: + +- destination IP address +- peer type +- status code +- bytes sent +- bytes received +- file ID + +**Starting in Windows 10, version 1803:** + +`Get-DeliveryOptimizationLog [-Path ] [-Flush]` + +If `Path` is not specified, this cmdlet reads all logs from the DoSvc log directory, which requires administrator permissions. If `Flush` is specified, the cmdlet stops DoSvc before reading logs. + +Log entries are written to the PowerShell pipeline as objects. To dump logs to a text file, run `Get-DeliveryOptimizationLog | Set-Content ` or something similar. diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index 5408351bda..19d12f832c 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md 
@@ -104,162 +104,10 @@ To do this in Group Policy, go to **Computer Configuration\Administrative Templa To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set DOMaxCacheAge to 7 or more (up to 30 days). -[//]: # (material about "preferred" devices; remove MinQos/MaxCacheAge; table format?) -## Monitor Delivery Optimization + +[!INCLUDE [Monitor Delivery Optimization](includes/waas-delivery-optimization-monitor.md)] -[//]: # (How to tell if it's working? What values are reasonable; which are not? If not, which way to adjust and how? -- check PercentPeerCaching for files > minimum >= 50%) - -### Windows PowerShell cmdlets - -**Starting in Windows 10, version 1703**, you can use new PowerShell cmdlets to check the performance of Delivery Optimization. - -#### Analyze usage - -`Get-DeliveryOptimizationStatus` returns a real-time snapshot of all current Delivery Optimization jobs. - -| Key | Value | -| --- | --- | -| File ID | A GUID that identifies the file being processed | -| FileSize | Size of the file | -| FileSizeInCache | Size of the file in the cache | -| TotalBytesDownloaded | The number of bytes from any source downloaded so far | -| PercentPeerCaching |The percentage of bytes downloaded from peers versus over HTTP | -| BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) | -| BytesfromHTTP | Total number of bytes received over HTTP | -| Status | Current state of the operation. 
Possible values are: **Downloading** (download in progress); **Complete** (download completed, but is not uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) | -| Priority | Priority of the download; values are **foreground** or **background** | -| BytesFromCacheServer | Total number of bytes received from cache server | -| BytesFromLanPeers | Total number of bytes received from peers found on the LAN | -| BytesFromGroupPeers | Total number of bytes received from peers found in the group | -| BytesFromInternetPeers | Total number of bytes received from internet peers | -| BytesToLanPeers | Total number of bytes delivered from peers found on the LAN | -| BytesToGroupPeers | Total number of bytes delivered from peers found in the group | -| BytesToInternetPeers | Total number of bytes delivered from peers found on the LAN | -| DownloadDuration | Total download time in seconds | -| HttpConnectionCount | | -| LanConnectionCount | | -| GroupConnectionCount | | -| InternetConnectionCount | | -| DownloadMode | | -| SourceURL | Http source for the file | -| CacheHost | IP address for the cache server | -| NumPeers | Indicates the total number of peers returned from the service. | -| PredefinedCallerApplication | Indicates the last caller that initiated a request for the file. | -| ExpireOn | The target expiration date and time for the file. | -| IsPinned | A yes/no value indicating whether an item has been "pinned" in the cache (see `setDeliveryOptmizationStatus`). 
| - -`Get-DeliveryOptimizationPerfSnap` returns a list of key performance data: - -| Key | Value | -| --- | --- | -| FilesDownloaded | Number of files downloaded | -| FilesUploaded | Number of files uploaded | -| Files | | -| TotalBytesDownloaded | Total bytes downloaded | -| TotalBytesUploaded | Total bytes uploaded | -| AverageDownloadSize | Average transfer size (download); that is, the number bytes downloaded divided by the number of files | -| AverageUploadSize | Average transfer size (upload); the number of bytes uploaded divided by the number of files | -| DownloadMode | Delivery Optimization Download mode used to deliver file | -| CacheSizeBytes | | -| TotalDiskBytes | | -| AvailableDiskBytes | | -| CpuUsagePct | | -| MemUsageKB | | -| NumberOfPeers | | -| CacheHostConnections | | -| CdnConnections | | -| LanConnections | | -| LinkLocalConnections | | -| GroupConnections | | -| InternetConnections | | -| DownlinkBps | | -| DownlinkUsageBps | | -| UplinkBps | | -| UplinkUsageBps | | -| ForegroundDownloadRatePct | | -| BackgroundDownloadRatePct | | -| UploadRatePct | | -| UplinkUsageBps | | -| ForegroundDownloadRatePct | | -| BackgroundDownloadRatePct | | -| UploadRatePct | | -| UploadCount | | -| ForegroundDownloadCount | | -| ForegroundDownloadsPending | | -| BackgroundDownloadCount | | -| BackgroundDownloadsPending | | - -Using the `-Verbose` option returns additional information: - -- Bytes from peers (per type) -- Bytes from CDN (the number of bytes received over HTTP) -- Average number of peer connections per download - -**Starting in Windows 10, version 2004**, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers. - -Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month. 
- -#### Manage the Delivery Optimization cache - -**Starting in Windows 10, version 1903:** - -`set-DeliveryOptimizationStatus -ExpireOn [date time]` extends the expiration of all files in the cache. You can set the expiration immediately for all files that are in the "caching" state. For files in progress ("downloading"), the expiration is applied once the download is complete. You can set the expiration up to one year from the current date and time. - -`set-DeliveryOptimizationStatus -ExpireOn [date time] -FileID [FileID]` extends expiration for a single specific file in the cache. - -You can now "pin" files to keep them persistent in the cache. You can only do this with files that are downloaded in modes 1, 2, or 3. - -`set-DeliveryOptimizationStatus -Pin [True] -File ID [FileID]` keeps a specific file in the cache such that it won't be deleted until the expiration date and time (which you set with `set-DeliveryOptimizationStatus -ExpireOn [date time] -FileID [FileID]`). The file is also excluded from the cache quota calculation. - -`set-DeliveryOptimizationStatus -Pin [False] -File ID [FileID]` "unpins" a file, so that it will be deleted when the expiration date and time are reached. The file is included in the cache quota calculation. - -`delete-DeliveryOptimizationCache` lets you clear files from the cache and remove all persisted data related to them. You can use these options with this cmdlet: - -- `-FileID` specifies a particular file to delete. -- `-IncludePinnedFiles` deletes all files that are pinned. -- `-Force` deletes the cache with no prompts. 
- -#### Work with Delivery Optimization logs - -**Starting in Windows 10, version 2004:** - -- `Enable-DeliveryOptimizationVerboseLogs` -- `Disable-DeliveryOptimizationVerboseLogs` - -- `Get-DeliveryOptimizationLogAnalysis [ETL Logfile path] [-ListConnections]` - -With no options, this cmdlet returns these data: - -- total number of files -- number of foreground files -- minimum file size for it to be cached -- number of eligible (larger than the minimum size for peering) files -- number of files that found peers -- number of peering files (the number of files that got at least 1 byte from peers) -- overall efficiency -- efficiency in the peered files - -Using the `-ListConnections` option returns these details about peers: - -- destination IP address -- peer type -- status code -- bytes sent -- bytes received -- file ID - -**Starting in Windows 10, version 1803:** - -`Get-DeliveryOptimizationLog [-Path ] [-Flush]` - -If `Path` is not specified, this cmdlet reads all logs from the DoSvc log directory, which requires administrator permissions. If `Flush` is specified, the cmdlet stops DoSvc before reading logs. - -Log entries are written to the PowerShell pipeline as objects. To dump logs to a text file, run `Get-DeliveryOptimizationLog | Set-Content ` or something similar. - -[//]: # (section on what to look for in logs, list of peers, connection failures) - -[//]: # (possibly move to Troubleshooting) ### Monitor with Update Compliance diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md index 25a9c49bfe..9e46d92c6b 100644 --- a/windows/deployment/do/waas-delivery-optimization.md +++ b/windows/deployment/do/waas-delivery-optimization.md 
@@ -41,9 +41,9 @@ The following table lists the minimum Windows 10 version that supports Delivery | Device type | Minimum Windows version |------------------|---------------| -| Computers running Windows 10 | Win 10 1511 | +| Computers running Windows 10 | Windows 10 1511 | | Computers running Server Core installations of Windows Server | Windows Server 2019 | -| Windows IoT devices | Win 10 1803 | +| Windows IoT devices | Windows 10 1803 | ### Types of download content supported by Delivery Optimization 
@@ -51,19 +51,19 @@ The following table lists the minimum Windows 10 version that supports Delivery | Windows Client | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC) |------------------|---------------|----------------|----------|----------------| -| Windows Update (feature updates quality updates, language packs, drivers) | Win 10 1511, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| Windows 10 Store files | Win 10 1511, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| Windows 10 Store for Business files | Win 10 1511, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| Windows Defender definition updates | Win 10 1511, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| Intune Win32 apps| Win 10 1709, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| Microsoft 365 Apps and updates | Win 10 1709, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| Edge Browser Updates | Win 10 1809, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| Configuration Manager Express updates| Win 10 1709 + Configuration Manager version Win 10 1711, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| Dynamic updates| Win 10 1903, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| MDM Agent | Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| Xbox Game Pass (PC) | Win 10 1809, Win 11 | :heavy_check_mark: | | :heavy_check_mark: | -| Windows Package Manager| Win 10 1809, Win 11 | :heavy_check_mark: | | | -| MSIX | Win 10 2004, Win 11 | :heavy_check_mark: | | | +| Windows Update (feature updates quality updates, language packs, drivers) | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Windows 10 Store files | Windows 10 1511, Windows 11 | :heavy_check_mark: | 
:heavy_check_mark: | :heavy_check_mark: | +| Windows 10 Store for Business files | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Windows Defender definition updates | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Intune Win32 apps| Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Microsoft 365 Apps and updates | Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Edge Browser Updates | Windows 10 1809, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Configuration Manager Express updates| Windows 10 1709 + Configuration Manager version Windows 10 1711, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Dynamic updates| Windows 10 1903, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| MDM Agent | Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Xbox Game Pass (PC) | Windows 10 1809, Windows 11 | :heavy_check_mark: | | :heavy_check_mark: | +| Windows Package Manager| Windows 10 1809, Windows 11 | :heavy_check_mark: | | | +| MSIX | Windows 10 2004, Windows 11 | :heavy_check_mark: | | | #### Windows Server diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md index f666a097be..5b943421e5 100644 --- a/windows/deployment/update/how-windows-update-works.md +++ b/windows/deployment/update/how-windows-update-works.md 
@@ -99,7 +99,7 @@ For Windows Update (WU) scans URLs that are used for update detection ([MS-WUSP] > [!Note] > For intranet WSUS update service URLs, we provide an option via Windows Update policy to select the proxy behavior. -For WU URLs that _aren't_ used for update detection, such as for download or reporting: +For Windows Update URLs that _aren't_ used for update detection, such as for download or reporting: - User proxy is attempted. - If WUA fails to reach the service due to a certain proxy, service, or authentication error code, then the system proxy is attempted. @@ -116,7 +116,7 @@ For WU URLs that _aren't_ used for update detection, such as for download or rep |Service|ServiceId| |-------|---------| -|Unspecified / Default|WU, MU, or WSUS
    00000000-0000-0000-0000-000000000000 | +|Unspecified / Default|Windows Update, Microsoft Update, or WSUS
    00000000-0000-0000-0000-000000000000 | |Windows Update|9482F4B4-E343-43B6-B170-9A65BC822C77| |Microsoft Update|7971f918-a847-4430-9279-4a52d1efe18d| |Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289| diff --git a/windows/deployment/update/includes/update-compliance-endpoints.md b/windows/deployment/update/includes/update-compliance-endpoints.md new file mode 100644 index 0000000000..864f4d38dd --- /dev/null +++ b/windows/deployment/update/includes/update-compliance-endpoints.md 
@@ -0,0 +1,25 @@ +--- +author: mestew +ms.author: mstewart +manager: dougeby +ms.prod: w10 +ms.collection: M365-modern-desktop +ms.mktglfcycl: deploy +audience: itpro +ms.topic: include +ms.date: 04/06/2022 +ms.localizationpriority: medium +--- + + +Devices must be able to contact the following endpoints in order to authenticate and send diagnostic data: + +| **Endpoint** | **Function** | +|---------------------------------------------------------|-----------| +| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. DeviceCensus.exe must run on a regular cadence and contact this endpoint in order to receive most information for Update Compliance. | +| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. | +| `https://settings-win.data.microsoft.com` | Required for Windows Update functionality. | +| `https://adl.windows.com` | Required for Windows Update functionality. | +| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting if certain Feature Update deployment failures occur. | +| `https://oca.telemetry.microsoft.com` | Online Crash Analysis, used to provide device-specific recommendations and detailed errors if there are certain crashes. | +| `https://login.live.com` | This endpoint facilitates your Microsoft account access and is required to create the primary identifier we use for devices. Without this service, devices won't be visible in the solution. The Microsoft Account Sign-in Assistant service must also be running (wlidsvc). | 
diff --git a/windows/deployment/update/media/37063317-admin-center-software-updates.png b/windows/deployment/update/media/37063317-admin-center-software-updates.png new file mode 100644 index 0000000000..978ef1b476 Binary files /dev/null and b/windows/deployment/update/media/37063317-admin-center-software-updates.png differ diff --git a/windows/deployment/update/media/37063317-end-of-service-chart.png b/windows/deployment/update/media/37063317-end-of-service-chart.png new file mode 100644 index 0000000000..fbca74ba52 Binary files /dev/null and b/windows/deployment/update/media/37063317-end-of-service-chart.png differ diff --git a/windows/deployment/update/media/37063317-windows-update-status-chart.png b/windows/deployment/update/media/37063317-windows-update-status-chart.png new file mode 100644 index 0000000000..875b303375 Binary files /dev/null and b/windows/deployment/update/media/37063317-windows-update-status-chart.png differ diff --git a/windows/deployment/update/media/update-compliance-v2-query-table.png b/windows/deployment/update/media/update-compliance-v2-query-table.png new file mode 100644 index 0000000000..f48e6dc074 Binary files /dev/null and b/windows/deployment/update/media/update-compliance-v2-query-table.png differ diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md index fa4f61b0d2..c64b4fd3da 100644 --- a/windows/deployment/update/update-compliance-configuration-manual.md +++ b/windows/deployment/update/update-compliance-configuration-manual.md 
@@ -70,15 +70,8 @@ All Group policies that need to be configured for Update Compliance are under ** To enable data sharing between devices, your network, and Microsoft's Diagnostic Data Service, configure your proxy to allow devices to contact the below endpoints. -| **Endpoint** | **Function** | -|---------------------------------------------------------|-----------| -| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. DeviceCensus.exe must run on a regular cadence and contact this endpoint in order to receive the majority of [WaaSUpdateStatus](update-compliance-schema-waasupdatestatus.md) information for Update Compliance. | -| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. | -| `https://settings-win.data.microsoft.com` | Required for Windows Update functionality. | -| `http://adl.windows.com` | Required for Windows Update functionality. | -| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting if certain Feature Update deployment failures occur. | -| `https://oca.telemetry.microsoft.com` | Online Crash Analysis, used to provide device-specific recommendations and detailed errors in the event of certain crashes. | -| `https://login.live.com` | This endpoint facilitates MSA access and is required to create the primary identifier we use for devices. Without this service, devices will not be visible in the solution. The Microsoft Account Sign-in Assistant service must also be running (wlidsvc). | + +[!INCLUDE [Endpoints for Update Compliance](./includes/update-compliance-endpoints.md)] ## Required services diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md index f62bf4a4da..e00cfd8c93 100644 
--- a/windows/deployment/update/update-compliance-configuration-script.md +++ b/windows/deployment/update/update-compliance-configuration-script.md @@ -81,7 +81,7 @@ Open `RunConfig.bat` and configure the following (assuming a first-run, with `ru | 51 | Unexpected exception when attempting to run Census.exe| | 52 | Could not find Census.exe| | 53 | There are conflicting CommercialID values.| -| 54 | Microsoft Account Sign In Assistant (MSA) Service disabled.| +| 54 | Microsoft account (MSA) Sign In Assistant Service disabled.| | 55 | Failed to create new registry path for SetDeviceNameOptIn| | 56 | Failed to create property for SetDeviceNameOptIn at registry path| | 57 | Failed to update value for SetDeviceNameOptIn| diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md index bc2ce23a6f..654ade49f0 100644 --- a/windows/deployment/update/update-compliance-delivery-optimization.md +++ b/windows/deployment/update/update-compliance-delivery-optimization.md @@ -20,10 +20,11 @@ ms.custom: seo-marvel-apr2020 **Applies to** -- Windows 10 +- Windows 10 - Windows 11 -![DO status.](images/UC_workspace_DO_status.png) +:::image type="content" alt-text="Screenshot of Delivery Optimization information in Update Compliance." source="images/UC_workspace_DO_status.png" lightbox="images/UC_workspace_DO_status.png"::: + The Update Compliance solution provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. ## Delivery Optimization Status 
@@ -49,4 +50,9 @@ The table breaks down the number of bytes from each download source into specifi The download sources that could be included are: - LAN Bytes: Bytes downloaded from LAN Peers which are other devices on the same local network - Group Bytes: Bytes downloaded from Group Peers which are other devices that belong to the same Group (available when the "Group" download mode is used) -- HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or an SCCM Distribution Point for Express Updates. +- HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or an SCCM Distribution Point for Express Updates. + + +[!INCLUDE [Monitor Delivery Optimization](../do/includes/waas-delivery-optimization-monitor.md)] + +For more information on Delivery Optimization, see [Set up Delivery Optimization for Windows](../do/waas-delivery-optimization-setup.md). diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index 933738e59e..6dc2e78cdd 100644 --- a/windows/deployment/update/update-compliance-using.md +++ b/windows/deployment/update/update-compliance-using.md @@ -20,7 +20,7 @@ ms.custom: seo-marvel-apr2020 **Applies to** -- Windows 10 +- Windows 10 - Windows 11 In this section you'll learn how to use Update Compliance to monitor your device's Windows updates and Microsoft Defender Antivirus status. To configure your environment for use with Update Compliance, refer to [Get started with Update Compliance](update-compliance-get-started.md). 
@@ -53,7 +53,7 @@ When you select this tile, you will be redirected to the Update Compliance works ![The Overview blade.](images/uc-workspace-overview-blade.png) -Update Compliance's overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items: +Update Compliance's overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. Update Compliance displays distribution for all devices to help you determine if they are up to date on the following items: * Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows client. * Feature updates: A device is up to date on feature updates whenever it has the latest applicable feature update installed. Update Compliance considers [Servicing Channel](waas-overview.md#servicing-channels) when determining update applicability. 
@@ -68,7 +68,7 @@ The following is a breakdown of the different sections available in Update Compl ## Update Compliance data latency Update Compliance uses Windows client diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear. -The data powering Update Compliance is refreshed every 24 hours, and refreshes with the latest data from all devices part of your organization that have been seen in the past 28 days. The entire set of data is refreshed in each daily snapshot, which means that the same data can be re-ingested even if no new data actually arrived from the device since the last snapshot. Snapshot time can be determined by the TimeGenerated field for each record, while LastScan can be used to roughly determine the freshness of each record's data. +The data powering Update Compliance is refreshed every 24 hours. The last 28 days worth of data from all devices in your organization are refreshed. The entire set of data is refreshed in each daily snapshot, which means that the same data can be re-ingested even if no new data actually arrived from the device since the last snapshot. Snapshot time can be determined by the TimeGenerated field for each record, while LastScan can be used to roughly determine the freshness of each record's data. | Data Type | Data upload rate from device | Data Latency | |--|--|--| diff --git a/windows/deployment/update/update-compliance-v2-configuration-manual.md b/windows/deployment/update/update-compliance-v2-configuration-manual.md new file mode 100644 index 0000000000..176b1f0a64 --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-configuration-manual.md 
@@ -0,0 +1,80 @@ +--- +title: Manually configuring devices for Update Compliance (preview) +ms.reviewer: +manager: dougeby +description: Manually configuring devices for Update Compliance (preview) +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article +ms.date: 06/06/2022 +--- + +# Manually Configuring Devices for Update Compliance (preview) + +***(Applies to: Windows 11 & Windows 10)*** + +> [!Important] +> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. +> - As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more information, see the Mobile Device Management policies and Group policies tables. + +There are a number of requirements to consider when manually configuring devices for Update Compliance. These requirements can potentially change with newer versions of Windows client. The [Update Compliance configuration script](update-compliance-v2-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required. + +The requirements are separated into different categories: + +1. Ensuring the [**required policies**](#required-policies) for Update Compliance are correctly configured. +2. Devices in every network topography must send data to the [**required endpoints**](#required-endpoints) for Update Compliance. For example, devices in both main and satellite offices, which might have different network configurations, must be able to reach the endpoints. +3. Ensure [**Required Windows services**](#required-services) are running or are scheduled to run. 
It's recommended all Microsoft and Windows services are set to their out-of-box defaults to ensure proper functionality. + + +## Required policies + +Update Compliance has a number of policies that must be appropriately configured in order for devices to be processed by Microsoft and visible in Update Compliance. Thee policies are listed below, separated by whether the policies will be configured via [Mobile Device Management](/windows/client-management/mdm/) (MDM) or Group Policy. For both tables: + +- **Policy** corresponds to the location and name of the policy. +- **Value** Indicates what value the policy must be set to. Update Compliance requires *at least* Basic (or Required) diagnostic data, but can function off Enhanced or Full (or Optional). +- **Function** details why the policy is required and what function it serves for Update Compliance. It will also detail a minimum version the policy is required, if any. + +### Mobile Device Management policies + +Each MDM Policy links to its documentation in the configuration service provider (CSP) hierarchy, providing its exact location in the hierarchy and more details. + +| Policy | Data type | Value | Function | +|--------------------------|-|-|------------------------------------------------------------| +|**Provider/*ProviderID*/**[**CommercialID**](/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |String |[Your CommercialID](update-compliance-v2-enable.md#bkmk_id) |Identifies the device as belonging to your organization. | +|**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |Integer | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. 
| +|**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) |Integer |1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. | +|**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) |Integer | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and won't be visible in Update Compliance, showing `#` instead. | +| **System/**[**AllowUpdateComplianceProcessing**](/windows/client-management/mdm/policy-csp-system#system-allowUpdateComplianceProcessing) |Integer | 16 - Allowed | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. | + +### Group policies + +All Group policies that need to be configured for Update Compliance are under **Computer Configuration>Administrative Templates>Windows Components\Data Collection and Preview Builds**. All of these policies must be in the *Enabled* state and set to the defined *Value* below. + +| Policy | Value | Function | +|---------------------------|-|-----------------------------------------------------------| +|**Configure the Commercial ID** |[Your CommercialID](update-compliance-v2-enable.md#bkmk_id) | Identifies the device as belonging to your organization. | +|**Allow Telemetry** | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. 
For more information, see the **Configure telemetry opt-in setting user interface**. | +|**Configure telemetry opt-in setting user interface** | 1 - Disable diagnostic data opt-in Settings |(in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy, otherwise the effective diagnostic data level on devices might not be sufficient. | +|**Allow device name to be sent in Windows diagnostic data** | 1 - Enabled | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or Disabled, Device Name won't be sent and won't be visible in Update Compliance, showing `#` instead. | +|**Allow Update Compliance processing** | 16 - Enabled | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. | + +## Required endpoints + +To enable data sharing between devices, your network, and Microsoft's Diagnostic Data Service, configure your proxy to allow devices to contact the below endpoints. + + +[!INCLUDE [Endpoints for Update Compliance](./includes/update-compliance-endpoints.md)] + +## Required services + +Many Windows and Microsoft services are required to ensure that not only the device can function, but Update Compliance can see device data. It's recommended that you allow all default services from the out-of-box experience to remain running. The [Update Compliance Configuration Script](update-compliance-v2-configuration-script.md) checks whether the majority of these services are running or are allowed to run automatically. + +## Next steps + +[Use Update Compliance](update-compliance-v2-use.md) diff --git a/windows/deployment/update/update-compliance-v2-configuration-mem.md b/windows/deployment/update/update-compliance-v2-configuration-mem.md new file mode 100644 index 0000000000..10fa6e648c --- /dev/null 
+++ b/windows/deployment/update/update-compliance-v2-configuration-mem.md 
@@ -0,0 +1,84 @@ +--- +title: Configuring Microsoft Endpoint Manager devices for Update Compliance (preview) +ms.reviewer: +manager: dougeby +description: Configuring devices that are enrolled in Endpoint Manager for Update Compliance (preview) +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article +ms.date: 06/06/2022 +--- + +# Configuring Microsoft Endpoint Manager devices for Update Compliance (preview) + +***(Applies to: Windows 11 & Windows 10 managed by [Microsoft Endpoint Manager](/mem/endpoint-manager-overview))*** + +> [!Important] +> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. +> - As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more information, see the Mobile Device Management policies and Group policies tables. + +This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within Microsoft Endpoint Manager itself. Configuring devices for Update Compliance in Microsoft Endpoint Manager breaks down to the following steps: + +1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll. The configuration profile contains settings for all the Mobile Device Management (MDM) policies that must be configured. +2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices, so additional checks can be performed to ensure devices are correctly configured. +3. Wait for data to populate. 
The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. For more information, see [Use Update Compliance](update-compliance-v2-use.md). + +## Create a configuration profile + +Take the following steps to create a configuration profile that will set required policies for Update Compliance: + +1. Go to the Admin portal in Endpoint Manager and navigate to **Devices/Windows/Configuration profiles**. +1. On the **Configuration profiles** view, select **Create a profile**. +1. Select **Platform**="Windows 10 and later" and **Profile type**="Templates". +1. For **Template name**, select **Custom**, and then press **Create**. +1. You're now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**. +1. On the **Configuration settings** page, you'll be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md). + 1. If you don't already have it, get your Commercial ID. For steps, see [Get your CommmercialID](update-compliance-v2-enable.md#bkmk_id). + 1. Add a setting for **Commercial ID** with the following values: + - **Name**: Commercial ID + - **Description**: Sets the Commercial ID that corresponds to the Update Compliance Log Analytics workspace. + - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID` + - **Data type**: String + - **Value**: *Set this value to your Commercial ID* + 1. Add a setting configuring the **Windows Diagnostic Data level** for devices: + - **Name**: Allow Telemetry + - **Description**: Sets the maximum allowed diagnostic data to be sent to Microsoft, required for Update Compliance. 
+ - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowTelemetry` + - **Data type**: Integer + - **Value**: 1 (*all that is required is 1, but it can be safely set to a higher value*). + 1. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. If this isn't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance: + - **Name**: Disable Telemetry opt-in interface + - **Description**: Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting. + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx` + - **Data type**: Integer + - **Value**: 1 + 1. Add a setting to **Allow device name in diagnostic data**; otherwise, there will be no device name in Update Compliance: + - **Name**: Allow device name in Diagnostic Data + - **Description**: Allows device name in Diagnostic Data. + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData` + - **Data type**: Integer + - **Value**: 1 + 1. Add a setting to **Allow Update Compliance processing**; this policy is required for Update Compliance: + - **Name**: Allow Update Compliance Processing + - **Description**: Opts device data into Update Compliance processing. Required to see data. + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing` + - **Data type**: Integer + - **Value**: 16 +1. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. +1. Review and select **Create**. 
+ +## Deploy the configuration script + +The [Update Compliance Configuration Script](update-compliance-v2-configuration-script.md) is an important component of properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management). + +When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in deployment mode as a Win32 app to all Update Compliance devices. + +## Next steps + +[Use Update Compliance](update-compliance-v2-use.md) diff --git a/windows/deployment/update/update-compliance-v2-configuration-script.md b/windows/deployment/update/update-compliance-v2-configuration-script.md new file mode 100644 index 0000000000..98bb9a944e --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-configuration-script.md 
@@ -0,0 +1,137 @@ +--- +title: Update Compliance (preview) Configuration Script +ms.reviewer: +manager: dougeby +description: Downloading and using the Update Compliance (preview) Configuration Script +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article +ms.date: 06/06/2022 +--- + +# Configuring devices through the Update Compliance (preview) Configuration Script + +***(Applies to: Windows 11 & Windows 10)*** + +> [!Important] +> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. +> - A new policy is required to use Update Compliance: `AllowUpdateComplianceProcessing`. If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must rerun the script so the new policy can be configured. + +The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures the registry keys backing policies, ensures required services are running, and more. This script is a recommended complement to configuring the required policies documented in [Manually configured devices for Update Compliance](update-compliance-v2-configuration-manual.md), as it can provide feedback on whether there are any configuration issues outside of policies being configured. + +## About the script + +The configuration script configures registry keys directly. Be aware that registry keys can potentially be overwritten by policy settings like Group Policy or MDM. *Reconfiguring devices with the script doesn't reconfigure previously set policies, both in the case of Group Policy and MDM*. 
If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md), device data might not appear in Update Compliance correctly. + +You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting. + +## How this script is organized + +This script's two primary files are `ConfigScript.ps1` and `RunConfig.bat`. You configure `RunConfig.bat` according to the directions in the `.bat` itself, which will then run `ConfigScript.ps1` with the parameters entered to `RunConfig.bat`. There are two ways of using the script: in **Pilot** mode or **Deployment** mode. + +- In **Pilot** mode (`runMode=Pilot`), the script will enter a verbose mode with enhanced diagnostics, and save the results in the path defined with `logpath` in `RunConfig.bat`. Pilot mode is best for a pilot run of the script or for troubleshooting configuration. +- In **Deployment** mode (`runMode=Deployment`), the script will run quietly. + +> [!Important] +> [PsExec](/sysinternals/downloads/psexec) is used to run the script in the system context. Once the device is configured, remove PsExec.exe from the device. + +## How to use this script + +Open `RunConfig.bat` and configure the following (assuming a first-run, with `runMode=Pilot`): + +1. Define `logPath` to where you want the logs to be saved. Ensure that `runMode=Pilot`. +1. Set `commercialIDValue` to your [Commercial ID](update-compliance-v2-enable.md#bkmk_id) for the Update Compliance solution. +1. Run the script. +1. Examine the logs for any issues. If there are no issues, then all devices with a similar configuration and network profile are ready for the script to be deployed with `runMode=Deployment`. +1. 
If there are issues, gather the logs and provide them to Microsoft Support. + +## Verify device configuration + +In some cases, you may need to manually verify the device configuration has the `AllowUpdateComplianceProcessing` policy enabled. To verify the setting, use the following steps: + +1. Download and enable the **Diagnostic Data Viewer**. For more information, see [Diagnostic Data Viewer overview](/windows/privacy/diagnostic-data-viewer-overview#install-and-use-the-diagnostic-data-viewer). + 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. + 1. Under **View diagnostic data**, select **On** for the following option: + + - Windows 11: **Turn on the Diagnostic Data Viewer (uses up to 1 GB of hard drive space)** + - Windows 10: **Turn on this setting to see your data in the Diagnostic Data Viewer. (Setting uses up to 1GB of hard drive space.)** + +1. Select **Open Diagnostic Data Viewer**. + - If the application isn't installed, select **Get** when you're asked to download the [Diagnostic Data Viewer from the Microsoft Store](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page. + - If the application is already installed, it will open. You can either close the application before running a scan for software updates, or use the refresh button to fetch the new data after the scan is completed. + +1. Check for software updates on the client device. + - Windows 11: + 1. Go to **Start**, select **Settings** > **Windows Update**. + 1. Select **Check for updates** then wait for the update check to complete. + - Windows 10: + 1. Go to **Start**, select **Settings** > **Update & Security** > **Windows Update**. + 1. Select **Check for updates** then wait for the update check to complete. + +1. Run the **Diagnostic Data Viewer**. + 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. + 1. Under **View diagnostic data**, select **Open Diagnostic Data Viewer**. +1. 
When the Diagnostic Data Viewer opens, type `SoftwareUpdateClientTelemetry` in the search field. Verify the following items: + - The **EnrolledTenantID** field under **m365a** should equal the [CommercialID](update-compliance-v2-enable.md#bkmk_id) of your Log Analytics workspace for Update Compliance. + - The **MSP** field value under **protocol** should be either `16` or `18`. + - If you need to send this data to Microsoft Support, select **Export data**. + + :::image type="content" alt-text="Screenshot of the Diagnostic Data Viewer displaying the data from SoftwareUpdateClientTelemetry. The export data option and the fields for MSP and EnrolledTenantID are outlined in red." source="./media/update-compliance-diagnostic-data-viewer.png" lightbox="./media/update-compliance-diagnostic-data-viewer.png"::: + +## Script errors + +|Error |Description | +|---------|---------| +| 1 | General unexpected error| +| 6 | Invalid CommercialID| +| 8 | Couldn't create registry key path to set up CommercialID| +| 9 | Couldn't write CommercialID at registry key path| +| 11 | Unexpected result when setting up CommercialID.| +| 12 | CheckVortexConnectivity failed, check Log output for more information.| +| 12 | Unexpected failure when running CheckVortexConnectivity.| +| 16 | Reboot is pending on device, restart device and restart script.| +| 17 | Unexpected exception in CheckRebootRequired.| +| 27 | Not system account. | +| 30 | Unable to disable Enterprise Auth Proxy. 
This registry value must be 0 for UTC to operate in an authenticated proxy environment.| +| 34 | Unexpected exception when attempting to check Proxy settings.| +| 35 | Unexpected exception when checking User Proxy.| +| 37 | Unexpected exception when collecting logs| +| 40 | Unexpected exception when checking and setting telemetry.| +| 41 | Unable to impersonate logged-on user.| +| 42 | Unexpected exception when attempting to impersonate logged-on user.| +| 43 | Unexpected exception when attempting to impersonate logged-on user.| +| 44 | Error when running CheckDiagTrack service.| +| 45 | DiagTrack.dll not found.| +| 48 | CommercialID isn't a GUID| +| 50 | DiagTrack service not running.| +| 51 | Unexpected exception when attempting to run Census.exe| +| 52 | Couldn't find Census.exe| +| 53 | There are conflicting CommercialID values.| +| 54 | Microsoft Account Sign In Assistant (MSA) Service disabled.| +| 55 | Failed to create new registry path for SetDeviceNameOptIn| +| 56 | Failed to create property for SetDeviceNameOptIn at registry path| +| 57 | Failed to update value for SetDeviceNameOptIn| +| 58 | Unexpected exception in SetrDeviceNameOptIn| +| 59 | Failed to delete LastPersistedEventTimeOrFirstBoot property at registry path when attempting to clean up OneSettings.| +| 60 | Failed to delete registry key when attempting to clean up OneSettings.| +| 61 | Unexpected exception when attempting to clean up OneSettings.| +| 62 | AllowTelemetry registry key isn't of the correct type REG_DWORD| +| 63 | AllowTelemetry isn't set to the appropriate value and it couldn't be set by the script.| +| 64 | AllowTelemetry isn't of the correct type REG_DWORD.| +| 66 | Failed to verify UTC connectivity and recent uploads.| +| 67 | Unexpected failure when verifying UTC CSP.| +| 91 | Failed to create new registry path for EnableAllowUCProcessing| +| 92 | Failed to create property for EnableAllowUCProcessing at registry path| +| 93 | Failed to update value for 
EnableAllowUCProcessing| +| 94 | Unexpected exception in EnableAllowUCProcessing| +| 99 | Device isn't Windows 10.| + +## Next steps + +[Use Update Compliance](update-compliance-v2-use.md) \ No newline at end of file diff --git a/windows/deployment/update/update-compliance-v2-enable.md b/windows/deployment/update/update-compliance-v2-enable.md new file mode 100644 index 0000000000..6f62c00c8f --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-enable.md 
@@ -0,0 +1,93 @@ +--- +title: Enable the Update Compliance solution +ms.reviewer: +manager: dougeby +description: How to enable the Update Compliance through the Azure portal +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.collection: M365-analytics +ms.topic: article +ms.date: 06/06/2022 +--- + +# Enable Update Compliance + +***(Applies to: Windows 11 & Windows 10)*** + +> [!Important] +> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. + +After verifying the [prerequisites](update-compliance-v2-prerequisites.md) are met, you can start to set up Update Compliance. The two main steps for setting up the Update Compliance solution are: + +1. [Add Update Compliance](#bkmk_add) to your Azure subscription. This step has the following two phases: + 1. [Select or create a new Log Analytics workspace](#bkmk_workspace) for use with Update Compliance. + 1. [Add the Update Compliance solution](#bkmk_solution) to the Log Analytics workspace. +1. Configure the clients to send data to Update compliance. You can configure clients in the following three ways: + - Use a [script](update-compliance-v2-configuration-script.md) + - Use [Microsoft Endpoint Manager](update-compliance-v2-configuration-mem.md) + - Configure [manually](update-compliance-v2-configuration-manual.md) + +## Add Update Compliance to your Azure subscription + +Before you configure clients to send data, you'll need to add the Update Compliance solution to your Azure subscription so the data can be received. First, you'll select or create a new Log Analytics workspace to use. Second, you'll add the Update Compliance solution to the workspace. 
+ +### Select or create a new Log Analytics workspace for Update Compliance + +Update Compliance uses an [Azure Log Analytics workspaces](/azure/azure-monitor/logs/log-analytics-overview) that you own for storing the client diagnostic data. Identify an existing workspace or create a new one using the following steps: + +1. Sign in to the Azure portal at [https://portal.azure.com](https://portal.azure.com). + - Although an Azure subscription is required, you won't be charged for ingestion of Update Compliance data. +1. In the Azure portal, type **Log Analytics** in the search bar. As you begin typing, the list filters based on your input. +1. Select **Log Analytics workspaces**. +1. If you already have a Log Analytics workspace, determine which Log Analytics workspace you'd like to use for Update Compliance. Ensure the workspace is in a **Compatible Log Analytics region** from the table listed in the [prerequisites](update-compliance-v2-prerequisites.md#log-analytics-regions). + - [Azure Update Management](/azure/automation/automation-intro#update-management) users should use the same workspace for Update Compliance. +1. If you don't have an existing Log Analytics workspace or you don't want to use a current workspace, [create a new workspace](/azure/azure-monitor/logs/quick-create-workspace) in a [compatible region](update-compliance-v2-prerequisites.md#log-analytics-regions). + + + +### Add the Update Compliance solution to the Log Analytics workspace + +Update Compliance is offered as an Azure Marketplace application that's linked to a new or existing Azure Log Analytics workspace within your Azure subscription. Follow the steps below to add the solution, to the workspace: + +1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.WaaSUpdateInsights?tab=Overview). You might need to sign into your Azure subscription to access this page. +1. Select **Get it now**. +1. 
Select **Continue** to agree to the [terms of use](https://azure.microsoft.com/[support/legal/) and the [privacy policy](https://privacy.microsoft.com/en-us/privacystatement) to create the app in Azure. +1. Sign into the [Azure portal](https://portal.azure.com) to finish creating the Update Compliance solution. +1. Select the following settings: + - **Subscription**: The Azure subscription to use. + - **Resource group**: Select or [create a resource group](/azure/azure-resource-manager/management/manage-resource-groups-portal) for the Update Compliance solution. + - **Azure Log Analytics Workspace**: The Log Analytics workspace you created or identified for use with Update Compliance. +1. Select **Review + create** to review your settings. +1. Select **Create** to add the solution. You'll receive a notification when the Updates Compliance solution has been successfully created. + +> [!Note] +> - You can only map one tenant to one Log Analytics workspace. Mapping one tenant to multiple workspaces isn't supported. +> - If you change the Log Analytics workspace for Update Compliance, stale data will be displayed for about 24 hours until the new workspace is fully onboarded. + +### Get the Commercial ID for the Update Compliance solution + +The **Commercial ID** directs your clients to the Update Compliance solution in your Log Analytics workspace. You'll need this ID when you configure clients to send data to Update Compliance. + +1. If needed, sign into the [Azure portal](https://portal.azure.com). +1. In the Azure portal, type **Log Analytics** in the search bar. As you begin typing, the list filters based on your input. +1. Select **Log Analytics workspaces**. +1. Select the Log Analytics workspace that you added the Update Compliance solution to. +1. Select **Solutions** from the Log Analytics workspace, then select **WaaSUpdateInsights(<Log Analytics workspace name>)** to go to the summary page for the solution. +1. 
Select **Update Compliance Settings** from the **WaaSUpdateInsights(<Log Analytics workspace name>)** summary page. +1. The **Commercial Id Key** is listed in the text box with an option to copy the ID. The **Commercial Id Key** is commonly referred to as the `CommercialID` or **Commercial ID** in Update Compliance. + + > [!Warning] + > Regenerate a Commercial ID only if your original ID can no longer be used. Regenerating a Commercial ID requires you to deploy the new commercial ID to your computers in order to continue to collect data and can result in data loss. + + +## Next steps + +Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. Enroll devices into Update Compliance using any of the following methods: + +- [Configure clients with a script](update-compliance-v2-configuration-script.md) +- [Configure clients manually](update-compliance-v2-configuration-manual.md) +- [Configure clients with Microsoft Endpoint Manager](update-compliance-v2-configuration-mem.md) diff --git a/windows/deployment/update/update-compliance-v2-overview.md b/windows/deployment/update/update-compliance-v2-overview.md new file mode 100644 index 0000000000..a3c3967aee --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-overview.md 
@@ -0,0 +1,77 @@ +--- +title: Update Compliance overview +ms.reviewer: +manager: dougeby +description: Overview of Update Compliance to explain what it's used for and the cloud services it relies on. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.collection: M365-analytics +ms.topic: article +ms.date: 06/06/2022 +--- + +# Update Compliance overview + +***(Applies to: Windows 11 & Windows 10)*** + +> [!Important] +> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. + +Update Compliance is a cloud-based solution that provides information about the compliance of your Azure Active Directory joined devices with Windows updates. Update Compliance is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses. Update Compliance helps you: + +- Monitor security, quality, and feature updates for Windows 11 and Windows 10 devices +- Report on devices with update compliance issues +- Review [Delivery Optimization](../do/waas-delivery-optimization.md) bandwidth savings across multiple content types + +## Technical preview information for Update Compliance + +The new version of Update Compliance is in technical preview. Some of the benefits of this new version include: + +- Integration with [Windows Update for Business deployment service](deployment-service-overview.md) to enable per deployment reporting, monitoring, and troubleshooting. +- Compatibility with [Feature updates](/mem/intune/protect/windows-10-feature-updates) and [Expedite Windows quality updates](/mem/intune/protect/windows-10-expedite-updates) policies in Intune. 
+- A new **Alerts** data type to assist you with identifying devices that encounter issues during the update process. Error code information is provided to help troubleshoot update issues. + +Currently, the technical preview contains the following features: + +- Access to the following new Update Compliance tables: + - UCClient + - UCClientReadinessStatus + - UCClientUpdateStatus + - UCDeviceAlert + - UCServiceUpdateStatus + - UCUpdateAlert +- Client data collection to populate the new Update Compliance tables + +:::image type="content" source="media/update-compliance-v2-query-table.png" alt-text="Screenshot of using a custom Kusto (KQL) query on Update Compliance data in Log Analytics." lightbox="media/update-compliance-v2-query-table.png"::: + +> [!IMPORTANT] +> Update Compliance is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Update Compliance doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). Update Compliance is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers. + +## How Update Compliance works + +You'll set up Update Compliance by enrolling into the solution from the Azure portal. Then you'll configure your Azure AD joined devices to send Windows client diagnostic data to the solution. Update Compliance uses [Log Analytics in Azure Monitor](/azure/azure-monitor/logs/log-analytics-overview) to store the diagnostic data the clients send. You can use this data for reporting on updates for your devices. 
Update Compliance collects system data such as: + +- Update deployment progress +- Delivery Optimization usage data +- Windows Update for Business configuration data + +The Azure Log Analytics ingestion and retention charges aren't incurred on your Azure subscription for Update Compliance data. You also choose an [Azure Log Analytics workspaces](/azure/azure-monitor/logs/log-analytics-overview) that you own for your client diagnostic data. The collected diagnostic data populates the Update Compliance tables so you can easily query your data. + +## Use your Update Compliance data + +Since the data from your clients is stored in a Log Analytics workspace, you can go beyond the standard reports to analyze and display your data in multiple ways. Some of the ways you could display your data include: + +- Using the data in [custom workbooks](/azure/azure-monitor/visualize/workbooks-overview) that you create +- Building [custom Kusto (KQL) queries](/azure/azure-monitor/logs/log-query-overview) +- Developing your own custom views by integrating the [Log Analytics data](/azure/azure-monitor/visualize/tutorial-logs-dashboards) into other tools such as: + - [Operations Management Suite](/azure/azure-monitor/agents/om-agents) + - [Power BI](/azure/azure-monitor/logs/log-powerbi) + - Other tools for [querying the data](/azure/azure-monitor/logs/log-query-overview) + +## Next steps + +- Review the [Update Compliance prerequisites](update-compliance-v2-prerequisites.md) diff --git a/windows/deployment/update/update-compliance-v2-prerequisites.md b/windows/deployment/update/update-compliance-v2-prerequisites.md new file mode 100644 index 0000000000..c4aa6213d1 --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-prerequisites.md 
@@ -0,0 +1,122 @@ +--- +title: Update Compliance prerequisites +ms.reviewer: +manager: dougeby +description: Prerequisites for Update Compliance +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.collection: M365-analytics +ms.topic: article +ms.date: 06/06/2022 +--- + +# Update Compliance prerequisites + +***(Applies to: Windows 11 & Windows 10)*** + +> [!Important] +> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. +> - Update Compliance is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Update Compliance doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). Update Compliance is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers. + +## Update Compliance prerequisites + +Before you begin the process of adding Update Compliance to your Azure subscription, ensure you meet the prerequisites. + +### Azure and Azure Active Directory + +- An Azure subscription with [Azure Active Directory](/azure/active-directory/) +- You must have either an Owner or Contributor [Azure role](/azure/role-based-access-control/rbac-and-directory-admin-roles#azure-roles) as a minimum in order to add the Update Compliance solution. 
+- Devices must be Azure Active Directory joined and meet the below OS, diagnostic, and endpoint access requirements + - Devices that are Workplace joined only (Azure AD registered) aren't supported with Update Compliance + +### Operating systems and editions + +- Windows 11 Professional, Education, Enterprise, and [Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq) editions +- Windows 10 Professional, Education, Enterprise, and [Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq) editions + +Update Compliance only provides data for the standard Desktop Windows client version and isn't currently compatible with Windows Server, Surface Hub, IoT, or other versions. + +### Windows client servicing channels + +Update Compliance supports Windows client devices on the following channels: + +- General Availability Channel +- Update Compliance *counts* Windows Insider Preview devices, but doesn't currently provide detailed deployment insights for them. + +### Diagnostic data requirements + +At minimum, Update Compliance requires devices to send diagnostic data at *Required* level (previously *Basic*). Some queries in Update Compliance require devices to send diagnostic data at the following levels: + +- *Optional* level (previously *Full*) for Windows 11 devices +- *Enhanced* level for Windows 10 devices + + > [!Note] + > Device names don't appear in Update Compliance unless you individually opt-in devices by using policy. 
The configuration script does this for you, but when using other client configuration methods, set one of the following to display device names: + > - CSP: System/[AllowDeviceNameInDiagnosticData](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) + > - Group Policy: **Allow device name to be sent in Windows diagnostic data** under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds** + +For more information about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319). + +### Data transmission requirements + + +[!INCLUDE [Endpoints for Update Compliance](./includes/update-compliance-endpoints.md)] + +> [!NOTE] +> Enrolling into Update Compliance from the [Azure CLI](/cli/azure) or enrolling programmatically another way currently isn't supported. You must manually add Update Compliance to your Azure subscription. + +## Microsoft 365 admin center permissions (optional) + +When you use the [Microsoft admin center software updates (preview) page](update-status-admin-center.md) with Update Compliance, the following permissions are also recommended: + - To configure settings for the **Software Updates** page: [Global Admin role](/microsoft-365/admin/add-users/about-admin-roles) + - To view the **Software Updates** page: [Global Reader role](/microsoft-365/admin/add-users/about-admin-roles) + +## Log Analytics prerequisites + +### Log Analytics permissions + +- To edit and write queries, we recommend the [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role. +- To read and only view data, we recommend the [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role. 
+ + +### Log Analytics regions + +Update Compliance can use a Log Analytics workspace in the following regions: + +|Compatible Log Analytics regions | +| ------------------------------- | +|Australia Central | +|Australia East | +|Australia Southeast | +|Brazil South | +|Canada Central | +|Central India | +|Central US | +|East Asia | +|East US | +|East US 2 | +|Eastus2euap(canary) | +|France Central | +|Japan East | +|Korea Central | +|North Central US | +|North Europe | +|South Africa North | +|South Central US | +|Southeast Asia | +|Switzerland North | +|Switzerland West | +|UK West | +|UK south | +|West Central US | +|West Europe | +|West US | +|West US 2 | + +## Next steps + +- [Enable the Update Compliance solution](update-compliance-v2-enable.md) in the Azure portal diff --git a/windows/deployment/update/update-compliance-v2-schema-ucclient.md b/windows/deployment/update/update-compliance-v2-schema-ucclient.md new file mode 100644 index 0000000000..70e9b938c4 --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-schema-ucclient.md 
@@ -0,0 +1,62 @@ +--- +title: Update Compliance Data Schema - UCClient +ms.reviewer: +manager: dougeby +description: UCClient schema +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.collection: M365-analytics +ms.topic: reference +ms.date: 06/06/2022 +--- + +# UCClient + +***(Applies to: Windows 11 & Windows 10)*** + +> [!Important] +> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. + +UCClient acts as an individual device's record. It contains data such as the currently installed build, the device's name, the OS edition, and active hours (quantitative). + +|Field |Type |Example |Description | +|---|---|---|---| +| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID | +| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID | +| **Country** | [string](/azure/kusto/query/scalar-data-types/string) | `US` | The last-reported location of device (country), based on IP address. Shown as country code. | +| **DeviceFamily** | [string](/azure/kusto/query/scalar-data-types/string) | `PC, Phone` | The device family such as PC, Phone. | +| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | Client-provided device name | +| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | The global device identifier | +| **LastCensusScanTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The last time this device performed a successful census scan, if any. 
| +| **LastWUScanTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The last time this device performed a successful Windows Update scan, if any. | +| **OSArchitecture** | [string](/azure/kusto/query/scalar-data-types/string) | `x86` | The architecture of the operating system (not the device) this device is currently on. | +| **OSBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full operating system build installed on this device, such as Major.Minor.Build.Revision | +| **OSBuildNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `da` | The major build number, in int format, the device is using. | +| **OSEdition** | [string](/azure/kusto/query/scalar-data-types/string) | `Professional` | The Windows edition | +| **OSFeatureUpdateComplianceStatus** | [string](/azure/kusto/query/scalar-data-types/string)| `Compliant` | Whether or not the device is on the latest feature update being offered by the Windows Update for Business deployment service, else NotApplicable. | +| **OSFeatureUpdateEOSTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The end of service date of the feature update currently installed on the device. | +| **OSFeatureUpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the feature update currently installed on the device. | +| **OSFeatureUpdateStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `InService;EndOfService` | Whether or not the device is on the latest available feature update, for its feature update. | +| **OSQualityUpdateComplianceStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `NotCompliant` | Whether or not the device is on the latest quality update being offered by the Windows Update for Business deployment service, else NotApplicable. 
| +| **OSQualityUpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the quality update currently installed on the device. | +| **OSQualityUpdateStatus** | [string](/azure/kusto/query/scalar-data-types/string)| `Latest;NotLatest` | Whether or not the device is on the latest available quality update, for its feature update. | +| **OSRevisionNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `836` | The revision, in int format, this device is on. | +| **OSSecurityUpdateComplianceStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `NotCompliant` | Whether or not the device is on the latest security update (quality update where the Classification=Security) being offered by the Windows Update for Business deployment service, else NotApplicable. | +| **OSSecurityUpdateStatus** | [string](/azure/kusto/query/scalar-data-types/string)| `Latest;NotLatest;MultipleSecurityUpdatesMissing` | Whether or not the device is on the latest available security update, for its feature update. | +| **OSServicingChannel** | [string](/azure/kusto/query/scalar-data-types/string) | `SAC` | The elected Windows 10 servicing channel of the device. | +| **OSVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10 operating system version currently installed on the device, such as 19H2, 20H1, 20H2. | +| **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager client ID, if available. | +| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. | +| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `DeviceEvent` | The EntityType. 
| +| **WUFeatureDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | `0` | CSP: ConfigureDeadlineForFeatureUpdates. The Windows update feature update deadline configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values > 0 indicate the deadline in days. | +| **WUFeatureDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | `0` | CSP: DeferFeatureUpdates. The Windows update feature update deferral configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values >0 indicate the policy setting. | +| **WUFeatureGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | `7` | The Windows Update grace period for feature update in days. -1 indicates not configured, 0 indicates configured and set to 0. Values greater than 0 indicate the grace period in days. | +| **WUFeaturePauseState** | [string](/azure/kusto/query/scalar-data-types/string) | `NotConfigured` | Indicates pause status of device for feature updates, possible values are Paused, NotPaused, NotConfigured. | +| **WUQualityDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | `7` | CSP: ConfigureDeadlineForQualityUpdates. The Windows update quality update deadline configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values > 0 indicate the deadline in days. | +| **WUQualityDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | `-1` | CSP: DeferQualityUpdates. The Windows Update quality update deferral configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values greater than 0 indicate the policy setting. | +| **WUQualityGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | `0` | The Windows Update grace period for quality update in days. -1 indicates not configured, 0 indicates configured and set to 0. Values greater than 0 indicate the grace period in days. 
| +| **WUQualityPauseState** | [string](/azure/kusto/query/scalar-data-types/string) | `NotConfigured` | Indicates pause status of device for quality updates, possible values are Paused, NotPaused, NotConfigured. | diff --git a/windows/deployment/update/update-compliance-v2-schema-ucclientreadinessstatus.md b/windows/deployment/update/update-compliance-v2-schema-ucclientreadinessstatus.md new file mode 100644 index 0000000000..45a6a8eae7 --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-schema-ucclientreadinessstatus.md 
@@ -0,0 +1,47 @@ +--- +title: Update Compliance Data Schema - UCClientReadinessStatus +ms.reviewer: +manager: dougeby +description: UCClientReadinessStatus schema +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.collection: M365-analytics +ms.topic: reference +ms.date: 06/06/2022 +--- + +# UCClientReadinessStatus + +***(Applies to: Windows 10)*** + +> [!Important] +> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. + +UCClientReadinessStatus is an individual device's record about its readiness for updating to Windows 11. If the device isn't capable of running Windows 11, the record includes which Windows 11 [hardware requirements](/windows/whats-new/windows-11-requirements#hardware-requirements) the device doesn't meet. + +|Field |Type |Example |Description | +|---|---|---|---| +| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | Client-provided device name | +| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | The global device identifier. | +| **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager Client ID, if available. | +| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID | +| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID | +| **OSName** | [string](/azure/kusto/query/scalar-data-types/string) | `Windows 10` | The operating system name. 
| +| **OSVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Win10 OS Version (such as 19H2, 20H1, 20H2) currently installed on the device. | +| **OSBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full OS build installed on this device, such as Major.Minor.Build.Revision | +| **TargetOSName** | [string](/azure/kusto/query/scalar-data-types/string) | `Windows 11` | The name of the operating system being targeted to the device for this readiness record.| +| **TargetOSVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `21H2` | The operating system version being targeted to the device for this readiness record.| +| **TargetOSBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.22000.1` | The full operating system build number that's being targeted to the device for this readiness record.| +| **ReadinessStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `Not capable` | The readiness status of the device is either capable, not capable, or unknown. This status is determined by Windows Update.| +| **ReadinessReason** | [string](/azure/kusto/query/scalar-data-types/string) | `CPU;TPM` | Lists which [hardware requirements](/windows/whats-new/windows-11-requirements#hardware-requirements) are blocking the device from being capable of installing Windows 11. Field is null if the device is capable. This status is determined by the Windows Update applicability. 
| +| **ReadinessScanTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The date and time when readiness was assessed and the assessment was sent.| +| **ReadinessExpiryTime**| [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The date and time when the readiness assessment will expire.| +| **SetupReadinessStatus**| [string](/azure/kusto/query/scalar-data-types/string) | `Not capable` | The readiness status of the device is either capable, not capable, or unknown. This status is determined by Windows setup.| +| **SetupReadinessReason** | [string](/azure/kusto/query/scalar-data-types/string) | `CPU;TPM` | Lists which [hardware requirements](/windows/whats-new/windows-11-requirements#hardware-requirements) are blocking the device from being capable of installing Windows 11. Field is null if the device is capable. This status is determined by Windows setup. | +| **SetupReadinessTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The date and time when readiness was assessed by setup and the assessment was sent.| +| **SetupReadinessExpiryTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The date and time when the setup readiness assessment will expire.| +| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 10:26:03.478039` | The date and time when Azure Monitor Logs ingested this record for your Log Analytics workspace.| diff --git a/windows/deployment/update/update-compliance-v2-schema-ucclientupdatestatus.md b/windows/deployment/update/update-compliance-v2-schema-ucclientupdatestatus.md new file mode 100644 index 0000000000..0fc27a857d --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-schema-ucclientupdatestatus.md 
@@ -0,0 +1,54 @@ +--- +title: Update Compliance Data Schema - UCClientUpdateStatus +ms.reviewer: +manager: dougeby +description: UCClientUpdateStatus schema +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.collection: M365-analytics +ms.topic: reference +ms.date: 06/06/2022 +--- + +# UCClientUpdateStatus + +***(Applies to: Windows 11 & Windows 10)*** + +> [!Important] +> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. + +Update Event that combines the latest client-based data with the latest service-based data to create a complete picture for one device (client) and one update. + +| Field | Type | Example | Description | +|---|---|---|---| +| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | A string corresponding to the Azure AD tenant to which the device belongs. | +| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | A string corresponding to this device's Azure AD device ID | +| **ClientState** | [string](/azure/kusto/query/scalar-data-types/string) | `Installing` | Higher-level bucket of ClientSubstate. | +| **ClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadStart` | Last-known state of this update relative to the device, from the client. | +| **ClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2300` | Ranking of client substates for sequential ordering in funnel-type views. The rankings between ServiceSubstate and ClientSubstate can be used together. 
| +| **ClientSubstateTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time of last client substate transition | +| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | The identifier of the deployment that is targeting this update to this device, else empty. | +| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | Device's given name | +| **FurthestClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadComplete` | Furthest clientSubstate | +| **FurthestClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2400` | Ranking of furthest clientSubstate | +| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | Microsoft internal global device identifier | +| **OfferReceivedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time when device last reported entering OfferReceived, else empty. | +| **RestartRequiredTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time when device first reported entering RebootRequired (or RebootPending), else empty. | +| **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | A string corresponding to the Configuration Manager Client ID on the device. | +| **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full build of the content this DeviceUpdateEvent is tracking. For Windows 10 updates, this value would correspond to the full build (10.0.14393.385). | +| **TargetBuildNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `18363` | Integer of the Major portion of Build. 
| +| **TargetKBNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `4524570` | KB Article. | +| **TargetRevisionNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `836` | Integer or the minor (or revision) portion of the build. | +| **TargetVersion** | [int](/azure/kusto/query/scalar-data-types/int) | `1909` | The target operating system version, such as 1909. | +| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. | +| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `DeviceUpdateEvent` | The EntityType | +| **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. | +| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether the update classification is an upgrade (feature update), security (quality update), non-security (quality update) | +| **UpdateDisplayName** | [string](/azure/kusto/query/scalar-data-types/string) | `Windows 10 1909` | The long-form display name for the given update. Varies on content type (feature update. quality update) | +| **UpdateInstalledTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | DateTime when event transitioned to UpdateInstalled, else empty. | +| **UpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the update | +| **UpdateSource** | [string](/azure/kusto/query/scalar-data-types/string) | `UUP` | The source of the update such as UUP, MUv6, Media | 
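Review bot: In the UCClientUpdateStatus field table, the descriptions of the first two rows are swapped: AzureADDeviceId is described as "A string corresponding to the Azure AD tenant to which the device belongs" and AzureADTenantId as "A string corresponding to this device's Azure AD device ID". Exchange the two descriptions, since anyone joining this table to device inventory or scoping a query to a tenant will rely on them. Smaller fixes in the same table: TargetRevisionNumber reads "Integer or the minor" where "of" is meant, UpdateDisplayName has "(feature update. quality update)" with a period in place of a comma, and TargetBuild's description cites 10.0.14393.385 while its example column shows `10.0.18363.836`, so use one build in both places.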
diff --git a/windows/deployment/update/update-compliance-v2-schema-ucdevicealert.md b/windows/deployment/update/update-compliance-v2-schema-ucdevicealert.md new file mode 100644 index 0000000000..71696884f7 --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-schema-ucdevicealert.md 
@@ -0,0 +1,53 @@ +--- +title: Update Compliance Data Schema - UCDeviceAlert +ms.reviewer: +manager: dougeby +description: UCDeviceAlert schema +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.collection: M365-analytics +ms.topic: reference +ms.date: 06/06/2022 +--- + +# UCDeviceAlert + +***(Applies to: Windows 11 & Windows 10)*** + +> [!Important] +> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. + +These alerts are activated as a result of an issue that is device-specific. It isn't specific to the combination of a specific update and a specific device. Like UpdateAlerts, the AlertType indicates where the Alert comes from (ServiceDeviceAlert, ClientDeviceAlert). For example, an EndOfService alert is a ClientDeviceAlert, as a build no longer being serviced (EOS) is a client-wide state. Meanwhile, DeviceRegistrationIssues in the Windows Update for Business deployment service will be a ServiceDeviceAlert, as it's a device-wide state in the service to not be correctly registered. + +|Field |Type |Example |Description | +|---|---|---|---| +| **AlertClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Error` | Whether this alert is an Error, a Warning, or Informational. 
| +| **AlertId** | [string](/azure/kusto/query/scalar-data-types/string) | `9e107d9d372bb6826bd81d3542a419d6` | The unique identifier of this alert | +| **AlertRank** | [int](/azure/kusto/query/scalar-data-types/int) | `1000` | Integer ranking of alert for prioritization during troubleshooting | +| **AlertStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `Active` | Whether this alert is Active, Resolved, or Deleted | +| **AlertSubtype** | [string](/azure/kusto/query/scalar-data-types/string) | `DiskFull` | The subtype of alert. | +| **AlertType** | [string](/azure/kusto/query/scalar-data-types/string) | `ClientUpdateAlert` | The type of alert such as ClientUpdateAlert or ServiceUpdateAlert. Indicates which fields will be present. | +| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD device ID of the device, if available. | +| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD tenant ID of the device. | +| **ClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadStart` | If the alert is from the client, the ClientSubstate at the time this alert was activated or updated, else empty. | +| **ClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2300` | Rank of ClientSubstate | +| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | The deployment this alert is relative to, if there's one. | +| **Description** | [string](/azure/kusto/query/scalar-data-types/string) | `Disk full` | A localized string translated from a combination of other alert fields + language preference that describes the issue in detail. 
| +| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | The given device's name | +| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:1298371934870` | Internal Microsoft global identifier, if available. | +| **Recommendation** | [string](/azure/kusto/query/scalar-data-types/string) | `Free up disk space.` | A localized string translated from RecommendedAction, Message, and other fields (depending on source of alert) that provides a recommended action. | +| **ResolvedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time this alert was resolved, else empty. | +| **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager client ID of the device, if available. | +| **ServiceSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `OfferReady` | If the alert is from the service, the ServiceSubstate at the time this alert was activated or updated, else Empty. | +| **ServiceSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `100` | Rank of ServiceSubstate | +| **StartTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time this alert was activated. | +| **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `18363.836` | The Windows 10 Major. Revision this UpdateAlert is relative to. | +| **TargetVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10 build this UpdateAlert is relative to. | +| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. | +| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UpdateAlert` | The entity type. 
| +| **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. | +| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this content is an upgrade (feature update), security (quality update), non-security (quality update) | diff --git a/windows/deployment/update/update-compliance-v2-schema-ucserviceupdatestatus.md b/windows/deployment/update/update-compliance-v2-schema-ucserviceupdatestatus.md new file mode 100644 index 0000000000..e2fb645ed5 --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-schema-ucserviceupdatestatus.md 
@@ -0,0 +1,41 @@ +--- +title: Update Compliance Data Schema - UCServiceUpdateStatus +ms.reviewer: +manager: dougeby +description: UCServiceUpdateStatus schema +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.collection: M365-analytics +ms.topic: reference +ms.date: 06/06/2022 +--- + +# UCServiceUpdateStatus + +***(Applies to: Windows 11 & Windows 10)*** + +> [!Important] +> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. + +Update Event that comes directly from the service-side. The event has only service-side information for one device (client), and one update, in one deployment. This event has certain fields removed from it in favor of being able to show data in near real-time. + +| Field | Type | Example | Description | +|---|---|---|---| +| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. | +| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | A GUID corresponding to the Azure AD tenant to which the device belongs. | +| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. 
| +| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | Microsoft internal global device identifier | +| **OfferReadyTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | DateTime of OfferReady transition. If empty, not yet been offered. | +| **ServiceState** | [string](/azure/kusto/query/scalar-data-types/string) | `Offering` | High-level state of update's status relative to device, service-side. | +| **ServiceSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `OfferReady` | Low-level state of update's status relative to device, service-side. | +| **ServiceSubstateTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time of last ServiceSubstate transition. | +| **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full build for the content this event is tracking. For Windows 10, this string corresponds to "10.0.Build.Revision" | +| **TargetVersion** | [int](/azure/kusto/query/scalar-data-types/int) | `1909` | The version of content this DeviceUpdateEvent is tracking. For Windows 10 updates, this number would correspond to the year/month version format used, such as 1903. | +| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Time the snapshot ran can also be the same as EventDateTimeUTC in some cases. | +| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `ServiceUpdateEvent` | The EntityType | +| **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. | +| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), non-security (quality update) | 
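Review bot: In the UCServiceUpdateStatus table, the AzureADDeviceId row carries the DeploymentId description word for word ("If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty."), so the device identifier is documented as a policy GUID. Replace it with a device ID description that matches the one used on the alert schema pages ("Azure AD device ID of the device, if available."). The TimeGenerated description ("Time the snapshot ran can also be the same as EventDateTimeUTC in some cases.") is a run-on and refers to EventDateTimeUTC, which this table does not define; split the sentence and either document that field or drop the reference. The Type example is `ServiceUpdateEvent` while the other rows call the record a DeviceUpdateEvent, so pick one term.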
diff --git a/windows/deployment/update/update-compliance-v2-schema-ucupdatealert.md b/windows/deployment/update/update-compliance-v2-schema-ucupdatealert.md new file mode 100644 index 0000000000..1520b8656b --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-schema-ucupdatealert.md 
@@ -0,0 +1,56 @@ +--- +title: Update Compliance Data Schema - UCUpdateAlert +ms.reviewer: +manager: dougeby +description: UCUpdateAlert schema +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.collection: M365-analytics +ms.topic: reference +ms.date: 06/06/2022 +--- + +# UCUpdateAlert + +***(Applies to: Windows 11 & Windows 10)*** + +> [!Important] +> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. + +Alert for both client and service updates. Contains information that needs attention, relative to one device (client), one update, and one deployment (if relevant). Certain fields may be blank depending on the UpdateAlert's AlertType field; for example, ServiceUpdateAlert won't necessarily contain client-side statuses. + +|Field |Type |Example |Description | +|---|---|---|---| +| **AlertClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Error` | Whether this alert is an Error, a Warning, or Informational | +| **AlertData** | [string](/azure/kusto/query/scalar-data-types/string) {json} | `{ "freeDiskCapacityMb": 3213, "contentSizeMb": 4381}` | An optional string formatted as a json payload containing metadata for the alert. 
| +| **AlertId** | [string](/azure/kusto/query/scalar-data-types/string) | `9e107d9d372bb6826bd81d3542a419d6` | The unique identifier of this alert | +| **AlertRank** | [int](/azure/kusto/query/scalar-data-types/int) | `1000` | Integer ranking of alert for prioritization during troubleshooting | +| **AlertStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `Active` | Whether this alert is Active, Resolved, or Deleted | +| **AlertSubtype** | [string](/azure/kusto/query/scalar-data-types/string) | `DiskFull` | The subtype of alert | +| **AlertType** | [string](/azure/kusto/query/scalar-data-types/string) | `ClientUpdateAlert` | The type of alert such as ClientUpdateAlert or ServiceUpdateAlert. Indicates which fields will be present | +| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD device ID of the device, if available. | +| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD tenant ID of the device. | +| **ClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadStart` | If the alert is from the client, the ClientSubstate at the time this alert was activated or updated, else empty. | +| **ClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2300` | Rank of ClientSubstate | +| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | The deployment this alert is relative to, if there's one. | +| **Description** | [string](/azure/kusto/query/scalar-data-types/string) | `Disk full` | A localized string translated from a combination of other Alert fields + language preference that describes the issue in detail. 
| +| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | The given device's name | +| **ErrorCode** | [string](/azure/kusto/query/scalar-data-types/string) | `0x8326CFA2D_C3FD` | The error code, if any, that triggered this alert. In the case of client-based explicit alerts, error codes can have extended error codes, which are appended to the error code with an underscore separator. | +| **ErrorSymName** | [string](/azure/kusto/query/scalar-data-types/string) | `WU_E_DISK_FULL` | The symbolic name that maps to the error code, if any, otherwise empty. | +| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:1298371934870` | Internal Microsoft Global identifier, if available. | +| **Recommendation** | [string](/azure/kusto/query/scalar-data-types/string) | `Free up disk space.` | A localized string translated from RecommendedAction, Message, and other fields (depending on the source of the alert) that provides a recommended action. | +| **ResolvedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time this alert was resolved, else empty. | +| **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager client ID of the device, if available. | +| **ServiceSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `OfferReady` | If the alert is from the service, the ServiceSubstate at the time this alert was activated or updated, else empty. | +| **StartTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time this alert was activated. | +| **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `18363.836` | The Windows 10 Major. Revision this UpdateAlert is relative to. 
| +| **TargetVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10 build this UpdateAlert is relative to. | +| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. | +| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UpdateAlert` | The entity type. | +| **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. | +| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), non-security (quality update) | +| **URL** | [string](/azure/kusto/query/scalar-data-types/string) | `aka.ms/errordetail32152` | An optional URL to get more in-depth information related to this alert. | diff --git a/windows/deployment/update/update-compliance-v2-schema.md b/windows/deployment/update/update-compliance-v2-schema.md new file mode 100644 index 0000000000..4a8db43f15 --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-schema.md 
@@ -0,0 +1,40 @@ +--- +title: Update Compliance (preview) data schema +ms.reviewer: +manager: dougeby +description: An overview of Update Compliance (preview) data schema +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.collection: M365-analytics +ms.topic: reference +ms.date: 06/06/2022 +--- + +# Update Compliance version 2 schema + +***(Applies to: Windows 11 & Windows 10)*** + +> [!Important] +> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. + +When the visualizations provided in the default experience don't fulfill your reporting needs, or if you need to troubleshoot issues with devices, it's valuable to understand the schema for Update Compliance and have a high-level understanding of the capabilities of [Azure Monitor log queries](/azure/azure-monitor/log-query/query-language) to power additional dashboards, integration with external data analysis tools, automated alerting, and more. + +## Schema + +The table below summarizes the different tables that are part of the Update Compliance solution. To learn how to navigate Azure Monitor Logs to find this data, see [Get started with log queries in Azure Monitor](/azure/azure-monitor/log-query/get-started-queries). + +> [!NOTE] +> Data is collected daily. The TimeGenerated field shows the time data was collected. It's added by Log Analytics when data is collected. Device data from the past 28 days is collected, even if no new data has been generated since the last time. LastScan is a clearer indicator of data freshness (that is, the last time the values were updated), while TimeGenerated indicates the freshness of data within Log Analytics. 
+ +|Table |Category |Description | +|--|--|--| +| [**UCClient**](update-compliance-v2-schema-ucclient.md) | Device record | UCClient acts as an individual device's record. It contains data such as the currently installed build, the device's name, the operating system edition, and active hours (quantitative). | +|[**UCClientReadinessStatus**](update-compliance-v2-schema-ucclientreadinessstatus.md) | Device record | UCClientReadinessStatus is an individual device's record about its readiness for updating to Windows 11. If the device isn't capable of running Windows 11, the record includes which Windows 11 hardware requirements the device doesn't meet.| +| [**UCClientUpdateStatus**](update-compliance-v2-schema-ucclientupdatestatus.md) | Device record | Update Event that combines the latest client-based data with the latest service-based data to create a complete picture for one device (client) and one update. | +| [**UCDeviceAlert**](update-compliance-v2-schema-ucdevicealert.md)| Service and device record | These alerts are activated as a result of an issue that is device-specific. It isn't specific to the combination of a specific update and a specific device. Like UpdateAlerts, the AlertType indicates where the Alert comes from such as a ServiceDeviceAlert or ClientDeviceAlert. | +| [**UCServiceUpdateStatus**](update-compliance-v2-schema-ucserviceupdatestatus.md) | Service record | Update Event that comes directly from the service-side. The event has only service-side information for one device (client), and one update, in one deployment. | +| [**UCUpdateAlert**](update-compliance-v2-schema-ucupdatealert.md) | Service and device records | Alert for both client and service update. Contains information that needs attention, relative to one device (client), one update, and one deployment, if relevant. Certain fields may be blank depending on the UpdateAlert's AlertType field. 
For example, ServiceUpdateAlert won't necessarily contain client-side statuses and may be blank. | diff --git a/windows/deployment/update/update-compliance-v2-use.md b/windows/deployment/update/update-compliance-v2-use.md new file mode 100644 index 0000000000..79edaa01cc --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-use.md 
@@ -0,0 +1,66 @@ +--- +title: Use the Update Compliance (preview) solution +ms.reviewer: +manager: dougeby +description: How to use the Update Compliance (preview) solution. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.collection: M365-analytics +ms.topic: article +ms.date: 06/06/2022 +--- + +# Use Update Compliance (preview) + +***(Applies to: Windows 11 & Windows 10)*** + +> [!Important] +> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. + +In this article, you'll learn how to use Update Compliance to monitor Windows updates for your devices. To configure your environment for use with Update Compliance, see [Enable Update Compliance](update-compliance-v2-enable.md). + +## Display Update Compliance data + +1. Sign into the [Azure portal](https://portal.azure.com). +1. In the Azure portal, type **Log Analytics** in the search bar. As you begin typing, the list filters based on your input. +1. Select **Log Analytics workspaces**. +1. Select the workspace that you use for Updates Compliance. +1. Select **Logs** under the **General** group in your workspace. +1. If the **Always show Queries** option is enabled in Log Analytics, close the query window to access the schema. +1. Under **Schemas and filter**, select **Group by: Solution** and then expand the **Update Compliance** schema. If the **Group by: Category** is selected, the **Update Compliance** schema is listed under the **Other** category. +1. Use the [Update Compliance schema](update-compliance-v2-schema.md) for [custom Kusto (KQL) queries](/azure/data-explorer/kusto/query/), to build [custom workbooks](/azure/azure-monitor/visualize/workbooks-overview), or to build your own solution to display the Update Compliance data. 
For example, you might query the data to review information for different types of alerts in the past 7 days and how many times each alert occurred. + +```kusto +UCUpdateAlert +| summarize count=count() by AlertClassification, AlertSubtype, ErrorCode, Description +``` + +:::image type="content" source="media/update-compliance-v2-query-table.png" alt-text="Screenshot of using a custom Kusto (KQL) query on Update Compliance data in Log Analytics." lightbox="media/update-compliance-v2-query-table.png"::: + +## Update Compliance data latency + +Update Compliance uses Windows client diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear. + +The data powering Update Compliance is refreshed every 24 hours, and refreshes with the latest data from all of your organization's devices that have been seen in the past 28 days. The entire set of data is refreshed in each daily snapshot, which means that the same data can be ingested again even if no new data actually arrived from the device since the last snapshot. Snapshot time can be determined by the TimeGenerated field for each record, while LastScan can be used to roughly determine the freshness of each record's data. Device connectivity to the internet and generally how active the device is influences how long it will take before it appears in Update Compliance. 
+ +| Data Type | Data upload rate from device | Data Latency | +|--|--|--| +| UCClient | Once per day |4 hours | +| UCClientUpdateStatus|Every update event (Download, install, etc.)|24-36 hours | +| UCServiceUpdateStatus| Every update event (Download, install, etc.)|24-36 hours | +| UCUpdateAlert | Every event | 24-36 hours | +| UCDeviceAlert | Every event | 24-36 hours | +| UCClientReadinessStatus | After Windows 11 readiness assessment |24-36 hours | + +## Using Log Analytics + +Update Compliance is built on the Log Analytics platform that is integrated into Operations Management Suite. All data in the workspace is the direct result of a query. Understanding the tools and features at your disposal, all integrated within Azure portal, can deeply enhance your experience and complement Update Compliance. + +See below for a few articles related to Log Analytics: +- Learn how to effectively execute custom Log Searches by referring to Microsoft Azure's excellent documentation on [querying data in Log Analytics](/azure/log-analytics/log-analytics-log-searches). +- Review the documentation on [analyzing data for use in Log Analytics](/azure/log-analytics/log-analytics-dashboards) to develop your own custom data views in Operations Management Suite or [Power BI](https://powerbi.microsoft.com/). +- [Gain an overview of alerts for Log Analytics](/azure/log-analytics/log-analytics-alerts) and learn how to use it to always stay informed about the most critical issues you care about. diff --git a/windows/deployment/update/update-status-admin-center.md b/windows/deployment/update/update-status-admin-center.md new file mode 100644 index 0000000000..a6e1f241de --- /dev/null +++ b/windows/deployment/update/update-status-admin-center.md 
@@ -0,0 +1,86 @@ +--- +title: Microsoft admin center software updates (preview) page +manager: dougeby +description: Microsoft admin center populates Update Compliance data into the software updates page. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.localizationpriority: medium +ms.collection: + - M365-analytics + - highpri +ms.topic: article +ms.date: 05/07/2022 +--- + +# Microsoft admin center software updates (preview) page + +***(Applies to: Windows 11 & Windows 10 using [Update Compliance](update-compliance-v2-overview.md) and the [Microsoft 365 admin center](/microsoft-365/admin/admin-overview/admin-center-overview))*** + +> [!Important] +> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. + +The **Software updates** page in the [Microsoft 365 admin center](https://admin.microsoft.com) displays a high-level overview of the installation status for Microsoft 365 Apps and Windows updates in your environment. [Quality updates](quality-updates.md) that contain security fixes are typically released on the second Tuesday of each month. Ensuring these updates are installed is important because they help protect you from known vulnerabilities. The **Software updates** page allows you to easily determine the overall update compliance for your devices. + +The **Software updates** page has following tabs to assist you in monitoring update status for your devices: + +- **Microsoft 365 Apps**: Displays update status for Microsoft 365 Apps. + - For more information about the **Microsoft 365 Apps** tab, see [Microsoft 365 Apps updates in the admin center](/DeployOffice/updates/software-update-status). 
+- **Windows**: Displays compliance charts for cumulative updates and feature updates for Windows clients. This article contains information about the **Windows** tab. + +:::image type="content" source="media/37063317-admin-center-software-updates.png" alt-text="Screenshot of the Microsoft 365 admin center displaying the software updates page with the Windows tab selected." lightbox="media/37063317-admin-center-software-updates.png"::: + +## Prerequisites + +- [Update Compliance](update-compliance-v2-overview.md) needs to be enabled with clients sending data to the solution +- An appropriate role assigned for the [Microsoft 365 admin center](https://admin.microsoft.com) + - To configure settings for the **Software Updates** page: [Global Admin role](/microsoft-365/admin/add-users/about-admin-roles) + - To view the **Software Updates** page: [Global Reader role](/microsoft-365/admin/add-users/about-admin-roles) + +## Limitations + +Update Compliance is a Windows service hosted in Azure that uses Windows diagnostic data. Update Compliance is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers since it doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). + +## Get started + +1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com/) and sign in. +1. Expand **Health**, then select **Software Updates**. You may need to use the **Show all** option to display **Health** in the navigation menu. +1. In the **Software Updates** page, select the **Windows** tab. +1. When you select the **Windows** tab for the first time, you'll be asked to **Configure Settings**. 
This tab is populated by data from [Update Compliance](update-compliance-v2-overview.md). Verify or supply the following information about the settings for Update Compliance: + + - The Azure subscription + - The Log Analytics workspace +1. The initial setup can take up to 24 hours. During this time, the **Windows** tab will display that it's **Waiting for Update Compliance data**. +1. After the initial setup is complete, the **Windows** tab will display your Update Compliance data in the charts. + +> [!Tip] +> If you don't see an entry for **Software updates (preview)** in the menu, try going to this URL: [https://admin.microsoft.com/Adminportal/Home#/softwareupdates](https://admin.microsoft.com/Adminportal/Home#/softwareupdates). + +## The Windows tab + +The **Windows** tab in the **Software updates** page in the Microsoft admin center is populated by data from [Update Compliance](update-compliance-v2-overview.md). The tab contains a high-level overview of update compliance for Windows clients in your environment. The tab displays two charts **Windows update status** and **End of service**. The Update Compliance data that populates these charts refreshes every 24 hours. For more information, see [Update Compliance data latency](update-compliance-v2-use.md#update-compliance-data-latency). + +### Windows update status chart + +The **Windows update status** chart gives you a visual representation of how many devices are in the following states for the monthly cumulative updates: + +- Up to date +- Missing security updates +- Unsupported operating system + +A device is considered **Up to date** in this chart if it has installed [security updates](quality-updates.md) released within the past two months. Devices that are more two months behind on installation are in the **Missing security updates** classification. An **Unsupported operating system** is no longer supported by the [Microsoft Product Lifecycle](/lifecycle/products/). 
+ +:::image type="content" source="media/37063317-windows-update-status-chart.png" alt-text="Screenshot of the Windows update status chart that is displayed in the Microsoft 365 admin center." lightbox="media/37063317-windows-update-status-chart.png"::: + +### End of service chart + +The **End of service** chart list the number of devices running an operating system version that's near or past the [Microsoft Product Lifecycle](/lifecycle/products/). The **End of service** chart lists all operating system versions that aren't the latest version and counts the number of devices for each version. This chart can help you determine how many of your devices need to install the latest operating system [feature update](waas-quick-start.md#definitions). If you're currently deploying feature updates to these devices, the chart can also give you insight into how the deployment is progressing. + +:::image type="content" source="media/37063317-end-of-service-chart.png" alt-text="Screenshot of the end of service chart that is displayed in the Microsoft 365 admin center." lightbox="media/37063317-end-of-service-chart.png"::: + +## Next steps + +Use [Update Compliance](update-compliance-v2-overview.md) to display additional data about the status of Windows updates. diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md index ccd0fe2dc5..dec2eca8c6 100644 --- a/windows/deployment/update/windows-update-error-reference.md +++ b/windows/deployment/update/windows-update-error-reference.md 
@@ -45,8 +45,8 @@ This section lists the error codes for Microsoft Windows Update. | 0x80243002 | `WU_E_INSTALLATION_RESULTS_INVALID_DATA` | The results of download and installation could not be read from the registry due to an invalid data format. | | 0x80243003 | `WU_E_INSTALLATION_RESULTS_NOT_FOUND` | The results of download and installation are not available; the operation may have failed to start. | | 0x80243004 | `WU_E_TRAYICON_FAILURE` | A failure occurred when trying to create an icon in the taskbar notification area. | -| 0x80243FFD | `WU_E_NON_UI_MODE` | Unable to show UI when in non-UI mode; WU client UI modules may not be installed. | -| 0x80243FFE | `WU_E_WUCLTUI_UNSUPPORTED_VERSION` | Unsupported version of WU client UI exported functions. | +| 0x80243FFD | `WU_E_NON_UI_MODE` | Unable to show UI when in non-UI mode; Windows Update client UI modules may not be installed. | +| 0x80243FFE | `WU_E_WUCLTUI_UNSUPPORTED_VERSION` | Unsupported version of Windows Update client UI exported functions. | | 0x80243FFF | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. | | 0x8024043D | `WU_E_SERVICEPROP_NOTAVAIL` | The requested service property is not available. | diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md index cd20de0565..ca12e829de 100644 --- a/windows/deployment/update/windows-update-overview.md +++ b/windows/deployment/update/windows-update-overview.md 
@@ -47,8 +47,8 @@ To understand the changes to the Windows Update architecture that UUP introduces > >Store apps aren't installed by USO, today they are separate. -- **WU Client/ UpdateAgent** - The component running on your PC. It's essentially a DLL that is downloaded to the device when an update is applicable. It surfaces the APIs needed to perform an update, including those needed to generate a list of payloads to download, as well as starts stage and commit operations. It provides a unified interface that abstracts away the underlying update technologies from the caller. -- **WU Arbiter handle**- Code that is included in the UpdateAgent binary. The arbiter gathers information about the device, and uses the CompDB(s) to output an action list. It is responsible for determining the final "composition state" of your device, and which payloads (like ESDs or packages) are needed to get your device up to date. +- **Windows Update Client/ UpdateAgent** - The component running on your PC. It's essentially a DLL that is downloaded to the device when an update is applicable. It surfaces the APIs needed to perform an update, including those needed to generate a list of payloads to download, as well as starts stage and commit operations. It provides a unified interface that abstracts away the underlying update technologies from the caller. +- **Windows Update Arbiter handle**- Code that is included in the UpdateAgent binary. The arbiter gathers information about the device, and uses the CompDB(s) to output an action list. It is responsible for determining the final "composition state" of your device, and which payloads (like ESDs or packages) are needed to get your device up to date. - **Deployment Arbiter**- A deployment manager that calls different installers. For example, CBS. Additional components include the following- diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md index daf7fb1e1a..88fe7b97db 100644 
--- a/windows/deployment/upgrade/log-files.md +++ b/windows/deployment/upgrade/log-files.md @@ -42,7 +42,7 @@ The following table describes some log files and how to use them for troubleshoo |setupact.log|Post-upgrade (after OOBE):
    Windows\Panther|Contains information about setup actions during the installation.|Investigate post-upgrade related issues.| |setuperr.log|Same as setupact.log|Contains information about setup errors during the installation.|Review all errors encountered during the installation phase.| |miglog.xml|Post-upgrade (after OOBE):
    Windows\Panther|Contains information about what was migrated during the installation.|Identify post upgrade data migration issues.| -|BlueBox.log|Down-Level:
    Windows\Logs\Mosetup|Contains information communication between setup.exe and Windows Update.|Use during WSUS and WU down-level failures or for 0xC1900107.| +|BlueBox.log|Down-Level:
    Windows\Logs\Mosetup|Contains information communication between setup.exe and Windows Update.|Use during WSUS and Windows Update down-level failures or for 0xC1900107.| |Supplemental rollback logs:
    Setupmem.dmp
    setupapi.dev.log
    Event logs (*.evtx)|$Windows.~BT\Sources\Rollback|Additional logs collected during rollback.|Setupmem.dmp: If OS bug checks during upgrade, setup will attempt to extract a mini-dump.
    Setupapi: Device install issues - 0x30018
    Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.| ## Log entry structure diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md index d2bec5e3f1..aa86279555 100644 --- a/windows/deployment/upgrade/resolution-procedures.md +++ b/windows/deployment/upgrade/resolution-procedures.md @@ -189,5 +189,5 @@ Also see the following sequential list of modern setup (mosetup) error codes wit - [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications) - [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/home?category=Windows10ITPro) - [Fix Windows Update errors by using the DISM or System Update Readiness tool](/troubleshoot/windows-server/deployment/fix-windows-update-errors) -- [Win 7 to Win 10 upgrade error (0x800707E7 - 0x3000D)](https://answers.microsoft.com/en-us/windows/forum/all/win-7-to-win-10-upgrade-error-0x800707e7-0x3000d/1273bc1e-8a04-44d4-a6b2-808c9feeb020)) -- [Win 10 upgrade error: User profile suffix mismatch, 0x800707E7 - 0x3000D](https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/win-10-upgrade-error-user-profile-suffix-mismatch/0f006733-2af5-4b42-a2d4-863fad05273d?page=3) +- [Windows 7 to Windows 10 upgrade error (0x800707E7 - 0x3000D)](https://answers.microsoft.com/en-us/windows/forum/all/win-7-to-win-10-upgrade-error-0x800707e7-0x3000d/1273bc1e-8a04-44d4-a6b2-808c9feeb020)) +- [Windows 10 upgrade error: User profile suffix mismatch, 0x800707E7 - 0x3000D](https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/win-10-upgrade-error-user-profile-suffix-mismatch/0f006733-2af5-4b42-a2d4-863fad05273d?page=3) diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index 505f23ab18..96000210d8 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md 
@@ -298,7 +298,7 @@ Each rule name and its associated unique rule identifier are listed with a descr 39. WimApplyExtractFailure – 746879E9-C9C5-488C-8D4B-0C811FF3A9A8 - Matches a wim apply failure during wim extraction phases of setup. Will output the extension, path and error code. 40. UpdateAgentExpanderFailure – 66E496B3-7D19-47FA-B19B-4040B9FD17E2 - - Matches DPX expander failures in the down-level phase of update from WU. Will output the package name, function, expression and error code. + - Matches DPX expander failures in the down-level phase of update from Windows Update. Will output the package name, function, expression and error code. 41. FindFatalPluginFailure – E48E3F1C-26F6-4AFB-859B-BF637DA49636 - Matches any plug-in failure that setupplatform decides is fatal to setup. Will output the plugin name, operation and error code. 42. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index 959bb7e649..17a7749691 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -57,15 +57,15 @@ X = unsupported
    | **Home > Pro for Workstations** | ![not supported.](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | | **Home > Pro Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | | **Home > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Pro > Pro for Workstations** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
    (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | -| **Pro > Pro Education** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
    (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
    (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Pro > Enterprise** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
    (1703 - PC)
    (1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Pro Education** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
    (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
    (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Enterprise** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
    (1703 - PC)
    (1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro Education > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
    (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Enterprise > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
    (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Pro > Pro for Workstations** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
    (Microsoft Store for Business) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | +| **Pro > Pro Education** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
    (Microsoft Store for Business) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
    (Microsoft Store for Business) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Pro > Enterprise** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
    (1703 - PC)
    (1709 - Microsoft Store for Business) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Pro Education** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
    (Microsoft Store for Business) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
    (Microsoft Store for Business) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Enterprise** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
    (1703 - PC)
    (1709 - Microsoft Store for Business) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro Education > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
    (Microsoft Store for Business) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Enterprise > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
    (Microsoft Store for Business) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | > [!NOTE] > - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md) diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index 46541e996a..eb5de29561 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md 
@@ -30,7 +30,7 @@ If you are also migrating to a different edition of Windows, see [Windows 10 edi - **In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 General Availability Channel](/windows/release-health/release-information)** to Windows 10 LTSC is not supported. Windows 10 LTSC 2015 did not block this in-place upgrade path. This issue was corrected in the Windows 10 LTSC 2016 release, which only allows data-only and clean install options. - You can upgrade from Windows 10 LTSC to Windows 10 General Availability Channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch, the option **Keep personal files and apps** option is grayed out. The command line would be `setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx`, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be `setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43`. + You can upgrade from Windows 10 LTSC to Windows 10 General Availability Channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch, the option **Keep personal files and apps** option is grayed out. The command line would be `setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx`, using your relevant Windows 10 GA Channel product key. For example, if using a KMS, the command line would be `setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43`. 
- **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process. diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index bc01a30400..7dbed8bc97 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md 
@@ -51,11 +51,11 @@ Azure AD groups synced up from: To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites: -- Windows 10/11 64-bit Enterprise edition 1809+. -- Either hybrid or Azure AD joined (personal devices aren't supported). +- [Supported Windows 10/11 Enterprise and Professional edition versions](/windows/release-health/supported-versions-windows-client) +- Either [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported). - Managed by Microsoft Endpoint Manager. - - Microsoft Endpoint Manager-Intune or Microsoft Endpoint Manager-Configuration Manager Co-management. - - Microsoft Endpoint Manager-Configuration Manager Co-management workloads swung over to Microsoft Endpoint Manager-Intune (either set to Pilot Intune or Intune). + - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) or [Co-management](/prepare/windows-autopatch-prerequisites.md#co-management-requirements). + - [Switch Microsoft Endpoint Manager-Configuration Manager Co-management workloads to Microsoft Endpoint Manager-Intune](/mem/configmgr/comanage/how-to-switch-workloads) (either set to Pilot Intune or Intune). This includes the following workloads: - Windows updates policies - Device configuration - Office Click-to-run diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md index 658420e146..2175c45a94 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md 
@@ -57,9 +57,12 @@ Updates are required by your system admin are blocked by one or more apps. Offic Alternatively, users can select **Update now** to apply the updates. The user is then prompted to close all open Office programs. After the updates are applied, the message disappears. -If the deadline arrives and the updates still aren't applied, users see a dialog box that warns them that they have 15 minutes before the updates are applied. +When the deadline arrives and the updates still aren't applied, users will: -This warning gives users 15 minutes to save and close any work. When the countdown reaches 00∶00, any open Office programs are closed, and the updates are applied. +1. See a dialog box that warns them that they have 15 minutes before the updates are applied. +1. Have 15 minutes to save and close any work. + +When the countdown reaches 00∶00, any open Office programs are closed, and the updates are applied. ### Office client app configuration 
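Review bot: the numbered list added in windows-autopatch-microsoft-365-apps-enterprise.md splits one event into two steps. "See a dialog box that warns them that they have 15 minutes before the updates are applied" and "Have 15 minutes to save and close any work" describe the same countdown, and the user performs nothing in sequence. A single sentence would be clearer, for example: "users see a dialog box warning that they have 15 minutes to save and close any work before the updates are applied."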
@@ -99,7 +102,9 @@ Window Autopatch deploys mobile device management (MDM) policies to configure Mi ## Microsoft 365 Apps servicing profiles -A service profile takes precedence over other management tools, such as Microsoft Endpoint Manager or the Office Deployment Tool. This means that the servicing profile will affect all devices that meet the above requirements regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management. +A service profile takes precedence over other management tools, such as Microsoft Endpoint Manager or the Office Deployment Tool. This means that the servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management. + +However, the device may still be eligible for other managed updates. For more information about a device's eligibility for a given [update type](windows-autopatch-update-management.md#update-types), see the Device eligibility section of each respective update type. ## Incidents and outages diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md index a157492b2c..ac151e3512 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md 
@@ -48,7 +48,7 @@ When a device is enrolled into the Windows Autopatch service, the device is assi | Ring | Default device count | Description | ----- | ----- | ----- | | Test | zero | Windows Autopatch doesn't automatically add devices to this ring. You must manually add devices to the Test ring. The recommended number of devices in this ring, based upon your environment size, is as follows:
    • 0–500 devices: minimum one device
    • 500–5000 devices: minimum five devices
    • 5000+ devices: min 50 devices
    Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | -| First | 1% | The First ring is the first group of production users to receive a change.

    This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all customers. For example, we can generate a statistically significant signal saying that critical errors are trending up in a specific release for all customers but can't be confident that it's doing so in your environment.

    Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this ring might experience outages if there are scenarios that weren't covered during testing in the Test ring. | +| First | 1% | The First ring is the first group of production users to receive a change.

    This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all customers. For example, we can generate a statistically significant signal saying that critical errors are trending up in a specific release for all customers but can't be confident that it's doing so in your environment.

    Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this ring might experience outages if there are scenarios that weren't covered during testing in the Test ring.| | Fast | 9% | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.

    The goal with this ring is to cross the 500-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.

    | | Broad | 90% | The Broad ring is the last group of users to receive changes. Since it contains most of the devices enrolled in Windows Autopatch, it favors stability over speed in deployment.| diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 31785f6f55..2c496594e3 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -18,7 +18,7 @@ sections: questions: - question: What Windows versions are supported? answer: | - Windows Autopatch works with all [supported versions of Windows 10 and Windows 11 Enterprise edition](/windows/release-health/supported-versions-windows-client). + Windows Autopatch works with all [supported versions of Windows 10 and Windows 11](/windows/release-health/supported-versions-windows-client) Enterprise and Professional editions. - question: What is the difference between Windows Update for Business and Windows Autopatch? answer: | Windows Autopatch is a service that removes the need for organizations to plan and operate the update process. Windows Autopatch moves the burden from your IT to Microsoft. Windows Autopatch uses [Windows Update for Business](/windows/deployment/update/deployment-service-overview) and other service components to update devices. Both are part of Windows Enterprise E3. 
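Review bot: the answer to "What Windows versions are supported?" in windows-autopatch-faq.yml now says "Enterprise and Professional editions", while the edition list this same patch adds to windows-autopatch-prerequisites.md names "Windows 10/11 Pro" and "Windows 10/11 Pro for Workstations". Use the same edition names in both places and say here whether Pro for Workstations is covered. The unchanged answer just below still states that both services "are part of Windows Enterprise E3", which should be checked now that Pro editions are listed as supported.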
@@ -38,7 +38,7 @@ sections: questions: - question: What are the prerequisites for Windows Autopatch? answer: | - - [Supported Windows 10/11 Enterprise edition versions](/windows/release-health/supported-versions-windows-client) + - [Supported Windows 10/11 Enterprise and Professional edition versions](/windows/release-health/supported-versions-windows-client) - [Azure Active Directory (Azure AD) Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses) - [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md index 56770f8dd7..b9f8c7b372 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md @@ -38,7 +38,7 @@ This setting must be turned on to avoid a "lack of permissions" error when we in | ----- | ----- | | Not ready | Allow access to unlicensed admins should be turned on. Without this setting enabled, errors can occur when we try to access your Azure AD organization for service. You can safely enable this setting without worrying about security implications. The scope of access is defined by the roles assigned to users, including our operations staff.

    For more information, see [Unlicensed admins](/mem/intune/fundamentals/unlicensed-admins). | -### Windows 10 update rings +### Update rings for Windows 10 or later Your "Windows 10 update ring" policy in Intune must not target any Windows Autopatch devices. diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index c8b35d5a1c..3d918f7629 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md @@ -35,7 +35,9 @@ Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. The fol The following Windows 64-bit editions are required for Windows Autopatch: +- Windows 10/11 Pro - Windows 10/11 Enterprise +- Windows 10/11 Pro for Workstations ## Co-management requirements diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index f0e2079b1c..b942f83a14 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -396,7 +396,7 @@ For the purposes of this demo, select **All** under the **MDM user scope** and s ## Register your VM -Your VM (or device) can be registered either via Intune or Microsoft Store for Business (MSfB). Both processes are shown here, but *only pick one* for the purposes of this lab. It's highly recommended that you use Intune rather than MSfB. +Your VM (or device) can be registered either via Intune or Microsoft Store for Business (MSfB). Both processes are shown here, but *only pick one* for the purposes of this lab. It's highly recommended that you use Intune rather than Microsoft Store for Business. ### Autopilot registration using Intune 
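Review bot: the first sentence under "Register your VM" in demonstrate-deployment-on-vm.md still introduces the abbreviation with "Microsoft Store for Business (MSfB)", but this hunk spells the name out in the only other place the paragraph used it. Drop the "(MSfB)" parenthetical unless the rest of the article still relies on the abbreviation.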
@@ -430,7 +430,7 @@ Optional: see the following video for an overview of the process. > [!video https://www.youtube.com/embed/IpLIZU_j7Z0] -First, you need a MSfB account. You can use the same one you created above for Intune, or follow [these instructions](/microsoft-store/windows-store-for-business-overview) to create a new one. +First, you need a Microsoft Store for Business account. You can use the same one you created above for Intune, or follow [these instructions](/microsoft-store/windows-store-for-business-overview) to create a new one. Next, to sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) with your test account, select **Sign in** on the upper-right-corner of the main page. 
@@ -445,16 +445,16 @@ Select the **Add devices** link to upload your CSV file. A message appears that ## Create and assign a Windows Autopilot deployment profile > [!IMPORTANT] -> Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB. Both processes are shown here, but only *pick one for the purposes of this lab*: +> Autopilot profiles can be created and assigned to your registered VM or device either through Intune or Microsoft Store for Business. Both processes are shown here, but only *pick one for the purposes of this lab*: Pick one: - [Create profiles using Intune](#create-a-windows-autopilot-deployment-profile-using-intune) -- [Create profiles using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb) +- [Create profiles using Microsoft Store for Business](#create-a-windows-autopilot-deployment-profile-using-msfb) ### Create a Windows Autopilot deployment profile using Intune > [!NOTE] -> Even if you registered your device in MSfB, it still appears in Intune. Although, you might have to **sync** and then **refresh** your device list. +> Even if you registered your device in Microsoft Store for Business, it still appears in Intune. Although, you might have to **sync** and then **refresh** your device list. ![Devices.](images/enroll4.png) 
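Review bot: The second "Pick one" link is now labelled `Create profiles using Microsoft Store for Business`, but its target is still `#create-a-windows-autopilot-deployment-profile-using-msfb`. That anchor only resolves while the target heading keeps "MSfB" in its text, and none of the hunks shown for this file touch that heading, so the page is left with a heading that uses the abbreviation this change removes everywhere else. If the heading is renamed to match, this anchor has to be updated with it.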
@@ -533,13 +533,13 @@ Select **OK**, and then select **Create**. If you already created and assigned a profile via Intune with the steps immediately above, then skip this section. -A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in MSfB. These steps are also summarized below. +A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in Microsoft Store for Business. These steps are also summarized below. First, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/manage/dashboard) using the Intune account you initially created for this lab. Select **Manage** from the top menu, then select **Devices** from the left navigation tree. -![MSfB manage.](images/msfb-manage.png) +![Microsoft Store for Business manage.](images/msfb-manage.png) Select the **Windows Autopilot Deployment Program** link in the **Devices** tile. @@ -548,17 +548,17 @@ To CREATE the profile: Select your device from the **Devices** list: > [!div class="mx-imgBorder"] -> ![MSfB create step 1.](images/msfb-create1.png) +> ![Microsoft Store for Business create step 1.](images/msfb-create1.png) On the Autopilot deployment dropdown menu, select **Create new profile**: > [!div class="mx-imgBorder"] -> ![MSfB create step 2.](images/msfb-create2.png) +> ![Microsoft Store for Business create step 2.](images/msfb-create2.png) Name the profile, choose your desired settings, and then select **Create**: > [!div class="mx-imgBorder"] -> ![MSfB create step 3.](images/msfb-create3.png) +> ![Microsoft Store for Business create step 3.](images/msfb-create3.png) The new profile is added to the Autopilot deployment list. 
@@ -567,12 +567,12 @@ To ASSIGN the profile: To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab. Then, select the profile you want to assign from the **Autopilot deployment** dropdown menu, as shown: > [!div class="mx-imgBorder"] -> ![MSfB assign step 1.](images/msfb-assign1.png) +> ![Microsoft Store for Business assign step 1.](images/msfb-assign1.png) To confirm the profile was successfully assigned to the intended device, check the contents of the **Profile** column: > [!div class="mx-imgBorder"] -> ![MSfB assign step 2.](images/msfb-assign2.png) +> ![Microsoft Store for Business assign step 2.](images/msfb-assign2.png) > [!IMPORTANT] > The new profile is only applied if the device hasn't started and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device. 
@@ -609,7 +609,7 @@ Windows Autopilot takes over to automatically join your device into Azure AD and ## Remove devices from Autopilot -To use the device (or VM) for other purposes after completion of this lab, you need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found at [Enroll Windows devices in Intune by using Windows Autopilot](/intune/enrollment-autopilot#create-an-autopilot-device-group), [Remove devices by using wipe, retire, or manually unenrolling the device](/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal), and below. +To use the device (or VM) for other purposes after completion of this lab, you need to remove (deregister) it from Autopilot via either Intune or Microsoft Store for Business, and then reset it. Instructions for deregistering devices can be found at [Enroll Windows devices in Intune by using Windows Autopilot](/intune/enrollment-autopilot#create-an-autopilot-device-group), [Remove devices by using wipe, retire, or manually unenrolling the device](/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal), and below. ### Delete (deregister) Autopilot device diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index fe5f9e9510..c6ded941c3 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md 
@@ -1584,9 +1584,9 @@ The following fields are available: - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). - **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. - **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network. - **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUPauseState** Retrieves WU setting to determine if updates are paused. +- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused. - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). @@ -4281,7 +4281,7 @@ The following fields are available: - **DeviceModel** What is the device model. - **DeviceOEM** What OEM does this device belong to. - **DownloadPriority** The priority of the download activity. -- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events. +- **DownloadScenarioId** A unique ID for a given download used to tie together Windows Update and DO events. - **DriverPingBack** Contains information about the previous driver and system state. - **Edition** Indicates the edition of Windows being used. - **EventInstanceID** A globally unique identifier for event instance. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index f20bf940f2..8df5ccd434 100644 
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -1681,9 +1681,9 @@ The following fields are available: - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). - **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. - **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update(WU) updates to other devices on the same network. - **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUPauseState** Retrieves WU setting to determine if updates are paused. +- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused. - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index fc82f5a509..14bed98da4 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md 
@@ -1829,9 +1829,9 @@ The following fields are available: - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). - **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. - **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network. - **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUPauseState** Retrieves WU setting to determine if updates are paused. +- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused. - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). 
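Review bot: The rewritten `WUDODownloadMode` line still runs two sentences together: `how to acquire/distribute updates Delivery Optimization (DO) allows users` has no period after "updates". Since the line is being edited anyway, split it there. The line also introduces `(WU)` one entry before `WUMachineId` introduces it again, and the same line in the 1709 file was changed to `Windows Update(WU)` without the space, so the per-version copies of this list no longer match.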
@@ -6126,7 +6126,7 @@ This event sends data regarding OS Updates and Upgrades from Windows 7.X, Window The following fields are available: - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **HostOSBuildNumber** The build number of the previous operating system. - **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). - **InstanceId** Unique GUID that identifies each instance of setuphost.exe. @@ -8188,7 +8188,7 @@ This event sends data specific to the FixAppXReparsePoints mitigation used for O The following fields are available: -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FlightId** Unique identifier for each flight. - **InstanceId** Unique GUID that identifies each instances of setuphost.exe. - **MitigationScenario** The update scenario in which the mitigation was executed. 
@@ -8210,7 +8210,7 @@ This event sends data specific to the FixupEditionId mitigation used for OS upda The following fields are available: -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **EditionIdUpdated** Determine whether EditionId was changed. - **FlightId** Unique identifier for each flight. - **InstanceId** Unique GUID that identifies each instances of setuphost.exe. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index e660f2df49..406fa55f82 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md 
@@ -2574,9 +2574,9 @@ The following fields are available: - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). - **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. - **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network. - **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUPauseState** Retrieves WU setting to determine if updates are paused. +- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused. - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). @@ -4236,7 +4236,7 @@ The following fields are available: - **FlightId** The ID of the Windows Insider build the device received. - **InstallDate** The date the driver was installed. - **InstallFlags** The driver installation flags. -- **OptionalData** Metadata specific to WU (Windows Update) associated with the driver (flight IDs, recovery IDs, etc.) +- **OptionalData** Metadata specific to Windows Update (WU) associated with the driver (flight IDs, recovery IDs, etc.) - **RebootRequired** Indicates whether a reboot is required after the installation. - **RollbackPossible** Indicates whether this driver can be rolled back. - **WuTargetedHardwareId** Indicates that the driver was installed because the device hardware ID was targeted by the Windows Update. 
@@ -7554,7 +7554,7 @@ This event sends data regarding OS Updates and Upgrades from Windows 7.X, Window The following fields are available: - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **HostOSBuildNumber** The build number of the previous operating system. - **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). - **InstanceId** Unique GUID that identifies each instance of setuphost.exe. @@ -9816,7 +9816,7 @@ This event sends data specific to the FixAppXReparsePoints mitigation used for O The following fields are available: -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FlightId** Unique GUID that identifies each instances of setuphost.exe. - **InstanceId** Unique GUID that identifies each instances of setuphost.exe. - **MitigationScenario** The update scenario in which the mitigation was executed. 
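Review bot: In the FixAppXReparsePoints hunk for the 1809 file, the context line for `FlightId` reads `Unique GUID that identifies each instances of setuphost.exe`, which is the `InstanceId` description from the line below it. The other event lists in this patch describe `FlightId` as `Unique identifier for each flight`. Worth correcting in the same pass, since the adjacent `ClientId` line is already being edited.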
@@ -9838,7 +9838,7 @@ This event sends data specific to the FixupEditionId mitigation used for OS upda The following fields are available: -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **EditionIdUpdated** Determine whether EditionId was changed. - **FlightId** Unique identifier for each flight. - **InstanceId** Unique GUID that identifies each instances of setuphost.exe. @@ -9861,7 +9861,7 @@ This event sends data specific to the FixupWimmountSysPath mitigation used for O The following fields are available: -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FlightId** Unique identifier for each flight. - **ImagePathDefault** Default path to wimmount.sys driver defined in the system registry. - **ImagePathFixedup** Boolean indicating whether the wimmount.sys driver path was fixed by this mitigation. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 2dd8d27ae5..fc4d236e62 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md 
@@ -2775,10 +2775,10 @@ The following fields are available: - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). - **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. - **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network. - **WULCUVersion** Version of the LCU Installed on the machine. - **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUPauseState** Retrieves WU setting to determine if updates are paused. +- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused. - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). @@ -4337,7 +4337,7 @@ The following fields are available: - **FlightId** The ID of the Windows Insider build the device received. - **InstallDate** The date the driver was installed. - **InstallFlags** The driver installation flags. -- **OptionalData** Metadata specific to WU (Windows Update) associated with the driver (flight IDs, recovery IDs, etc.) +- **OptionalData** Metadata specific to Windows Update (WU) associated with the driver (flight IDs, recovery IDs, etc.) - **RebootRequired** Indicates whether a reboot is required after the installation. - **RollbackPossible** Indicates whether this driver can be rolled back. - **WuTargetedHardwareId** Indicates that the driver was installed because the device hardware ID was targeted by the Windows Update. 
@@ -7722,7 +7722,7 @@ This event sends data regarding OS Updates and Upgrades from Windows 7.X, Window The following fields are available: - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **HostOSBuildNumber** The build number of the previous operating system. - **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). - **InstanceId** Unique GUID that identifies each instance of setuphost.exe. @@ -9395,7 +9395,7 @@ The following fields are available: - **updaterCmdLine** The command line requested by the updater. - **updaterId** The ID of the updater that requested the work. -- **wuDeviceid** WU device ID. +- **wuDeviceid** Windows Update device ID. ### Microsoft.Windows.Update.Orchestrator.UniversalOrchestratorScheduleWorkNonSystem 
@@ -9840,7 +9840,7 @@ This event sends data specific to the FixAppXReparsePoints mitigation used for O The following fields are available: -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FlightId** Unique identifier for each flight. - **InstanceId** Unique GUID that identifies each instances of setuphost.exe. - **MitigationScenario** The update scenario in which the mitigation was executed. @@ -9862,7 +9862,7 @@ This event sends data specific to the FixupEditionId mitigation used for OS upda The following fields are available: -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **EditionIdUpdated** Determine whether EditionId was changed. - **FlightId** Unique identifier for each flight. - **InstanceId** Unique GUID that identifies each instances of setuphost.exe. 
@@ -9885,7 +9885,7 @@ This event sends data specific to the FixupWimmountSysPath mitigation used for O The following fields are available: -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FlightId** Unique identifier for each flight. - **ImagePathDefault** Default path to wimmount.sys driver defined in the system registry. - **ImagePathFixedup** Boolean indicating whether the wimmount.sys driver path was fixed by this mitigation. diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md index c867fe681a..ee2bf8af2f 100644 --- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md +++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md @@ -119,7 +119,7 @@ Collects Office metadata through UTC to compare with equivalent data collected t Applicable to all Win32 applications. Helps us understand the status of the update process of the office suite (Success or failure with error details). - **build:** App version -- **channel:** Is this part of SAC or SAC-T? +- **channel:** Is this part of GA Channel or SAC-T? - **errorCode:** What error occurred during the upgrade process? - **errorMessage:** what was the error message during the upgrade process? - **status:** Was the upgrade successful or not? 
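Review bot: The `channel` line replaces only one of its two abbreviations: `Is this part of GA Channel or SAC-T?` leaves `SAC-T` as it was, so the sentence now mixes the new name with the old one. Replace or spell out `SAC-T` in the same edit, and add the article ("the GA Channel") if the new term stays.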
@@ -355,14 +355,14 @@ The following fields are available: Initialization of Explorer is complete. ## Microsoft-Windows-Security-EFS-EDPAudit-ApplicationLearning.EdpAuditLogApplicationLearning -For a device subject to Windows Information Protection policy, learning events are generated when an app encounters a policy boundary (for example, trying to open a work document from a personal app). These events help the WIP administrator tune policy rules and prevent unnecessary user disruption. +For a device subject to Windows Information Protection policy, learning events are generated when an app encounters a policy boundary (for example, trying to open a work document from a personal app). These events help the Windows Information Protection administrator tune policy rules and prevent unnecessary user disruption. The following fields are available: - **actiontype:** Indicates what type of resource access the app was attempting (for example, opening a local document vs. a network resource) when it encountered a policy boundary. Useful for Windows Information Protection administrators to tune policy rules. - **appIdType:** Based on the type of application, this field indicates what type of app rule a Windows Information Protection administrator would need to create for this app. - **appname:** App that triggered the event -- **status:** Indicates whether errors occurred during WIP learning events +- **status:** Indicates whether errors occurred during Windows Information Protection learning events ## Win32kTraceLogging.AppInteractivitySummary Summarizes which app windows are being used (for example, have focus) to help Microsoft improve compatibility and user experience. Also helps organizations (by using Desktop Analytics) to understand and improve application reliability on managed devices. 
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index f12658e2d0..b4ba7be281 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -84,7 +84,7 @@ For Windows 10 and Windows 11, the following MDM policies are available in the [ 1. MDM Policy: [Notifications/DisallowTileNotification](/windows/client-management/mdm/policy-csp-notifications). This policy setting turns off tile notifications. If you enable this policy setting applications and system features will not be able to update their tiles and tile badges in the Start screen. **Integer value 1** 1. **Mail synchronization** - 1. MDM Policy: [Accounts/AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection). Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. **Set to 0 (zero)** + 1. MDM Policy: [Accounts/AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection). Specifies whether the user is allowed to use an Microsoft account for non-email related connection authentication and services. **Set to 0 (zero)** 1. **Microsoft Account** 1. MDM Policy: [Accounts/AllowMicrosoftAccountSignInAssistant](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountsigninassistant). Disable the Microsoft Account Sign-In Assistant. **Set to 0 (zero)** 
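Review bot: The changed `Accounts/AllowMicrosoftAccountConnection` line now reads `allowed to use an Microsoft account`; the article was right for "an MSA account" but has to become "a" with the spelled-out name. The next list item in the context is still titled `**Microsoft Account**` with a capital A, so the casing of the term differs within three lines.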
diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md index 084f8f8a9e..49191ee0d4 100644 --- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md +++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md @@ -2292,10 +2292,10 @@ The following fields are available: - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). - **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. - **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network. - **WULCUVersion** Version of the LCU Installed on the machine. - **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUPauseState** Retrieves WU setting to determine if updates are paused. +- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused. - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). 
@@ -6022,7 +6022,7 @@ This event sends data regarding OS Updates and Upgrades from Windows 7.X, Window The following fields are available: - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **HostOSBuildNumber** The build number of the previous operating system. - **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). - **InstanceId** Unique GUID that identifies each instance of setuphost.exe. @@ -6789,7 +6789,7 @@ The following fields are available: - **freeDiskSpaceInMB** Amount of free disk space. - **interactive** Informs if this action is caused due to user interaction. - **priority** The CPU and IO priority this action is being performed on. -- **provider** The provider that is being invoked to perform this action (WU, Legacy UO Provider etc.). +- **provider** The provider that is being invoked to perform this action (Windows Update , Legacy UO Provider etc.). - **update** Update related metadata including UpdateId. - **uptimeMinutes** Duration USO for up for in the current boot session. - **wilActivity** Wil Activity related information. 
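Review bot: In the `provider` line the replacement leaves a stray space before the comma: `(Windows Update , Legacy UO Provider etc.)`. It should read `(Windows Update, Legacy UO Provider, etc.)`.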
@@ -6988,7 +6988,7 @@ The following fields are available: - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. - **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). - **DeferredUpdates** UpdateIds which are currently being deferred until a later time. -- **DriverExclusionPolicy** Indicates if policy for not including drivers with WU updates is enabled. +- **DriverExclusionPolicy** Indicates if policy for not including drivers with Windows Update (WU) updates is enabled. - **DriverSyncPassPerformed** A flag indicating whether the driver sync is performed in a update scan. - **EventInstanceID** A globally unique identifier for event instance. - **ExcludedUpdateClasses** Update classifications being excluded via policy. @@ -8139,7 +8139,7 @@ This event sends data specific to the FixAppXReparsePoints mitigation used for O The following fields are available: -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FlightId** Unique identifier for each flight. - **InstanceId** Unique GUID that identifies each instances of setuphost.exe. - **MitigationScenario** The update scenario in which the mitigation was executed. 
@@ -8161,7 +8161,7 @@ This event sends data specific to the FixupWimmountSysPath mitigation used for O The following fields are available: -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FlightId** Unique identifier for each flight. - **ImagePathDefault** Default path to wimmount.sys driver defined in the system registry. - **ImagePathFixedup** Boolean indicating whether the wimmount.sys driver path was fixed by this mitigation. diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index b37678708d..d075c45196 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md 
@@ -2305,10 +2305,10 @@ The following fields are available: - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). - **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. - **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network. - **WULCUVersion** Version of the LCU Installed on the machine. - **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUPauseState** Retrieves WU setting to determine if updates are paused. +- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused. - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 7d7f56a09d..2871ffa4fd 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml 
@@ -192,19 +192,19 @@ - name: Overview href: threat-protection/index.md - name: Microsoft Defender Antivirus - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows + href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows - name: Attack surface reduction rules - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction + href: /microsoft-365/security/defender-endpoint/attack-surface-reduction - name: Tamper protection - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection + href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection - name: Network protection - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/network-protection + href: /microsoft-365/security/defender-endpoint/network-protection - name: Controlled folder access - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders + href: /microsoft-365/security/defender-endpoint/controlled-folders - name: Exploit protection - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exploit-protection + href: /microsoft-365/security/defender-endpoint/exploit-protection - name: Microsoft Defender for Endpoint - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint + href: /microsoft-365/security/defender-endpoint - name: More Windows security items: - name: Override Process Mitigation Options to help enforce app-related security policies @@ -394,7 +394,7 @@ - name: Overview href: cloud.md - name: Mobile device management - href: https://docs.microsoft.com/windows/client-management/mdm/ + href: /windows/client-management/mdm/ - name: Windows 365 Cloud PCs href: /windows-365/overview - name: Azure Virtual Desktop 
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index a5041cd575..b63bf80703 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md 
@@ -28,45 +28,44 @@ ms.custom: - Windows Server 2019 - Windows Server 2022 - ## Enable Windows Defender Credential Guard -Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard [hardware readiness tool](dg-readiness-tool.md). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. -The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines. +Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the [Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard hardware readiness tool](#enable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. +The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines. ### Enable Windows Defender Credential Guard by using Group Policy You can use Group Policy to enable Windows Defender Credential Guard. This will add and enable the virtualization-based security features for you if needed. -1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**. +1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**. -2. 
Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option. +1. Select **Turn On Virtualization Based Security**, and then select the **Enabled** option. -3. In the **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**. +1. In the **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**. -4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**. +1. In the **Credential Guard Configuration** box, select **Enabled with UEFI lock**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**. -5. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. Check [this article](../../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) for more details. +1. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. For more information, see [System Guard Secure Launch and SMM protection](../../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md). - ![Windows Defender Credential Guard Group Policy setting.](images/credguard-gp-2.png) + :::image type="content" source="images/credguard-gp.png" alt-text="Windows Defender Credential Guard Group Policy setting."::: -6. Close the Group Policy Management Console. +1. Select **OK**, and then close the Group Policy Management Console. -To enforce processing of the group policy, you can run ```gpupdate /force```. +To enforce processing of the group policy, you can run `gpupdate /force`. ### Enable Windows Defender Credential Guard by using Intune -1. From **Home**, click **Microsoft Intune**. +1. 
From **Home**, select **Microsoft Intune**. -2. Click **Device configuration**. +1. Select **Device configuration**. -3. Click **Profiles** > **Create Profile** > **Endpoint protection** > **Windows Defender Credential Guard**. +1. Select **Profiles** > **Create Profile** > **Endpoint protection** > **Windows Defender Credential Guard**. - > [!NOTE] - > It will enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock. + > [!NOTE] + > It will enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock. > [!TIP] -> You can also configure Credential Guard by using an account protection profile in endpoint security. See [Account protection policy settings for endpoint security in Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings). +> You can also configure Credential Guard by using an account protection profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings). ### Enable Windows Defender Credential Guard by using the registry 
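Review bot: Step 4 of the Group Policy procedure now tells the reader to select **Enabled with UEFI lock** without saying what the lock commits them to. The Disable section of this same file states that a UEFI-locked configuration is persisted in EFI (firmware) variables and needs physical presence at the machine to undo; one sentence, or a link to that section, at step 4 would let admins choose between the two options knowingly. Separately, the re-indented Intune note still opens with "It will enable VBS and Secure Boot" with no antecedent for "It"; name the profile setting.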
@@ -82,72 +81,68 @@ You can do this by using either the Control Panel or the Deployment Image Servic > [!NOTE] > If you enable Windows Defender Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you. - -**Add the virtualization-based security features by using Programs and Features** +##### Add the virtualization-based security features by using Programs and Features -1. Open the Programs and Features control panel. +1. Open the Programs and Features control panel. -2. Click **Turn Windows feature on or off**. +1. Select **Turn Windows feature on or off**. -3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. +1. Go to **Hyper-V** > **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. -4. Select the **Isolated User Mode** check box at the top level of the feature selection. +1. Select the **Isolated User Mode** check box at the top level of the feature selection. -5. Click **OK**. +1. Select **OK**. -**Add the virtualization-based security features to an offline image by using DISM** +##### Add the virtualization-based security features to an offline image by using DISM -1. Open an elevated command prompt. +1. Open an elevated command prompt. -2. Add the Hyper-V Hypervisor by running the following command: +1. Add the Hyper-V Hypervisor by running the following command: - ```console - dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all - ``` - -3. Add the Isolated User Mode feature by running the following command: + ```cmd + dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all + ``` - ```console - dism /image: /Enable-Feature /FeatureName:IsolatedUserMode - ``` - - > [!NOTE] - > In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. 
Running the command in step 3 above is therefore no longer required. +1. Add the Isolated User Mode feature by running the following command: + + ```cmd + dism /image: /Enable-Feature /FeatureName:IsolatedUserMode + ``` + + > [!NOTE] + > In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required. > [!TIP] > You can also add these features to an online image by using either DISM or Configuration Manager. #### Enable virtualization-based security and Windows Defender Credential Guard -1. Open Registry Editor. +1. Open Registry Editor. -2. Enable virtualization-based security: +1. Enable virtualization-based security: - 1. Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard. - - 1. Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it. - - 1. Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**. + 1. Go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`. -3. Enable Windows Defender Credential Guard: + 1. Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it. - 1. Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA. - - 1. Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it. + 1. Add a new DWORD value named **RequirePlatformSecurityFeatures**. 
Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**. -4. Close Registry Editor. +1. Enable Windows Defender Credential Guard: + 1. Go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`. + + 1. Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it. + +1. Close Registry Editor. > [!NOTE] > You can also enable Windows Defender Credential Guard by setting the registry entries in the [FirstLogonCommands](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-firstlogoncommands) unattend setting. - - ### Enable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard hardware readiness tool You can also enable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). -```console +```cmd DG_Readiness_Tool.ps1 -Enable -AutoReboot ``` 
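Review bot: Both DISM commands are carried over with nothing after `/image:` (`dism /image: /Enable-Feature /FeatureName:...`), so they are not runnable as written. While re-indenting them, restore a placeholder for the offline image path and say in the step text what it stands for. The note under the second command refers to "the command in step 3 above"; with every item now written as `1.` in the source, that reference only holds in rendered output, so naming the feature ("the Isolated User Mode command") would be more robust. At the end of the hunk the script is called `DG_Readiness_Tool.ps1`, while the later sections of this file call it `DG_Readiness_Tool_v3.6.ps1`; use one name throughout.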
@@ -158,24 +153,21 @@ DG_Readiness_Tool.ps1 -Enable -AutoReboot ### Review Windows Defender Credential Guard performance -**Is Windows Defender Credential Guard running?** +#### Is Windows Defender Credential Guard running? You can view System Information to check that Windows Defender Credential Guard is running on a PC. -1. Click **Start**, type **msinfo32.exe**, and then click **System Information**. +1. Select **Start**, type **msinfo32.exe**, and then select **System Information**. -2. Click **System Summary**. +1. Select **System Summary**. -3. Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Running**. +1. Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Running**. - Here's an example: - - > [!div class="mx-imgBorder"] - > ![System Information.](images/credguard-msinfo32.png) + :::image type="content" source="images/credguard-msinfo32.png" alt-text="The 'Virtualization-based security Services Running' entry lists Credential Guard in System Information (msinfo32.exe)."::: You can also check that Windows Defender Credential Guard is running by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). -```console +```cmd DG_Readiness_Tool_v3.6.ps1 -Ready ``` 
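Review bot: `DG_Readiness_Tool_v3.6.ps1 -Ready` is a PowerShell script, so retagging its fence from `console` to `cmd` labels it with the wrong shell; use `powershell`, as the `Get-CimInstance` block later in this file already does. The same applies to the `DG_Readiness_Tool.ps1 -Enable -AutoReboot` block at the end of the previous hunk.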
@@ -187,63 +179,65 @@ DG_Readiness_Tool_v3.6.ps1 -Ready > [!NOTE] > For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features. -- We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard will not help to secure a device or identity that has already been compromised, which is why we recommend turning on Credential Guard as early as possible. +- We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard will not help to secure a device or identity that has already been compromised, which is why we recommend turning on Credential Guard as early as possible. -- You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: +- You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: - - **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials. - - - **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: \[**0x0** \| **0x1** \| **0x2**\], **0** - - - The first variable: **0x1** or **0x2** means that Windows Defender Credential Guard is configured to run. **0x0** means that it's not configured to run. - - - The second variable: **0** means that it's configured to run in protect mode. 
**1** means that it's configured to run in test mode. This variable should always be **0**. - - - **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Windows Defender Credential Guard. - - - **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\] - - - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] - - - You can also verify that TPM is being used for key protection by checking **Event ID 51** in *Applications and Services logs → Microsoft → Windows → Kernel-Boot* event log. The full event text will read like this: `VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.` If you are running with a TPM, the TPM PCR mask value will be something other than 0. - - - You can use Windows PowerShell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated PowerShell window and run the following command: - - ```powershell - (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning - ``` + - **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials. - This command generates the following output: - - - **0**: Windows Defender Credential Guard is disabled (not running) - - - **1**: Windows Defender Credential Guard is enabled (running) - - > [!NOTE] - > Checking the task list or Task Manager to see if LSAISO.exe is running is not a recommended method for determining whether Windows Defender Credential Guard is running. 
+ - **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: \[**0x0** \| **0x1** \| **0x2**\], **0** + + - The first variable: **0x1** or **0x2** means that Windows Defender Credential Guard is configured to run. **0x0** means that it's not configured to run. + + - The second variable: **0** means that it's configured to run in protect mode. **1** means that it's configured to run in test mode. This variable should always be **0**. + + - **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Windows Defender Credential Guard. + + - **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\] + + - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] + +- You can also verify that TPM is being used for key protection by checking **Event ID 51** in *Applications and Services logs > Microsoft > Windows > Kernel-Boot* event log. The full event text will read like this: `VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.` If you are running with a TPM, the TPM PCR mask value will be something other than 0. + +- You can use Windows PowerShell to determine whether credential guard is running on a client computer. 
On the computer in question, open an elevated PowerShell window and run the following command: + + ```powershell + (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning + ``` + + This command generates the following output: + + - **0**: Windows Defender Credential Guard is disabled (not running) + + - **1**: Windows Defender Credential Guard is enabled (running) + + > [!NOTE] + > Checking the task list or Task Manager to see if LSAISO.exe is running is not a recommended method for determining whether Windows Defender Credential Guard is running. ## Disable Windows Defender Credential Guard -To disable Windows Defender Credential Guard, you can use the following set of procedures or [the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool). If Credential Guard was enabled with UEFI Lock then you must use the following procedure as the settings are persisted in EFI (firmware) variables and it will require physical presence at the machine to press a function key to accept the change. If Credential Guard was enabled without UEFI Lock then you can turn it off by using Group Policy. +To disable Windows Defender Credential Guard, you can use the following set of procedures or the [HVCI and Windows Defender Credential Guard hardware readiness tool](#disable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool). If Credential Guard was enabled with UEFI Lock then you must use the following procedure as the settings are persisted in EFI (firmware) variables and it will require physical presence at the machine to press a function key to accept the change. If Credential Guard was enabled without UEFI Lock then you can turn it off by using Group Policy. -1. 
If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**). +1. If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**). -2. Delete the following registry settings: +1. Delete the following registry settings: - - HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags - - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\LsaCfgFlags + - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags` -3. If you also wish to disable virtualization-based security delete the following registry settings: + - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags` + +1. If you also wish to disable virtualization-based security delete the following registry settings: + + - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity` + + - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures` - - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity - - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures - > [!IMPORTANT] > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery. -4. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: +1. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. 
From an elevated command prompt, type the following commands: - ```console + ```cmd mountvol X: /s copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader 
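Review bot: The disable steps do not undo what the enable steps in this file set. The registry procedure earlier in the file creates **EnableVirtualizationBasedSecurity** and **RequirePlatformSecurityFeatures** under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`, but step 3 here lists only the values under `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard`. Given the IMPORTANT callout that leaving any of these settings behind can put the device into BitLocker recovery, either list the `SYSTEM\CurrentControlSet\Control\DeviceGuard` values as well or state why they can stay.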
@@ -254,28 +248,26 @@ To disable Windows Defender Credential Guard, you can use the following set of p mountvol X: /d ``` -5. Restart the PC. +1. Restart the PC. -6. Accept the prompt to disable Windows Defender Credential Guard. +1. Accept the prompt to disable Windows Defender Credential Guard. -7. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard. +1. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard. > [!NOTE] > The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit commands after turning off all virtualization-based security Group Policy and registry settings: > - >```console - >bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS - >bcdedit /set vsmlaunchtype off - >``` + > ```cmd + > bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS + > bcdedit /set vsmlaunchtype off + > ``` For more info on virtualization-based security and HVCI, see [Enable virtualization-based protection of code integrity](../../threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md). > [!NOTE] > Credential Guard and Device Guard are not supported when using Azure Gen 1 VMs. These options are available with Gen 2 VMs only. - - -#### Disable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard hardware readiness tool +### Disable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard hardware readiness tool You can also disable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). 
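Review bot: Step 7 ("Alternatively, you can disable the virtualization-based security features...") is an alternative to the procedure, not an action taken after accepting the prompt in step 6, so it should not be a numbered step; move it below the list as its own paragraph. The NOTE that follows also mixes two unrelated points (one-time domain controller access for EFS-encrypted content, and the bcdedit commands for turning off virtualization-based security as well); splitting them would make the bcdedit block easier to find.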
@@ -288,7 +280,7 @@ DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot > > This is a known issue. -#### Disable Windows Defender Credential Guard for a virtual machine +### Disable Windows Defender Credential Guard for a virtual machine From the host, you can disable Windows Defender Credential Guard for a virtual machine: diff --git a/windows/security/identity-protection/credential-guard/images/credguard-gp-2.png b/windows/security/identity-protection/credential-guard/images/credguard-gp-2.png deleted file mode 100644 index ead9410405..0000000000 Binary files a/windows/security/identity-protection/credential-guard/images/credguard-gp-2.png and /dev/null differ diff --git a/windows/security/identity-protection/credential-guard/images/credguard-gp.png b/windows/security/identity-protection/credential-guard/images/credguard-gp.png index 827121f0fc..ad34b6deb3 100644 Binary files a/windows/security/identity-protection/credential-guard/images/credguard-gp.png and b/windows/security/identity-protection/credential-guard/images/credguard-gp.png differ diff --git a/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png b/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png index 46f838c8d2..c9737e3236 100644 Binary files a/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png and b/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png differ diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index fae8060193..cbaecf9da3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md 
@@ -48,7 +48,7 @@ The Windows Server 2016 or later domain controller is handling 100 percent of al ![dc-chart3.](images/plan/dc-chart3.png) -Upgrading another domain controller to Windows Server 2016 or later distributes the public key trust authentication across two domain controllers - each supporting 50 percent of the load. But it doesn't change the distribution of password and certificate trust authentication. Both Windows Server 2019 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2016 or later, but the number of WHFB clients remains the same. +Upgrading another domain controller to Windows Server 2016 or later distributes the public key trust authentication across two domain controllers - each supporting 50 percent of the load. But it doesn't change the distribution of password and certificate trust authentication. Both Windows Server 2019 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2016 or later, but the number of Windows Hello for Business clients remains the same. ![dc-chart4.](images/plan/dc-chart4.png) diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md index 187d42ad0f..b67d63f1b7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md 
@@ -125,7 +125,7 @@ Before you continue with the deployment, validate your deployment progress by re ## Add users to the Windows Hello for Business Users group -Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the WHFB Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business. +Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Windows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business. ## Follow the Windows Hello for Business on premises certificate trust deployment guide diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md index c059f9b372..f86f657b67 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md 
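Review bot: The changed sentence in hello-key-trust-policy-settings.md still reads "adding the group used synchronize users", which is missing "to". The line is already being rewritten to expand WHFB, so fix it in the same change: "adding the group used to synchronize users to the Windows Hello for Business Users group".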
@@ -1,16 +1,11 @@ --- -title: Breaking out of a Bitlocker recovery loop -description: This topic for IT professionals describes how to break out of a Bitlocker recovery loop. -ms.assetid: #c40f87ac-17d3-47b2-afc6-6c641f72ecee +title: Breaking out of a BitLocker recovery loop +description: This article for IT professionals describes how to break out of a BitLocker recovery loop. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -ms.author: v-maave -author: dansimp +author: aczechowski +ms.author: aaroncz manager: dansimp -audience: ITPro ms.collection: - M365-security-compliance - highpri @@ -19,11 +14,11 @@ ms.date: 10/28/2019 ms.custom: bitlocker --- -# Breaking out of a Bitlocker recovery loop +# Breaking out of a BitLocker recovery loop -Sometimes, following a crash, you might be unable to successfully boot into your operating system, due to the recovery screen repeatedly prompting you to enter your recovery key. This can be very frustrating. +Sometimes, following a crash, you might be unable to successfully boot into your operating system, due to the recovery screen repeatedly prompting you to enter your recovery key. This experience can be frustrating. -If you've entered the correct Bitlocker recovery key multiple times, and are still unable to continue past the initial recovery screen, follow these steps to break out of the loop. +If you've entered the correct BitLocker recovery key multiple times, and are still unable to continue past the initial recovery screen, follow these steps to break out of the loop. > [!NOTE] > Only try these steps after you have restarted your device at least once. diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md index 1220e20185..f7bfc44de4 100644 
--- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md +++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md @@ -50,7 +50,7 @@ This table includes all available attributes/elements for the **Log** element. T |Attribute/Element |Value type |Description | |----------|-----------|------------| |ProviderType |String |This is always **EDPAudit**. | -|LogType |String |Includes:

    • **DataCopied.** Work data is copied or shared to a personal location.
    • **ProtectionRemoved.** WIP protection is removed from a Work-defined file.
    • **ApplicationGenerated.** A custom audit log provided by an app.
    | +|LogType |String |Includes:
    • **DataCopied.** Work data is copied or shared to a personal location.
    • **ProtectionRemoved.** Windows Information Protection is removed from a Work-defined file.
    • **ApplicationGenerated.** A custom audit log provided by an app.
    | |TimeStamp |Int |Uses the [FILETIME structure](/windows/win32/api/minwinbase/ns-minwinbase-filetime) to represent the time that the event happened. | |Policy |String |How the work data was shared to the personal location:
    • **CopyPaste.** Work data was pasted into a personal location or app.
    • **ProtectionRemoved.** Work data was changed to be unprotected.
    • **DragDrop.** Work data was dropped into a personal location or app.
    • **Share.** Work data was shared with a personal location or app.
    • **NULL.** Any other way work data could be made personal beyond the options above. For example, when a work file is opened using a personal application (also known as, temporary access).
    | |Justification |String |Not implemented. This will always be either blank or NULL.

    **Note**
    Reserved for future use to collect the user justification for changing from **Work** to **Personal**. | @@ -160,7 +160,7 @@ Here are a few examples of responses from the Reporting CSP. ## Collect WIP audit logs by using Windows Event Forwarding (for Windows desktop domain-joined devices only) -Use Windows Event Forwarding to collect and aggregate your WIP audit events. You can view your audit events in the Event Viewer. +Use Windows Event Forwarding to collect and aggregate your Windows Information Protection audit events. You can view your audit events in the Event Viewer. **To view the WIP events in the Event Viewer** diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md index 8a0ecac521..fdbf865d8a 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md 
@@ -65,12 +65,12 @@ The **Configure Windows Information Protection settings** page appears, where yo ## Add app rules to your policy -During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. +During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through Windows Information Protection. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. >[!IMPORTANT] ->Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

    Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don't get this statement, it's possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. +>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

    Care must be taken to get a support statement from the software provider that their app is safe with Windows Information Protection before adding it to your **App rules** list. If you don't get this statement, it's possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. ### Add a store app rule to your policy For this example, we're going to add Microsoft OneNote, a store app, to the **App Rules** list. @@ -278,7 +278,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules** The file is imported and the apps are added to your **App Rules** list. ### Exempt apps from WIP restrictions -If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. +If you're running into compatibility issues where your app is incompatible with Windows Information Protection (WIP), but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. **To exempt a store app, a desktop app, or an AppLocker policy file app rule** diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index a1dba47f5e..21a45af6ca 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md 
@@ -37,7 +37,7 @@ Apps can be enlightened or unenlightened: - Windows **Save As** experiences only allow you to save your files as enterprise. -- **WIP-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions without device enrollment. Unenlightened apps that are targeted by WIP without enrollment run under personal mode. +- **Windows Information Protection-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions without device enrollment. Unenlightened apps that are targeted by WIP without enrollment run under personal mode. ## List of enlightened Microsoft apps Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following: 
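Review bot: Expanding the abbreviation inside the bolded term gives "Windows Information Protection-work only apps", which reads as a broken hyphenation and no longer matches the "List of WIP-work only apps from Microsoft" heading that the next hunk leaves unchanged. Keep "WIP-work only apps" as the defined term here, or rename it in both places. The same bullet still uses WIP twice after the change, so the expansion does not make the line consistent either.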
@@ -75,10 +75,10 @@ Microsoft has made a concerted effort to enlighten several of our more popular a - Microsoft To Do > [!NOTE] -> Microsoft Visio, Microsoft Office Access, Microsoft Project, and Microsoft Publisher are not enlightened apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioning. +> Microsoft Visio, Microsoft Office Access, Microsoft Project, and Microsoft Publisher are not enlightened apps and need to be exempted from Windows Information Protection policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioning. ## List of WIP-work only apps from Microsoft -Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with WIP and MAM solutions. +Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with Windows Information Protection and MAM solutions. - Skype for Business @@ -102,7 +102,7 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li | PowerPoint Mobile | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.Office.PowerPoint
    **App Type:** Universal app | | OneNote | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.Office.OneNote
    **App Type:** Universal app | | Outlook Mail and Calendar | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** microsoft.windowscommunicationsapps
    **App Type:** Universal app | -| Microsoft 365 Apps for enterprise and Office 2019 Professional Plus | Microsoft 365 Apps for enterprise and Office 2019 Professional Plus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for WIP.
    We don't recommend setting up Office by using individual paths or publisher rules. | +| Microsoft 365 Apps for enterprise and Office 2019 Professional Plus | Microsoft 365 Apps for enterprise and Office 2019 Professional Plus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for Windows Information Protection.
    We don't recommend setting up Office by using individual paths or publisher rules. | | Microsoft Photos | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.Windows.Photos
    **App Type:** Universal app | | Groove Music | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.ZuneMusic
    **App Type:** Universal app | | Microsoft Movies & TV | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.ZuneVideo
    **App Type:** Universal app | diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 5462ca7f17..18726f1c02 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -22,7 +22,7 @@ ms.localizationpriority: medium **Applies to:** - Windows 10, version 1607 and later -This following list provides info about the most common problems you might encounter while running WIP in your organization. +This following list provides info about the most common problems you might encounter while running Windows Information Protection in your organization. - **Limitation**: Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration. - **How it appears**: 
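Review bot: The added line in limitations-with-wip.md keeps the opening "This following list provides info", which is ungrammatical. The line is being touched anyway, so change it to "The following list provides info about the most common problems you might encounter while running Windows Information Protection in your organization."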
@@ -33,12 +33,12 @@ This following list provides info about the most common problems you might encou We strongly recommend educating employees about how to limit or eliminate the need for this decryption. -- **Limitation**: Direct Access is incompatible with WIP. - - **How it appears**: Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource. +- **Limitation**: Direct Access is incompatible with Windows Information Protection. + - **How it appears**: Direct Access might experience problems with how Windows Information Protection enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource. - **Workaround**: We recommend that you use VPN for client access to your intranet resources. > [!NOTE] - > VPN is optional and isn’t required by WIP. + > VPN is optional and isn’t required by Windows Information Protection. - **Limitation**: **NetworkIsolation** Group Policy setting takes precedence over MDM Policy settings. - **How it appears**: The **NetworkIsolation** Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured. 
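Review bot: The rewritten "How it appears" line for the Direct Access limitation mixes both forms in one sentence: "how Windows Information Protection enforces app behavior and data movement because of how WIP determines". Use one form per sentence. Since the limitation line directly above now spells the name out, "because of how it determines what is and isn’t a corporate network resource" avoids the repetition.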
@@ -48,7 +48,7 @@ This following list provides info about the most common problems you might encou - **How it appears**: If Cortana is on the allowed list, some files might become unexpectedly encrypted after an employee performs a search using Cortana. Your employees will still be able to use Cortana to search and provide results on enterprise documents and locations, but results might be sent to Microsoft. - **Workaround**: We don’t recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app. -- **Limitation**: WIP is designed for use by a single user per device. +- **Limitation**: Windows Information Protection is designed for use by a single user per device. - **How it appears**: A secondary user on a device might experience app compatibility issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user’s content can be revoked during the unenrollment process. - **Workaround**: We recommend only having one user per managed device. 
@@ -67,14 +67,14 @@ This following list provides info about the most common problems you might encou - **Limitation**: Changing your primary Corporate Identity isn’t supported. - **How it appears**: You might experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access. - - **Workaround**: Turn off WIP for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying. + - **Workaround**: Turn off Windows Information Protection for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying. -- **Limitation**: Redirected folders with Client-Side Caching are not compatible with WIP. +- **Limitation**: Redirected folders with Client-Side Caching are not compatible with Windows Information Protection. - **How it appears**: Apps might encounter access errors while attempting to read a cached, offline file. - **Workaround**: Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business. > [!NOTE] - > For more info about Work Folders and Offline Files, see the [Work Folders and Offline Files support for Windows Information Protection blog](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see [Can't open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip). + > For more info about Work Folders and Offline Files, see the [Work Folders and Offline Files support for Windows Information Protection blog](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). 
If you're having trouble opening files offline while using Offline Files and Windows Information Protection, see [Can't open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip). - **Limitation**: An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device. - **How it appears**: 
@@ -83,23 +83,23 @@ This following list provides info about the most common problems you might encou - Local **Work** data copied to the WIP-managed device remains **Work** data. - **Work** data that is copied between two apps in the same session remains ** data. - - **Workaround**: Disable RDP to prevent access because there is no way to restrict access to only devices managed by WIP. RDP is disabled by default. + - **Workaround**: Disable RDP to prevent access because there is no way to restrict access to only devices managed by Windows Information Protection. RDP is disabled by default. - **Limitation**: You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer. - **How it appears**: A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**. - **Workaround**: Open File Explorer and change the file ownership to **Personal** before you upload. - **Limitation**: ActiveX controls should be used with caution. - - **How it appears**: Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP. + - **How it appears**: Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using Windows Information Protection. - **Workaround**: We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology. For more info, see [Out-of-date ActiveX control blocking](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking). -- **Limitation**: Resilient File System (ReFS) isn't currently supported with WIP. - - **How it appears**:Trying to save or transfer WIP files to ReFS will fail. 
+- **Limitation**: Resilient File System (ReFS) isn't currently supported with Windows Information Protection. + - **How it appears**:Trying to save or transfer Windows Information Protection files to ReFS will fail. - **Workaround**: Format drive for NTFS, or use a different drive. -- **Limitation**: WIP isn’t turned on if any of the following folders have the **MakeFolderAvailableOfflineDisabled** option set to **False**: +- **Limitation**: Windows Information Protection isn’t turned on if any of the following folders have the **MakeFolderAvailableOfflineDisabled** option set to **False**: - AppDataRoaming - Desktop - StartMenu @@ -116,10 +116,10 @@ This following list provides info about the most common problems you might encou
    - - **How it appears**: WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager. + - **How it appears**: Windows Information Protection isn’t turned on for employees in your organization. Error code 0x807c0008 will result if Windows Information Protection is deployed by using Microsoft Endpoint Configuration Manager. - **Workaround**: Don’t set the **MakeFolderAvailableOfflineDisabled** option to **False** for any of the specified folders. You can configure this parameter, as described [Disable Offline Files on individual redirected folders](/windows-server/storage/folder-redirection/disable-offline-files-on-folders). - If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. + If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports Windows Information Protection, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after Windows Information Protection is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip). 
@@ -134,7 +134,7 @@ This following list provides info about the most common problems you might encou - **How it appears**: Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner. - **Workaround**: If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it. -- **Limitation**: OneNote notebooks on OneDrive for Business must be properly configured to work with WIP. +- **Limitation**: OneNote notebooks on OneDrive for Business must be properly configured to work with Windows Information Protection. - **How it appears**: OneNote might encounter errors syncing a OneDrive for Business notebook and suggest changing the file ownership to Personal. Attempting to view the notebook in OneNote Online in the browser will show an error and unable to view it. - **Workaround**: OneNote notebooks that are newly copied into the OneDrive for Business folder from File Explorer should get fixed automatically. To do this, follow these steps: 
@@ -150,6 +150,6 @@ This following list provides info about the most common problems you might encou > [!NOTE] > -> - When corporate data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files. +> - When corporate data is written to disk, Windows Information Protection uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files. > > - Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md index daf5a9fac0..6c2ccfde53 100644 --- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md 
@@ -27,7 +27,7 @@ This list provides all of the tasks and settings that are required for the opera |Task|Description| |----|-----------| |Add at least one app of each type (Store and Desktop) to the **Protected apps** list in your WIP policy.|You must have at least one Store app and one Desktop app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics. | -|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage the WIP protection mode for your enterprise data](./create-wip-policy-using-configmgr.md#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| +|Choose your Windows Information Protection protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage Windows Information Protection mode for your enterprise data](./create-wip-policy-using-configmgr.md#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| |Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. 
For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. |Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.

    Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.| |Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.

    Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.| diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md index aabc6b7080..89d703af97 100644 --- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md +++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md 
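Review bot: In the mandatory-settings-for-wip.md table row, the new task text reads "Choose your Windows Information Protection protection level", doubling "protection", and the new link text "Manage Windows Information Protection mode for your enterprise data" drops the word that named what is being managed, so it no longer matches its own anchor "#manage-the-wip-protection-level-for-your-enterprise-data". Suggest "Choose your Windows Information Protection level" for the task, and link text that keeps "protection level" or "protection mode". The anchor is left as is, so also confirm the target heading in create-wip-policy-using-configmgr.md is not renamed elsewhere in this change.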
@@ -31,14 +31,14 @@ With the increase of employee-owned devices in the enterprise, there’s also an Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside WIP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client. >[!IMPORTANT] ->While WIP can stop accidental data leaks from honest employees, it is not intended to stop malicious insiders from removing enterprise data. For more details about the benefits WIP provides, see [Why use WIP?](#why-use-wip) later in this topic. +>While Windows Information Protection can stop accidental data leaks from honest employees, it is not intended to stop malicious insiders from removing enterprise data. For more details about the benefits WIP provides, see [Why use WIP?](#why-use-wip) later in this topic. ## Video: Protect enterprise data from being accidentally copied to the wrong place > [!Video https://www.microsoft.com/videoplayer/embed/RE2IGhh] ## Prerequisites -You’ll need this software to run WIP in your enterprise: +You’ll need this software to run Windows Information Protection in your enterprise: |Operating system | Management solution | |-----------------|---------------------| 
@@ -70,7 +70,7 @@ After the type of protection is set, the creating app encrypts the document so t Finally, there’s the risk of data leaking from your company when an employee leaves or unenrolls a device. Previously, you would simply erase all of the corporate data from the device, along with any other personal data on the device. ## Benefits of WIP -WIP provides: +Windows Information Protection provides: - Obvious separation between personal and corporate data, without requiring employees to switch environments or apps. - Additional data protection for existing line-of-business apps without a need to update the apps. 
@@ -79,12 +79,12 @@ WIP provides: - Use of audit reports for tracking issues and remedial actions. -- Integration with your existing management system (Microsoft Intune, Microsoft Endpoint Configuration Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage WIP for your company. +- Integration with your existing management system (Microsoft Intune, Microsoft Endpoint Configuration Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage Windows Information Protection for your company. ## Why use WIP? -WIP is the mobile application management (MAM) mechanism on Windows 10. WIP gives you a new way to manage data policy enforcement for apps and documents on Windows 10 desktop operating systems, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune). +Windows Information Protection is the mobile application management (MAM) mechanism on Windows 10. WIP gives you a new way to manage data policy enforcement for apps and documents on Windows 10 desktop operating systems, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune). -- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. WIP helps protect enterprise on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data. +- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. 
Windows Information Protection helps protect enterprise on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data. - **Manage your enterprise documents, apps, and encryption modes.** 
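Review bot: In the "Change the way you think about data policy enforcement" bullet, the rewritten sentence still reads "helps protect enterprise on both corporate and employee-owned devices", which has no object. Since this line is being edited anyway, change it to "helps protect enterprise data on both corporate and employee-owned devices". The same bullet list also mixes the expanded name and "WIP" from one sentence to the next, so it is worth stating the rule being applied (expand on first use per section, or expand everywhere) and checking the file against it.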
@@ -99,21 +99,21 @@ WIP is the mobile application management (MAM) mechanism on Windows 10. WIP give - **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your protected apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). - - **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media. + - **Data encryption at rest.** Windows Information Protection helps protect enterprise data on local files and on removable media. - Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies WIP to the new document. + Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies Windows Information Protection to the new document. 
- - **Helping prevent accidental data disclosure to public spaces.** WIP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your protected apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally. + - **Helping prevent accidental data disclosure to public spaces.** Windows Information Protection helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your protected apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally. - - **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t. + - **Helping prevent accidental data disclosure to removable media.** Windows Information Protection helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t. 
-- **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable. +- **Remove access to enterprise data from enterprise-protected devices.** Windows Information Protection gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable. >[!NOTE] >For management of Surface devices it is recommended that you use the Current Branch of Microsoft Endpoint Configuration Manager.
    Microsoft Endpoint Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device. ## How WIP works -WIP helps address your everyday challenges in the enterprise. Including: +Windows Information Protection helps address your everyday challenges in the enterprise. Including: - Helping to prevent enterprise data leaks, even on employee-owned devices that can't be locked down. @@ -124,7 +124,7 @@ WIP helps address your everyday challenges in the enterprise. Including: - Helping control the network and data access and data sharing for apps that aren’t enterprise aware ### Enterprise scenarios -WIP currently addresses these enterprise scenarios: +Windows Information Protection currently addresses these enterprise scenarios: - You can encrypt enterprise data on employee-owned and corporate-owned devices. - You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data. 
@@ -134,21 +134,21 @@ WIP currently addresses these enterprise scenarios: - Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required. ### WIP-protection modes -Enterprise data is automatically encrypted after it’s loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. +Enterprise data is automatically encrypted after it’s loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, Windows Information Protection uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. -Your WIP policy includes a list of trusted apps that are protected to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don’t have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it’s personally owned. 
+Your Windows Information Protection policy includes a list of trusted apps that are protected to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don’t have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it’s personally owned. >[!NOTE] >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). -You can set your WIP policy to use 1 of 4 protection and management modes: +You can set your Windows Information Protection policy to use 1 of 4 protection and management modes: |Mode|Description| |----|-----------| -|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.| -|Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. 
However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.| -|Silent |WIP runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.| -|Off |WIP is turned off and doesn't help to protect or audit your data.

    After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on. | +|Block |Windows Information Protection looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.| +|Allow overrides |Windows Information Protection looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.| +|Silent |Windows Information Protection runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.| +|Off |Windows Information Protection is turned off and doesn't help to protect or audit your data.

    After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn Windows Information Protection back on. | ## Turn off WIP You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn’t recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info won’t be automatically reapplied. diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md index d5400291be..c55f4fe75b 100644 --- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md @@ -25,7 +25,7 @@ ms.reviewer: >Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). -We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings when you create a WIP policy. If you are using Intune, the SharePoint entries may be added automatically. +We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings when you create a Windows Information Protection policy. If you are using Intune, the SharePoint entries may be added automatically. ## Recommended Enterprise Cloud Resources 
diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md index cd707f5044..84dae48f11 100644 --- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md +++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md @@ -29,7 +29,7 @@ Use Task Manager to check the context of your apps while running in Windows Info ## Viewing the Enterprise Context column in Task Manager You need to add the Enterprise Context column to the **Details** tab of the Task Manager. -1. Make sure that you have an active WIP policy deployed and turned on in your organization. +1. Make sure that you have an active Windows Information Protection policy deployed and turned on in your organization. 2. Open the Task Manager (taskmgr.exe), click the **Details** tab, right-click in the column heading area, and click **Select columns**. @@ -50,7 +50,7 @@ The **Enterprise Context** column shows you what each app can do with your enter - **Personal.** Shows the text, *Personal*. This app is considered non-work-related and can't touch any work data or resources. -- **Exempt.** Shows the text, *Exempt*. WIP policies don't apply to these apps (such as, system components). +- **Exempt.** Shows the text, *Exempt*. Windows Information Protection policies don't apply to these apps (such as, system components). > [!Important] > Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials. 
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index e99bc8205f..e423ab56b2 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -9,7 +9,6 @@ metadata: ms.localizationpriority: medium author: denisebmsft ms.author: deniseb - ms.date: 03/14/2022 ms.reviewer: manager: dansimp ms.custom: asr @@ -45,7 +44,7 @@ sections: To make sure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can: - Verify this by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral”. - - It must be a FQDN. A simple IP address will not work. + - It must be an FQDN. A simple IP address won't work. - Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard. - question: | 
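Review bot: The metadata hunk of faq-md-app-guard.yml deletes `ms.date: 03/14/2022` rather than updating it, while md-app-guard-browser-extension.md in this same patch keeps its `ms.date` field. If the removal is deliberate, note the reason in the commit message. Otherwise, restore the field with a current date so the page does not silently lose its freshness metadata.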
@@ -54,7 +53,7 @@ sections: Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. - question: | - Which Input Method Editors (IME) in 19H1 are not supported? + Which Input Method Editors (IME) in 19H1 aren't supported? answer: | The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard: @@ -74,7 +73,7 @@ sections: - question: | I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? answer: | - This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature. + This feature is currently experimental only and isn't functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature. - question: | What is the WDAGUtilityAccount local account? @@ -83,7 +82,7 @@ sections: **Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000** - We recommend that you do not modify this account. + We recommend that you don't modify this account. - question: | How do I trust a subdomain in my site list? 
@@ -93,35 +92,35 @@ sections: - question: | Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? answer: | - When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md). + When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode doesn't. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md). - question: | Is there a size limit to the domain lists that I need to configure? answer: | - Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 16383-B limit. + Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 1,6383-byte limit. - question: | Why does my encryption driver break Microsoft Defender Application Guard? answer: | - Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). + Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. 
If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard doesn't work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). - question: | Why do the Network Isolation policies in Group Policy and CSP look different? answer: | - There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP. + There's not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP. - Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources** - Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)** - - For EnterpriseNetworkDomainNames, there is no mapped CSP policy. + - For EnterpriseNetworkDomainNames, there's no mapped CSP policy. - Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). + Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard doesn't work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). - question: | Why did Application Guard stop working after I turned off hyperthreading? answer: | - If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements. 
+ If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there's a possibility Application Guard no longer meets the minimum requirements. - question: | Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"? diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md index 2b7a3193ab..ffd97aa5cd 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md @@ -2,12 +2,9 @@ title: Microsoft Defender Application Guard Extension description: Learn about the Microsoft Defender Application Guard browser extension, which extends Application Guard's protection to more web browsers. ms.prod: m365-security -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -author: martyav -ms.author: v-maave +author: aczechowski +ms.author: aaroncz ms.date: 09/09/2021 ms.reviewer: manager: dansimp 
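Review bot: In faq-md-app-guard.yml, the domain-list size answer now says "1,6383-byte limit", which misplaces the thousands separator. The removed line had 16383, so this should read "16,383-byte limit". In the same hunk, the answer to "Why do the Network Isolation policies in Group Policy and CSP look different?" ends with the VHD and encryption-driver paragraph that already appears word for word in the preceding answer. That line is edited here, so consider dropping the duplicate instead of rewording it.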
@@ -60,24 +57,24 @@ Both Chrome and Firefox have their own browser-specific group policies. We recom #### Chrome policies -These policies can be found along the filepath, *Software\Policies\Google\Chrome\\*, with each policy name corresponding to the file name (e.g., IncognitoModeAvailability is located at *Software\Policies\Google\Chrome\IncognitoModeAvailability*). +These policies can be found along the filepath, `Software\Policies\Google\Chrome\`, with each policy name corresponding to the file name. For example, `IncognitoModeAvailability` is located at `Software\Policies\Google\Chrome\IncognitoModeAvailability`. Policy name | Values | Recommended setting | Reason -|-|-|- -[IncognitoModeAvailability](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=IncognitoModeAvailability) | `0` = Enabled
    `1` = Disabled
    `2` = Forced (i.e. forces pages to only open in Incognito mode) | Disabled | This policy allows users to start Chrome in Incognito mode. In this mode, all extensions are turned off by default. -[BrowserGuestModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BrowserGuestModeEnabled) | `false` or `0` = Disabled
    `true`, `1`, or not configured = Enabled | Disabled | This policy allows users to login as *Guest*, which opens a session in Incognito mode. In this mode, all extensions are turned off by default. -[BackgroundModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BackgroundModeEnabled) | `false` or `0` = Disabled
    `true` or `1` = Enabled

    **Note:** If this policy is not set, the user can enable or disable background mode through local browser settings. | Enabled | This policy keeps Chrome running in the background, ensuring that navigation is always passed to the extension. +[IncognitoModeAvailability](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=IncognitoModeAvailability) | `0` = Enabled
    `1` = Disabled
    `2` = Forces pages to only open in Incognito mode | Disabled | This policy allows users to start Chrome in Incognito mode. In this mode, all extensions are turned off by default. +[BrowserGuestModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BrowserGuestModeEnabled) | `false` or `0` = Disabled
    `true`, `1`, or not configured = Enabled | Disabled | This policy allows users to sign in as *Guest*, which opens a session in Incognito mode. In this mode, all extensions are turned off by default. +[BackgroundModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BackgroundModeEnabled) | `false` or `0` = Disabled
    `true` or `1` = Enabled

    **Note:** If this policy isn't set, the user can enable or disable background mode through local browser settings. | Enabled | This policy keeps Chrome running in the background, ensuring that navigation is always passed to the extension. [ExtensionSettings](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings) | This policy accepts a dictionary that configures multiple other management settings for Chrome. See the [Google Cloud documentation](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings) for complete schema. | Include an entry for `force_installed` | This policy prevents users from manually removing the extension. #### Firefox policies -These policies can be found along the filepath, *Software\Policies\Mozilla\Firefox\\*, with each policy name corresponding to the file name (e.g., DisableSafeMode is located at *Software\Policies\Mozilla\Firefox\DisableSafeMode*). +These policies can be found along the filepath, `Software\Policies\Mozilla\Firefox\`, with each policy name corresponding to the file name. Foe example, `DisableSafeMode` is located at `Software\Policies\Mozilla\Firefox\DisableSafeMode`. Policy name | Values | Recommended setting | Reason -|-|-|- -[DisableSafeMode](https://github.com/mozilla/policy-templates/blob/master/README.md#DisableSafeMode) | `false` or `0` = Safe mode is enabled
    `true` or `1` = Safe mode is disabled | True (i.e. the policy is enabled and Safe mode is *not* allowed to run) | Safe mode can allow users to circumvent Application Guard -[BlockAboutConfig](https://github.com/mozilla/policy-templates/blob/master/README.md#BlockAboutConfig) | `false` or `0` = User access to *about:config* is allowed
    `true` or `1` = User access to *about:config* is not allowed | True (i.e. the policy is enabled and access to about:config is *not* allowed) | *About:config* is a special page within Firefox that offers control over many settings that may compromise security -[Extensions - Locked](https://github.com/mozilla/policy-templates/blob/master/README.md#Extensions) | This setting accepts a list of UUIDs for extensions (these can be found by searching `extensions.webextensions.uuids` within the about:config page) | Software\Policies\Mozilla\Firefox\Extensions\Locked\1 = "`ApplicationGuardRel@microsoft.com`" | This setting allows you to lock the extension, so the user cannot disable or uninstall it. +[DisableSafeMode](https://github.com/mozilla/policy-templates/blob/master/README.md#DisableSafeMode) | `false` or `0` = Safe mode is enabled
    `true` or `1` = Safe mode is disabled | The policy is enabled and Safe mode isn't allowed to run. | Safe mode can allow users to circumvent Application Guard +[BlockAboutConfig](https://github.com/mozilla/policy-templates/blob/master/README.md#BlockAboutConfig) | `false` or `0` = User access to `about:config` is allowed
    `true` or `1` = User access to `about:config` isn't allowed | The policy is enabled and access to `about:config` isn't allowed. | `About:config` is a special page within Firefox that offers control over many settings that may compromise security +[Extensions - Locked](https://github.com/mozilla/policy-templates/blob/master/README.md#Extensions) | This setting accepts a list of UUIDs for extensions. You can find these extensions by searching `extensions.webextensions.uuids` within the `about:config` page) | Software\Policies\Mozilla\Firefox\Extensions\Locked\1 = "`ApplicationGuardRel@microsoft.com`" | This setting allows you to lock the extension, so the user can't disable or uninstall it. ## Troubleshooting guide @@ -85,15 +82,15 @@ Policy name | Values | Recommended setting | Reason Error message | Cause | Actions -|-|- -Application Guard undetermined state | The extension was unable to communicate with the companion app during the last information request. | 1. Install the [companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8?activetab=pivot:overviewtab) and reboot
    2. If the companion app is already installed, reboot and see if that resolves the error
    3. If you still see the error after rebooting, uninstall and re-install the companion app
    4. Check for updates in both the Microsoft store and the respective web store for the affected browser +Application Guard undetermined state | The extension was unable to communicate with the companion app during the last information request. | 1. Install the [companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8?activetab=pivot:overviewtab) and reboot
    2. If the companion app is already installed, reboot and see if that resolves the error
    3. If you still see the error after rebooting, uninstall and reinstall the companion app
    4. Check for updates in both the Microsoft store and the respective web store for the affected browser ExceptionThrown | An unexpected exception was thrown. | 1. [File a bug](https://aka.ms/wdag-fb)
    2. Retry the operation Failed to determine if Application Guard is enabled | The extension was able to communicate with the companion app, but the information request failed in the app. | 1. Restart the browser
    2. Check for updates in both the Microsoft store and the respective web store for the affected browser -Launch in WDAG failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This can be caused by the companion app being uninstalled while Chrome was running. | 1. Make sure the companion app is installed
    2. If the companion app is installed, reboot and see if that resolves the error
    3. If you still see the error after rebooting, uninstall and re-install the companion app
    4. Check for updates in both the Microsoft store and the respective web store for the affected browser +Launch in WDAG failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This error can be caused by the companion app being uninstalled while Chrome was running. | 1. Make sure the companion app is installed
    2. If the companion app is installed, reboot and see if that resolves the error
    3. If you still see the error after rebooting, uninstall and reinstall the companion app
    4. Check for updates in both the Microsoft store and the respective web store for the affected browser Main page navigation caught an unexpected error | An unexpected exception was thrown during the main page navigation. | 1. [File a bug](https://aka.ms/wdag-fb)
    2. Retry the operation -Process trust response failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This can be caused by the companion app being uninstalled while Chrome was running.| 1. Make sure the companion app is installed.
    2. If the companion app is installed, reboot and see if that resolves the error
    3. If you still see the error after rebooting, uninstall and re-install the companion app
    4. Check for updates in both the Microsoft store and the respective web store for the affected browser -Protocol out of sync | The extension and native app cannot communicate with each other. This is likely caused by one being updated without supporting the protocol of the other. | Check for updates in both the Microsoft store, and the web store for the affected browser -Security patch level does not match | Microsoft determined that there was a security issue with either the extension or the companion app, and has issued a mandatory update. | Check for updates in both the Microsoft store, and the web store for the affected browser -Unexpected response while processing trusted state | The extension was able to communicate with the companion app, but the API failed and a failure response code was sent back to the extension. | 1. [File a bug](https://aka.ms/wdag-fb)
    2. Check if Edge is working
    3. Retry the operation +Process trust response failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This error can be caused by the companion app being uninstalled while Chrome was running.| 1. Make sure the companion app is installed.
    2. If the companion app is installed, reboot and see if that resolves the error
    3. If you still see the error after rebooting, uninstall and reinstall the companion app
    4. Check for updates in both the Microsoft store and the respective web store for the affected browser +Protocol out of sync | The extension and native app can't communicate with each other. This error is likely caused by one being updated without supporting the protocol of the other. | Check for updates in both the Microsoft store, and the web store for the affected browser +Security patch level doesn't match | Microsoft determined that there was a security issue with either the extension or the companion app, and has issued a mandatory update. | Check for updates in both the Microsoft store, and the web store for the affected browser +Unexpected response while processing trusted state | The extension was able to communicate with the companion app, but the API failed and a failure response code was sent back to the extension. | 1. [File a bug](https://aka.ms/wdag-fb)
    2. Check if Microsoft Edge is working
    3. Retry the operation ## Related articles diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md index eec6f18251..5901726822 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md @@ -14,7 +14,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/21/2017 ms.technology: windows-sec --- @@ -24,10 +23,10 @@ ms.technology: windows-sec - Windows 10 - Windows 11 -- Windows Server 2016 and above +- Windows Server 2012 R2 and later ->[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how to import an AppLocker policy. 
@@ -35,11 +34,14 @@ Before completing this procedure, you should have exported an AppLocker policy. Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. ->**Caution:**  Importing a policy will overwrite the existing policy on that computer. +> **Caution:**  Importing a policy will overwrite the existing policy on that computer. **To import an AppLocker policy** 1. From the AppLocker console, right-click **AppLocker**, and then click **Import Policy**. + 2. In the **Import Policy** dialog box, locate the file that you exported, and then click **Open**. + 3. The **Import Policy** dialog box will warn you that importing a policy will overwrite the existing rules and enforcement settings. If acceptable, click **OK** to import and overwrite the policy. + 4. The **AppLocker** dialog box will notify you of how many rules were overwritten and imported. Click **OK**. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md index 3203610df6..d7e1d5636c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md @@ -14,7 +14,6 @@ author: jgeurten ms.reviewer: jsuther1974 ms.author: dansimp manager: dansimp -ms.date: 03/22/2022 ms.technology: windows-sec --- 
@@ -45,6 +44,9 @@ To create effective WDAC deny policies, it's crucial to understand how WDAC pars 5. If no rule exists for the file and it's not allowed based on ISG or MI, then the file is blocked implicitly. +> [!NOTE] +> If your WDAC policy does not have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC will not make a call to the cloud. For more details, see [How does the integration between WDAC and the Intelligent Security Graph work?](use-windows-defender-application-control-with-intelligent-security-graph.md#how-does-the-integration-between-wdac-and-the-intelligent-security-graph-work). + ## Interaction with Existing Policies ### Adding Allow Rules diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index 36aa766318..3e1dfaea27 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md @@ -14,7 +14,6 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 07/15/2021 ms.technology: windows-sec --- 
@@ -24,7 +23,7 @@ ms.technology: windows-sec - Windows 10 - Windows 11 -- Windows Server 2016 and above +- Windows Server 2019 and above > [!NOTE] > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index 9e25d09647..dc42004f13 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -20,23 +20,3 @@ href: whats-new-windows-10-version-21H1.md - name: What's new in Windows 10, version 20H2 href: whats-new-windows-10-version-20H2.md - - name: What's new in Windows 10, version 2004 - href: whats-new-windows-10-version-2004.md - - name: What's new in Windows 10, version 1909 - href: whats-new-windows-10-version-1909.md - - name: What's new in Windows 10, version 1903 - href: whats-new-windows-10-version-1903.md -- name: Previous versions - items: - - name: What's new in Windows 10, version 1809 - href: whats-new-windows-10-version-1809.md - - name: What's new in Windows 10, version 1803 - href: whats-new-windows-10-version-1803.md - - name: What's new in Windows 10, version 1709 - href: whats-new-windows-10-version-1709.md - - name: What's new in Windows 10, version 1703 - href: whats-new-windows-10-version-1703.md - - name: What's new in Windows 10, version 1607 - href: whats-new-windows-10-version-1607.md - - name: What's new in Windows 10, versions 1507 and 1511 - href: whats-new-windows-10-version-1507-and-1511.md \ No newline at end of file diff --git a/windows/whats-new/contribute-to-a-topic.md b/windows/whats-new/contribute-to-a-topic.md index b99b7a48ad..77dfd79528 100644 --- a/windows/whats-new/contribute-to-a-topic.md +++ b/windows/whats-new/contribute-to-a-topic.md 
@@ -1,10 +1,7 @@ --- title: Edit an existing topic using the Edit link description: Instructions about how to edit an existing topic by using the Edit link on docs.microsoft.com. -keywords: contribute, edit a topic ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library ms.date: 10/13/2017 ms.reviewer: manager: dansimp diff --git a/windows/whats-new/get-started-with-1709.md b/windows/whats-new/get-started-with-1709.md deleted file mode 100644 index c2522f3e4c..0000000000 --- a/windows/whats-new/get-started-with-1709.md +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -title: Get started with Windows 10, version 1709 -description: Learn about features, review requirements, and plan your deployment of Windows 10, version 1709, including IT Pro content, release information, and history. -keywords: ["get started", "windows 10", "fall creators update", "1709"] -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: dansimp -ms.author: dansimp -ms.date: 10/16/2017 -ms.reviewer: -manager: dansimp -ms.localizationpriority: high -ms.topic: article ---- - -# Get started with Windows 10, version 1709 - -**Applies to** - -- Windows 10 - -> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -Welcome to Windows 10, version 1709, also known as the Fall Creators Update. Use the following information to learn about new features, review system requirements, and plan your deployment of the latest version of Windows 10. - -## Specification and systems requirements - -Before you install any version of Windows 10, make sure you visit the [Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications) page. This page contains the minimum systems requirements and important notes to install Windows 10, as well as feature deprecation information and additional requirements to use certain features. - -## What's new in Windows 10, version 1709 IT Pro content - -Take a look at the [What's new in Windows 10, version 1709 IT Pro content](whats-new-windows-10-version-1709.md), for the latest updates in content. Use this topic to easily navigate the documentation for the new features in Windows 10, version 1709. 
- -## Windows 10 release information and update history - -To view availability dates and servicing options for each version and update of Windows, including version 1709, visit the [Windows 10 release information](https://technet.microsoft.com/windows/mt679505.aspx) page. For further details on each update, go to the [Windows 10 update history](https://support.microsoft.com/help/4018124/windows-10-update-history) page. - -## Windows 10 Roadmap - -If you'd like to gain some insight into preview, or in-development features, visit the [Windows 10 Roadmap](https://www.microsoft.com/WindowsForBusiness/windows-roadmap) page. You'll be able to filter by feature state and product category, to make this information easier to navigate. - -## Top support solutions for Windows 10 - -Having problems with your latest deployment of Windows 10, version 1709? Check out the [Top support solutions for Windows 10](/windows/client-management/windows-10-support-solutions) topic, where we've collected the top Microsoft Support solutions for the most common issues experienced when using Windows 10 in an enterprise or IT pro environment. - -> Want even more information? Visit the [Windows 10 lifecycle page](https://www.microsoft.com/itpro/windows-10) on the [Windows IT Pro Center](https://itpro.windows.com). - -Ready to get started with Windows 10, version 1709? -> [!div class="nextstepaction"] -> [Deploy and Update Windows 10](/windows/deployment) diff --git a/windows/whats-new/images/bulk-token.PNG b/windows/whats-new/images/bulk-token.PNG deleted file mode 100644 index b0d2221824..0000000000 Binary files a/windows/whats-new/images/bulk-token.PNG and /dev/null differ diff --git a/windows/whats-new/images/wdatp.png b/windows/whats-new/images/wdatp.png deleted file mode 100644 index 79410f493f..0000000000 Binary files a/windows/whats-new/images/wdatp.png and /dev/null differ diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index 615251c635..3d11bd96e3 100644 
--- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml 
@@ -1,76 +1,67 @@ ### YamlMime:Landing -title: What's new in Windows # < 60 chars -summary: Find out about new features and capabilities in the latest release of Windows 10 and Windows 11. # < 160 chars +title: What's new in Windows +summary: Find out about new features and capabilities in the latest release of Windows 10 and Windows 11. metadata: - title: What's new in Windows # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Find out about new features and capabilities in the latest release of Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. + title: What's new in Windows + description: Find out about new features and capabilities in the latest release of Windows 10 and Windows 11. services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. + ms.service: windows-10 ms.subservice: subservice - ms.topic: landing-page # Required + ms.topic: landing-page ms.collection: - windows-10 - highpri author: aczechowski ms.author: aaroncz manager: dougeby - ms.date: 06/24/2021 #Required; mm/dd/yyyy format. 
+ ms.date: 06/03/2022 localization_priority: medium - -# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new landingContent: -# Cards and links should be based on top customer tasks or top subjects -# Start card title with a verb - # Card (optional) - title: Windows 11 linkLists: - linkListType: overview links: - text: Windows 11 overview - url: windows-11-overview.md + url: windows-11-overview.md - text: Windows 11 requirements url: windows-11-requirements.md - - text: Plan for Windows 11 + - text: Plan for Windows 11 url: windows-11-plan.md - - text: Prepare for Windows 11 + - text: Prepare for Windows 11 url: windows-11-prepare.md - title: Windows 10 linkLists: - linkListType: overview links: + - text: What's new in Windows 10, version 21H2 + url: whats-new-windows-10-version-21h2.md - text: What's new in Windows 10, version 21H1 - url: whats-new-windows-10-version-21h1.md + url: whats-new-windows-10-version-21h1.md - text: What's new in Windows 10, version 20H2 - url: whats-new-windows-10-version-20H2.md - - text: What's new in Windows 10, version 2004 - url: whats-new-windows-10-version-2004.md - - text: What's new in Windows 10, version 1909 - url: whats-new-windows-10-version-1909.md - - text: What's new in Windows 10, version 1903 - url: whats-new-windows-10-version-1903.md + url: whats-new-windows-10-version-20h2.md - - # Card (optional) - title: Learn more linkLists: - linkListType: overview links: - - text: Windows release information - url: /windows/release-health/release-information + - text: Windows 11 release information + url: /windows/release-health/windows11-release-information - text: Windows release health dashboard - url: /windows/release-information/ - - text: Windows update history - url: https://support.microsoft.com/topic/windows-10-update-history-7dd3071a-3906-fa2c-c342-f7f86728a6e3 - - text: Windows 10 features we’re no longer 
developing + url: /windows/release-health/ + - text: Windows 11 update history + url: https://support.microsoft.com/topic/windows-11-update-history-a19cd327-b57f-44b9-84e0-26ced7109ba9 + - text: Windows 10 update history + url: https://support.microsoft.com/topic/windows-10-update-history-857b8ccb-71e4-49e5-b3f6-7073197d98fb + - text: Windows 10 features we're no longer developing url: /windows/deployment/planning/windows-10-deprecated-features - text: Features and functionality removed in Windows 10 url: /windows/deployment/planning/windows-10-removed-features - text: Compare Windows 10 Editions - url: https://go.microsoft.com/fwlink/p/?LinkId=690485 + url: https://www.microsoft.com/windowsforbusiness/compare - text: Windows 10 Enterprise LTSC url: ltsc/index.md diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md index dfb0df5731..5d691021f8 100644 --- a/windows/whats-new/ltsc/index.md +++ b/windows/whats-new/ltsc/index.md @@ -1,11 +1,7 @@ --- title: Windows 10 Enterprise LTSC description: New and updated IT Pro content about new features in Windows 10, LTSC (also known as Windows 10 LTSB). -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 LTSC", "Windows 10 LTSB"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: aczechowski ms.author: aaroncz manager: dougeby 
@@ -30,9 +26,9 @@ This topic provides links to articles with information about what's new in each ## The Long-Term Servicing Channel (LTSC) -The following table summarizes equivalent feature update versions of Windows 10 LTSC and General Availability Channel (SAC) releases. +The following table summarizes equivalent feature update versions of Windows 10 LTSC and General Availability Channel (GA Channel) releases. -| LTSC release | Equivalent SAC release | Availability date | +| LTSC release | Equivalent GA Channel release | Availability date | | --- | --- | --- | | Windows 10 Enterprise LTSC 2015 | Windows 10, Version 1507 | 7/29/2015 | | Windows 10 Enterprise LTSC 2016 | Windows 10, Version 1607 | 8/2/2016 | diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md index c1c29d8f63..6e75a1fb9f 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md @@ -4,13 +4,9 @@ ms.reviewer: manager: dougeby ms.author: aaroncz description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2015 (also known as Windows 10 Enterprise 2015 LTSB). -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2015"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: aczechowski -ms.localizationpriority: low +ms.localizationpriority: medium ms.topic: article --- @@ -21,9 +17,6 @@ ms.topic: article This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). -> [!NOTE] -> Features in Windows 10 Enterprise LTSC 2015 are equivalent to [Windows 10, version 1507](../whats-new-windows-10-version-1507-and-1511.md). - ## Deployment ### Provisioning devices using Windows Imaging and Configuration Designer (ICD) 
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md index 354488f563..7ee18df927 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md @@ -4,11 +4,7 @@ ms.reviewer: manager: dougeby ms.author: aaroncz description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2016 (also known as Windows 10 Enterprise 2016 LTSB). -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2016"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: aczechowski ms.localizationpriority: low ms.topic: article diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 40a615660a..034ffc1f83 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -4,12 +4,9 @@ ms.reviewer: manager: dougeby ms.author: aaroncz description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2019 (also known as Windows 10 Enterprise 2019 LTSB). -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2019"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski -ms.localizationpriority: low +ms.localizationpriority: medium ms.topic: article --- 
@@ -21,22 +18,23 @@ ms.topic: article This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2019, compared to Windows 10 Enterprise LTSC 2016 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md). >[!NOTE] ->Features in Windows 10 Enterprise LTSC 2019 are equivalent to Windows 10, version 1809. +>Features in Windows 10 Enterprise LTSC 2019 are equivalent to Windows 10, version 1809. Windows 10 Enterprise LTSC 2019 builds on Windows 10 Pro, version 1809 adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as: -- Advanced protection against modern security threats + +- Advanced protection against modern security threats - Full flexibility of OS deployment - Updating and support options - Comprehensive device and app management and control capabilities -The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC users because it includes the cumulative enhancements provided in Windows 10 versions 1703, 1709, 1803, and 1809. Details about these enhancements are provided below. +The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC users because it includes the cumulative enhancements provided in Windows 10 versions 1703, 1709, 1803, and 1809. Details about these enhancements are provided below. >[!IMPORTANT] >The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the General Availability Channel release of Windows 10 might be limited. ## Microsoft Intune -Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. 
However, note that Windows 10 Update Rings Device profiles do not support LTSC releases, therefore you should use [Policy configuration service provider](/windows/client-management/mdm/policy-csp-update), WSUS, or Configuration Manager for patching. +Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. However, Windows 10 update rings device profiles don't support LTSC releases. For installing software updates, use the [policy configuration service provider (CSP)](/windows/client-management/mdm/policy-csp-update), Windows Server Update Services (WSUS), or Microsoft Endpoint Configuration Manager. ## Security 
@@ -46,37 +44,36 @@ This version of Windows 10 includes security improvements for threat protection, #### Microsoft Defender for Endpoint -The [Microsoft Defender for Endpoint](/windows/security/threat-protection/index) platform includes the security pillars shown in the following diagram. In this version of Windows, Defender for Endpoint includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. +The [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) platform includes multiple security pillars. In this version of Windows, Defender for Endpoint includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. -[ ![Microsoft Defender for Endpoint.](../images/wdatp.png) ](../images/wdatp.png#lightbox) - -##### Attack surface reduction +##### Attack surface reduction Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access]/microsoft-365/security/defender-endpoint/enable-controlled-folders). -- This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. +- This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We've made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. 
-- When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page. +- When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Select **Allow an app through Controlled folder access**. After the prompt, select the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page. -###### Windows Defender Firewall +###### Windows Defender Firewall -Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes. You can add specific rules for a WSL process just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This was first introduced in [Build 17627](/windows/wsl/release-notes#build-17618-skip-ahead). +Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes. You can add specific rules for a WSL process just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. 
For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This behavior was first introduced in [Build 17627](/windows/wsl/release-notes#build-17618-skip-ahead). ##### Windows Defender Device Guard -[Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) has always been a collection of technologies that can be combined to lock down a PC, including: -- Software-based protection provided by code integrity policies +[Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) has always been a collection of technologies that can be combined to lock down a PC, including: + +- Software-based protection provided by code integrity policies - Hardware-based protection provided by Hypervisor-protected code integrity (HVCI) -But these protections can also be configured separately. And, unlike HVCI, code integrity policies do not require virtualization-based security (VBS). To help underscore the distinct value of these protections, code integrity policies have been rebranded as [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control). +But these protections can also be configured separately. And, unlike HVCI, code integrity policies don't require virtualization-based security (VBS). To help underscore the distinct value of these protections, code integrity policies have been rebranded as [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control). 
-### Next-gen protection +### Next-gen protection -### Endpoint detection and response +### Endpoint detection and response -Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Microsoft Defender for Endpoint portal. +Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Microsoft Defender for Endpoint portal. -Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus). +Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between Microsoft 365 services and interoperates with Microsoft Defender for Endpoint. Other policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus). 
We've also [increased the breadth of the documentation library for enterprise security admins](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows). The new library includes information on: @@ -98,9 +95,9 @@ We've [invested heavily in helping to protect against ransomware](https://blogs. **Endpoint detection and response** is also enhanced. New **detection** capabilities include: -- [Use the threat intelligence API to create custom alerts](/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. +- [Use the threat intelligence API to create custom alerts](/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intelligence application, and create custom threat intelligence alerts for your organization. -- [Custom detection](/microsoft-365/security/defender-endpoint/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. +- [Custom detection](/microsoft-365/security/defender-endpoint/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. You can use advanced hunting through the creation of custom detection rules. - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks. 
@@ -110,83 +107,77 @@ We've [invested heavily in helping to protect against ransomware](https://blogs. **Threat response** is improved when an attack is detected, enabling immediate action by security teams to contain a breach: -- [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. -- [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. +- [Take response actions on a machine](/microsoft-365/security/defender-endpoint/respond-machine-alerts) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. +- [Take response actions on a file](/microsoft-365/security/defender-endpoint/respond-file-alerts) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. -Additional capabilities have been added to help you gain a holistic view on **investigations** include: +Other capabilities have been added to help you gain a holistic view on **investigations** include: -- [Threat analytics](/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. 
+- [Threat analytics](/microsoft-365/security/defender-endpoint/threat-analytics) - Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess the effect to their environment. They also provide recommended actions to contain, increase organizational resilience, and prevent specific threats. -- [Query data using Advanced hunting in Microsoft Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) +- [Query data using Advanced hunting in Microsoft Defender for Endpoint](/microsoft-365/security/defender/advanced-hunting-query-language) -- [Use Automated investigations to investigate and remediate threats](/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) +- [Use Automated investigations to investigate and remediate threats](/microsoft-365/security/defender-endpoint/automated-investigations) -- [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. +- [Investigate a user account](/microsoft-365/security/defender-endpoint/investigate-user) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. -- [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time. 
+- [Alert process tree](/microsoft-365/security/defender-endpoint/investigate-alerts) - Aggregates multiple detections and related events into a single view to reduce case resolution time. -- [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Microsoft Defender for Endpoint. +- [Pull alerts using REST API](/microsoft-365/security/defender-endpoint/configure-siem) - Use REST API to pull alerts from Microsoft Defender for Endpoint. Other enhanced security features include: -- [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Microsoft Defender for Endpoint service and fix known issues. +- [Check sensor health state](/microsoft-365/security/defender-endpoint/check-sensor-status) - Check an endpoint's ability to provide sensor data and communicate with the Microsoft Defender for Endpoint service and fix known issues. -- [Managed security service provider (MSSP) support](/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. +- [Managed security service provider (MSSP) support](/microsoft-365/security/defender-endpoint/mssp-support) - Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. 
The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. -- [Integration with Azure Defender](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration Azure Defender can leverage the power of Defender for Endpoint to provide improved threat detection for Windows Servers. +- [Integration with Azure Defender](/microsoft-365/security/defender-endpoint/configure-server-endpoints#integration-with-microsoft-defender-for-cloud) - Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration, Azure Defender can use Defender for Endpoint to provide improved threat detection for Windows Servers. -- [Integration with Microsoft Cloud App Security](/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Defender for Endpoint monitored machines. +- [Integration with Microsoft Cloud App Security](/microsoft-365/security/defender-endpoint/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security uses Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Defender for Endpoint monitored machines. 
-- [Onboard Windows Server 2019](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. +- [Onboard Windows Server 2019](/microsoft-365/security/defender-endpoint/configure-server-endpoints#windows-server-semi-annual-enterprise-channel-sac-windows-server-2019-and-windows-server-2022) - Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. -- [Onboard previous versions of Windows](/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft Defender for Endpoint sensor. +- [Onboard previous versions of Windows](/microsoft-365/security/defender-endpoint/onboard-downlevel) - Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft Defender for Endpoint sensor. -- [Enable conditional access to better protect users, devices, and data](/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) +- [Enable conditional access to better protect users, devices, and data](/microsoft-365/security/defender-endpoint/conditional-access) -We've also added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on. 
+We've also added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device's time isn't properly synced with our time servers and the time-syncing service is disabled, we'll provide the option for you to turn it back on. -We’re continuing to work on how other security apps you’ve installed show up in the **Windows Security** app. There’s a new page called **Security providers** that you can find in the **Settings** section of the app. Click **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers’ apps or get more information on how to resolve issues reported to you through **Windows Security**. +We're continuing to work on how other security apps you've installed show up in the **Windows Security** app. There's a new page called **Security providers** that you can find in the **Settings** section of the app. Select **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers' apps or get more information on how to resolve issues reported to you through **Windows Security**. -This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks). +This improvement also means you'll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you'll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks). 
You can read more about ransomware mitigations and detection capability at: -- [Averting ransomware epidemics in corporate networks with Microsoft Defender for Endpoint](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/) -- [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/) +- [Averting ransomware epidemics in corporate networks with Microsoft Defender for Endpoint](https://www.microsoft.com/security/blog/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/) +- [Microsoft Malware Protection Center blog](https://www.microsoft.com/security/blog/category/research/ransomware/) Also see [New capabilities of Microsoft Defender for Endpoint further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97) -Get a quick, but in-depth overview of Microsoft Defender for Endpoint for Windows 10: [Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). +Get a quick, but in-depth overview of Microsoft Defender for Endpoint for Windows 10: [Defender for Endpoint](/microsoft-365/security/defender-endpoint/). - +### Information protection -### Information protection - -Improvements have been added to Windows Information Protection and BitLocker. +Improvements have been added to Windows Information Protection and BitLocker. #### Windows Information Protection -Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection. 
For more information, see [Deploying and managing Windows Information Protection (WIP) with Azure Information Protection](https://myignite.microsoft.com/sessions/53660?source=sessions). +Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection. -Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune). +Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure). -You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs). 
+You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For more information, see [How to collect Windows Information Protection (WIP) audit event logs](/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs). -This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive Files On-Demand For The Enterprise](https://techcommunity.microsoft.com/t5/OneDrive-Blog/OneDrive-Files-On-Demand-For-The-Enterprise/ba-p/117234). +This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive files on-demand for the enterprise](https://techcommunity.microsoft.com/t5/microsoft-onedrive-blog/onedrive-files-on-demand-for-the-enterprise/ba-p/117234). ### BitLocker -The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3). +The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#configure-minimum-pin-length-for-startup). #### Silent enforcement on fixed drives -Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). 
This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI. +Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (Azure AD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard Azure AD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don't pass the HSTI. -This is an update to the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others. - -This feature will soon be enabled on Olympia Corp as an optional feature. +This change is an update to the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) and used by Intune and others. ### Identity protection 
@@ -194,50 +185,46 @@ Improvements have been added are to Windows Hello for Business and Credential Gu #### Windows Hello for Business -New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present. +New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you aren't present. -New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification) include: +New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification) include: -- You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). +- You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](/mem/intune). -- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset). +- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more information, see [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset). 
-[Windows Hello](/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in [Kiosk configuration](#kiosk-configuration). +[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/index) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in [Kiosk configuration](#kiosk-configuration). -- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/). +- Windows Hello is now password-less on S-mode. - Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions. -- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their device Bluetooth is off. +- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign-in, and will notify Dynamic lock users if Dynamic lock has stopped working because their device Bluetooth is off. -- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options. +- You can set up Windows Hello from lock screen for Microsoft accounts. 
We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options. -- New [public API](/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider. +- New [public API](/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync) for secondary account SSO for a particular identity provider. + +- It's easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: device Bluetooth is off). -- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: device Bluetooth is off). - For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97) #### Windows Defender Credential Guard -Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. +Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. 
It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. -Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. +Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns on this functionality by default when the machine has been Azure Active Directory joined. This feature provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. > [!NOTE] -> Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. +> Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. -For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations). +For more information, see [Credential Guard Security Considerations](/windows/security/identity-protection/credential-guard/credential-guard-requirements#security-considerations). ### Other security improvements #### Windows security baselines -Microsoft has released new [Windows security baselines](/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10). - -**Windows security baselines** have been updated for Windows 10. 
A [security baseline](/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10). - -The new [security baseline for Windows 10 version 1803](/windows/security/threat-protection/security-compliance-toolkit-10) has been published. +Microsoft has released new [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security effect. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10). #### SMBLoris vulnerability 
@@ -245,57 +232,52 @@ An issue, known as _SMBLoris_, which could result in denial of service, has been #### Windows Security Center -Windows Defender Security Center is now called **Windows Security Center**. +Windows Defender Security Center is now called **Windows Security Center**. -You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Microsoft Defender Antivirus** and **Windows Defender Firewall**. +You can still get to the app in all the usual ways. Ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Microsoft Defender Antivirus** and **Windows Defender Firewall**. -The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Microsoft Defender Antivirus will remain enabled side-by-side with these products. +The WSC service now requires antivirus products to run as a protected process to register. Products that haven't yet implemented this functionality won't appear in the Windows Security Center user interface, and Microsoft Defender Antivirus will remain enabled side-by-side with these products. -WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**. +WSC now includes the Fluent Design System elements you know and love. You'll also notice we've adjusted the spacing and padding around the app. 
It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you've enabled that option in **Color Settings**. -![Security at a glance.](../images/defender.png "Windows Security Center") +:::image type="content" source="../images/defender.png" alt-text="Screenshot of the Windows Security Center."::: -#### Group Policy Security Options +#### Group policy security options -The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. +The security setting [**Interactive logon: Display user information when the session is locked**](/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. A new security policy setting -[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise LTSC 2019. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile. +[**Interactive logon: Don't display username at sign-in**](/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise LTSC 2019. This security policy setting determines whether the username is displayed during sign-in. 
It works with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile. #### Windows 10 in S mode -We’ve continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: +We've continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: -> [!div class="mx-imgBorder"] -> ![Virus & threat protection settings in Windows S mode.](../images/virus-and-threat-protection.png) +:::image type="content" source="../images/virus-and-threat-protection.png" alt-text="Screenshot of the Virus & threat protection settings in Windows."::: ## Deployment ### MBR2GPT.EXE -MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise LTSC 2019 (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). +MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise LTSC 2019 (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. 
The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also run from the full Windows 10 operating system. -The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk. +The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports other partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk. -Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. +Other security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. -For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt). +For more information, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt). ### DISM The following new DISM commands have been added to manage feature updates: -- **DISM /Online /Initiate-OSUninstall** - - Initiates an OS uninstall to take the computer back to the previous installation of windows. +- `DISM /Online /Initiate-OSUninstall`: Initiates an OS uninstall to take the computer back to the previous installation of windows. 
-- **DISM /Online /Remove-OSUninstall** - - Removes the OS uninstall capability from the computer. +- `DISM /Online /Remove-OSUninstall`: Removes the OS uninstall capability from the computer. -- **DISM /Online /Get-OSUninstallWindow** - - Displays the number of days after upgrade during which uninstall can be performed. +- `DISM /Online /Get-OSUninstallWindow`: Displays the number of days after upgrade during which uninstall can be performed. -- **DISM /Online /Set-OSUninstallWindow** - - Sets the number of days after upgrade during which uninstall can be performed. +- `DISM /Online /Set-OSUninstallWindow`: Sets the number of days after upgrade during which uninstall can be performed. For more information, see [DISM operating system uninstall command-line options](/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options). 
@@ -303,129 +285,106 @@ For more information, see [DISM operating system uninstall command-line options] You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once. -Prerequisites: +Prerequisites: + - Windows 10, version 1803 or Windows 10 Enterprise LTSC 2019, or later. - Windows 10 Enterprise or Pro For more information, see [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions). -It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option. +It's also now possible to run a script if the user rolls back their version of Windows using the PostRollback option. `/PostRollback [\setuprollback.cmd] [/postrollback {system / admin}]` -For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21). +For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#postrollback). New command-line switches are also available to control BitLocker: -- **Setup.exe /BitLocker AlwaysSuspend** - - Always suspend BitLocker during upgrade. +- `Setup.exe /BitLocker AlwaysSuspend`: Always suspend BitLocker during upgrade. -- **Setup.exe /BitLocker TryKeepActive** - - Enable upgrade without suspending BitLocker, but if upgrade does not work, then suspend BitLocker and complete the upgrade. +- `Setup.exe /BitLocker TryKeepActive`: Enable upgrade without suspending BitLocker, but if upgrade doesn't work, then suspend BitLocker and complete the upgrade. -- **Setup.exe /BitLocker ForceKeepActive** - - Enable upgrade without suspending BitLocker, but if upgrade does not work, fail the upgrade. 
+- `Setup.exe /BitLocker ForceKeepActive`: Enable upgrade without suspending BitLocker, but if upgrade doesn't work, fail the upgrade. -For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33). +For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#bitlocker). ### Feature update improvements -Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This has resulted in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/en-us/articles/were-listening-to-you/). +Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This change results in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/articles/were-listening-to-you/). ### SetupDiag [SetupDiag](/windows/deployment/upgrade/setupdiag) is a new command-line tool that can help diagnose why a Windows 10 update failed. -SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. +SetupDiag works by searching Windows Setup log files. When it searches log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. 
## Sign-in ### Faster sign-in to a Windows 10 shared pc -If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](/windows/configuration/set-up-shared-or-guest-pc) in a flash! +If you have shared devices deployed in your work place, **Fast sign-in** enables users to quickly sign in to a [shared Windows 10 PC](/windows/configuration/set-up-shared-or-guest-pc). -**To enable fast sign-in:** +#### To enable fast sign-in 1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise LTSC 2019. 2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in. -3. Sign-in to a shared PC with your account. You'll notice the difference! +3. Sign-in to a shared PC with your account. - ![fast sign-in.](../images/fastsignin.png "fast sign-in") + :::image type="content" source="../images/fastsignin.png" alt-text="An animated image that demonstrates the fast sign-in feature."::: ### Web sign-in to Windows 10 -Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML). +Until now, Windows sign-in only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We're introducing "web sign-in," a new way of signing into your Windows PC. Web Sign-in enables Windows sign-in support for non-ADFS federated providers (e.g.SAML). -**To try out web sign-in:** +#### Try out web sign-in 1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs). -2. Set the Policy CSP, and the Authentication and EnableWebSignIn policies to enable web sign-in. +2. Set the Policy CSP, and the Authentication and EnableWebSignIn policies to enable web sign-in. 3. 
On the lock screen, select web sign-in under sign-in options. -4. Click the “Sign in” button to continue. -![Sign-in option.](../images/websignin.png "web sign-in") +4. Select "Sign in" to continue. -## Windows Analytics + :::image type="content" source="../images/websignin.png" alt-text="A screenshot of the Windows sign-in screen that highlights the web sign-in feature."::: -### Upgrade Readiness - ->[!IMPORTANT] ->Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a General Availability Channel release. - -Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. - -The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. - -For more information about Upgrade Readiness, see the following topics: - -- [Windows Analytics blog](/archive/blogs/upgradeanalytics/) -- [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness) - -Upgrade Readiness provides insights into application and driver compatibility issues. New capabilities include better app coverage, post-upgrade health reports, and enhanced report filtering capabilities. For more information, see [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). 
- -### Update Compliance +## Update Compliance Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date. Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues. +New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. + For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](/windows/deployment/update/update-compliance-monitor). -New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Microsoft Defender Antivirus with Update Compliance](/windows/deployment/update/update-compliance-monitor). - -### Device Health - -Maintaining devices is made easier with Device Health, a new, premium analytic tool that identifies devices and drivers that crash frequently and might need to be rebuilt or replaced. For more information, see [Monitor the health of devices with Device Health](/windows/deployment/update/device-health-monitor). - -## Accessibility and Privacy +## Accessibility and privacy ### Accessibility -"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-10-accessibility-for-itpros). 
Also see the accessibility section in [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/), a blog post. +"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in [What's new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/). ### Privacy -In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](/windows/configuration/diagnostic-data-viewer-overview) app. +In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](/windows/privacy/diagnostic-data-viewer-overview) app. ## Configuration ### Kiosk configuration -The new chromium-based Microsoft Edge has many improvements specifically targeted to Kiosks. However, it is not included in the LTSC release of Windows 10. You can download and install Microsoft Edge separately [here](https://www.microsoft.com/edge/business/download). +The new chromium-based Microsoft Edge has many improvements targeted to kiosks. However, it's not included in the LTSC release of Windows 10. You can download and install Microsoft Edge separately. For more information, see [Download and deploy Microsoft Edge for business](https://www.microsoft.com/edge/business/download). -Internet Explorer is included in Windows 10 LTSC releases as its feature set is not changing, and it will continue to get security fixes for the life of a Windows 10 LTSC release. 
+Internet Explorer is included in Windows 10 LTSC releases as its feature set isn't changing, and it will continue to get security fixes for the life of a Windows 10 LTSC release. -If you wish to take advantage of [Kiosk capabilities in Edge](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy), consider [Kiosk mode](/windows/configuration/kiosk-methods) with a semi-annual release channel. +If you wish to take advantage of [Kiosk capabilities in Microsoft Edge](/previous-versions/windows/edge-legacy/microsoft-edge-kiosk-mode-deploy), consider [Kiosk mode](/windows/configuration/kiosk-methods) with a semi-annual release channel. ### Co-management -Intune and Microsoft Endpoint Manager policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. +Intune and Microsoft Endpoint Configuration Manager policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. -For more information, see [What's New in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803). +For more information, see [What's New in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management). ### OS uninstall period 
@@ -435,72 +394,70 @@ The OS uninstall period is a length of time that users are given when they can o Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards. -![get bulk token action in wizard.](../images/bulk-token.png) - ### Windows Spotlight -The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences: +The following new group policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences: - **Turn off the Windows Spotlight on Action Center** - **Do not use diagnostic data for tailored experiences** - **Turn off the Windows Welcome Experience** -[Learn more about Windows Spotlight.](/windows/configuration/windows-spotlight) +For more information, see [Configure Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight). ### Start and taskbar layout Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10 Enterprise LTSC 2019 adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management). -[Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include: +[More MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). 
New MDM policy settings include: - Settings for the User tile: [**Start/HideUserTile**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) - Settings for Power: [**Start/HidePowerButton**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesleep) -- Additional new settings: [**Start/HideFrequentlyUsedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](/windows/client-management/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), 
and [**Start/HideAppsList**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist). +- Other new settings: [**Start/HideFrequentlyUsedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](/windows/client-management/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist). ## Windows Update ### Windows Insider for Business -We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (Azure AD). By enrolling devices in Azure AD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](https://insider.windows.com/for-business). +We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (Azure AD). By enrolling devices in Azure AD, you increase the visibility of feedback submitted by users in your organization - especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](https://insider.windows.com/for-business). You can now register your Azure AD domains to the Windows Insider Program. 
For more information, see [Windows Insider Program for Business](https://insider.windows.com/for-business). - ### Optimize update delivery -With changes delivered in Windows 10 Enterprise LTSC 2019, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Endpoint Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](/windows-server/administration/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. +With changes delivered in Windows 10 Enterprise LTSC 2019, [express updates](/windows/deployment/do/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Configuration Manager. It's also supported with other third-party updating and management products that [implement this new functionality](/windows-server/administration/windows-server-update-services/deploy/express-update-delivery-isv-support). This support is in addition to current express support on Windows Update, Windows Update for Business and WSUS. >[!NOTE] > The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update. -Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios. +Delivery Optimization policies now enable you to configure other restrictions to have more control in various scenarios. 
Added policies include: -- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/update/waas-delivery-optimization#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) -- [Enable Peer Caching while the device connects via VPN](/windows/deployment/update/waas-delivery-optimization#enable-peer-caching-while-the-device-connects-via-vpn) -- [Minimum RAM (inclusive) allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-ram-allowed-to-use-peer-caching) -- [Minimum disk size allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-disk-size-allowed-to-use-peer-caching) -- [Minimum Peer Caching Content File Size](/windows/deployment/update/waas-delivery-optimization#minimum-peer-caching-content-file-size) -To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization). +- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/do/waas-delivery-optimization-reference#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) +- [Enable Peer Caching while the device connects via VPN](/windows/deployment/do/waas-delivery-optimization-reference#enable-peer-caching-while-the-device-connects-via-vpn) +- [Minimum RAM (inclusive) allowed to use Peer Caching](/windows/deployment/do/waas-delivery-optimization-reference#minimum-ram-allowed-to-use-peer-caching) +- [Minimum disk size allowed to use Peer Caching](/windows/deployment/do/waas-delivery-optimization-reference#minimum-disk-size-allowed-to-use-peer-caching) +- [Minimum Peer Caching Content File Size](/windows/deployment/do/waas-delivery-optimization-reference#minimum-peer-caching-content-file-size) + +For more information, see [Configure Delivery Optimization for Windows updates](/windows/deployment/do/waas-delivery-optimization). 
### Uninstalled in-box apps no longer automatically reinstall Starting with Windows 10 Enterprise LTSC 2019, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process. -Additionally, apps de-provisioned by admins on Windows 10 Enterprise LTSC 2019 machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10 Enterprise LTSC 2016 (or earlier) to Windows 10 Enterprise LTSC 2019. +Additionally, apps de-provisioned by admins on Windows 10 Enterprise LTSC 2019 machines will stay de-provisioned after future feature update installations. This behavior won't apply to the update from Windows 10 Enterprise LTSC 2016 (or earlier) to Windows 10 Enterprise LTSC 2019. ## Management ### New MDM capabilities -Windows 10 Enterprise LTSC 2019 adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](/windows/client-management/mdm/policy-configuration-service-provider). +Windows 10 Enterprise LTSC 2019 adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful group policy settings via MDM. For more information, see [Policy CSP - ADMX-backed policies](/windows/client-management/mdm/policy-configuration-service-provider). 
Some of the other new CSPs are: -- The [DynamicManagement CSP](/windows/client-management/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. +- The [DynamicManagement CSP](/windows/client-management/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device can't reach the management server when the location or network changes. The dynamic management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. - The [CleanPC CSP](/windows/client-management/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data. 
@@ -512,13 +469,11 @@ Some of the other new CSPs are: - The [EnterpriseAppVManagement CSP](/windows/client-management/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM. -IT pros can use the new [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents. +For more information, see [What's new in mobile device enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management). -[Learn more about new MDM capabilities.](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew10) +MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy). -MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy). - -Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1709). 
+Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management). ### Mobile application management support for Windows 10 
@@ -528,13 +483,14 @@ For more info, see [Implement server-side support for mobile application managem ### MDM diagnostics -In Windows 10 Enterprise LTSC 2019, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](/message-analyzer/microsoft-message-analyzer-operating-guide) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. +In Windows 10 Enterprise LTSC 2019, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we're introducing [Microsoft Message Analyzer](/message-analyzer/microsoft-message-analyzer-operating-guide) as another tool to help support personnel quickly reduce issues to their root cause, while saving time and cost. ### Application Virtualization for Windows (App-V) -Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise LTSC 2019 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. 
Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically clean up your unpublished packages after a device restart. +Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise LTSC 2019 introduces two new PowerShell cmdlets, **New-AppVSequencerVM** and **Connect-AppvSequencerVM**. These cmdlets automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (`.appvt`) file, and letting you use PowerShell or group policy settings to automatically clean up your unpublished packages after a device restart. + +For more information, see the following articles: -For more info, see the following topics: - [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm) - [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing) - [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating) 
@@ -544,16 +500,16 @@ For more info, see the following topics: Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level. -- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703) -- [Windows 10, version 1703 Diagnostic Data](/windows/configuration/windows-diagnostic-data-1703) +- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703) +- [Windows 10, version 1703 diagnostic data](/windows/privacy/windows-diagnostic-data-1703) -### Group Policy spreadsheet +### Group policy spreadsheet -Learn about the new Group Policies that were added in Windows 10 Enterprise LTSC 2019. +Learn about the new group policies that were added in Windows 10 Enterprise LTSC 2019. -- [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250) +- [Group policy settings reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250) -### Mixed Reality Apps +### Mixed reality apps This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use WSUS must take action to enable Windows Mixed Reality. You can also prohibit use of Windows Mixed Reality by blocking installation of the Mixed Reality Portal. For more information, see [Enable or block Windows Mixed Reality apps in the enterprise](/windows/application-management/manage-windows-mixed-reality). 
@@ -561,7 +517,7 @@ This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.wind ### Network stack -Several network stack enhancements are available in this release. Some of these features were also available in Windows 10, version 1703. For more information, see [Core Network Stack Features in the Creators Update for Windows 10](https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/). +Several network stack enhancements are available in this release. Some of these features were also available in Windows 10, version 1703. For more information, see [Core network stack features in the Creators Update for Windows 10](https://techcommunity.microsoft.com/t5/networking-blog/core-network-stack-features-in-the-creators-update-for-windows/ba-p/339676). ### Miracast over Infrastructure 
@@ -569,47 +525,47 @@ In this version of Windows 10, Microsoft has extended the ability to send a Mira #### How it works -Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection. +Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS and multicast DNS (mDNS). If the name isn't resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection. -#### Miracast over Infrastructure offers a number of benefits +#### Miracast over Infrastructure offers many benefits - Windows automatically detects when sending the video stream over this path is applicable. - Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network. -- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections. +- Users don't have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections. - No changes to current wireless drivers or PC hardware are required. -- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct. 
-- It leverages an existing connection that both reduces the time to connect and provides a very stable stream. +- It works well with older wireless hardware that isn't optimized for Miracast over Wi-Fi Direct. +- It uses an existing connection that reduces the time to connect and provides a stable stream. #### Enabling Miracast over Infrastructure -If you have a device that has been updated to Windows 10 Enterprise LTSC 2019, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment: +If you have a device that has been updated to Windows 10 Enterprise LTSC 2019, then you automatically have this new feature. To take advantage of it in your environment, you need to make sure the following requirement exist within your deployment: - The device (PC or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise LTSC 2019, or a later OS. - A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows device can act as a Miracast over Infrastructure *source*. - - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. + - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection. For example, using either WPA2-PSK or WPA2-Enterprise security. If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. - As a Miracast source, the device must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. -- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. 
You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname. +- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this configuration by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname. - Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. > [!IMPORTANT] -> Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. +> Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don't have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. ## Registry editor improvements -We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. +We added a dropdown that displays while you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. 
-![Reg editor.](../images/regeditor.png "Registry editor dropdown") +:::image type="content" source="../images/regeditor.png" alt-text="Screenshot of Registry Editor showing list of path completion."::: ## Remote Desktop with Biometrics Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. -To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**. +To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and select **Connect**. -- Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials. +- Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also select **More choices** to choose alternate credentials. - Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. @@ -619,6 +575,6 @@ See the following example: ![Provide credentials.](../images/RDPwBio2.png "Windows Hello personal") ![Microsoft Hyper-V Server 2016.](../images/hyper-v.png "Microsoft Hyper-V Server 2016") -## See Also +## See also [Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release. diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index 1e10461eea..6faf817654 100644 
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md @@ -4,10 +4,7 @@ ms.reviewer: manager: dougeby ms.author: aaroncz description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2021. -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2021"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: low ms.topic: article 
@@ -142,7 +139,7 @@ Windows Hello enhancements include: - Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox. - You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN. - Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995). -- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894). +- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (Microsoft account). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894). 
- With specialized hardware and software components available on devices shipping with Windows 10, version 20H2 configured out of factory, Windows Hello now offers added support for virtualization-based security with supporting fingerprint and face sensors. This feature isolates and secures a user's biometric authentication data. - Windows Hello multi-camera support is added, allowing users to choose an external camera priority when both external and internal Windows Hello-capable cameras are present. - [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD. diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md index e7ad13d805..8190b90e04 100644 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md @@ -1,16 +1,14 @@ --- title: What's new in Windows 10, versions 1507 and 1511 (Windows 10) description: What's new in Windows 10 for Windows 10 (versions 1507 and 1511). -ms.assetid: 75F285B0-09BE-4821-9B42-37B9BE54CEC6 ms.reviewer: ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski manager: dougeby ms.author: aaroncz -ms.localizationpriority: high +ms.localizationpriority: medium ms.topic: article +ROBOTS: NOINDEX --- # What's new in Windows 10, versions 1507 and 1511 for IT Pros diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md index 509b7d10a0..48342fd24c 100644 --- a/windows/whats-new/whats-new-windows-10-version-1607.md +++ b/windows/whats-new/whats-new-windows-10-version-1607.md 
@@ -1,16 +1,14 @@ --- title: What's new in Windows 10, version 1607 (Windows 10) description: What's new in Windows 10 for Windows 10 (version 1607). -keywords: ["What's new in Windows 10", "Windows 10", "anniversary update"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: high +ms.localizationpriority: medium ms.reviewer: author: aczechowski manager: dougeby ms.author: aaroncz ms.topic: article +ROBOTS: NOINDEX --- # What's new in Windows 10, version 1607 for IT Pros diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index a62e914365..df0bb338ac 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -1,17 +1,14 @@ --- title: What's new in Windows 10, version 1703 description: New and updated features in Windows 10, version 1703 (also known as the Creators Updated). -keywords: ["What's new in Windows 10", "Windows 10", "creators update"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: high -ms.assetid: dca7c655-c4f6-45f8-aa02-64187b202617 +ms.localizationpriority: medium ms.reviewer: author: aczechowski manager: dougeby ms.author: aaroncz ms.topic: article +ROBOTS: NOINDEX --- # What's new in Windows 10, version 1703 for IT Pros @@ -44,8 +41,6 @@ Both the desktop and kiosk wizards include an option to remove pre-installed sof Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards. -![get bulk token action in wizard.](images/bulk-token.png) - ### Windows Spotlight 
@@ -232,7 +227,6 @@ Some of the other new CSPs are: - The [EnterpriseAppVManagement CSP](/windows/client-management/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM. -IT pros can use the new [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents. [Learn more about new MDM capabilities.](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew10) diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md index 905d4ff2dd..ad9ebb3782 100644 --- a/windows/whats-new/whats-new-windows-10-version-1709.md +++ b/windows/whats-new/whats-new-windows-10-version-1709.md @@ -1,16 +1,14 @@ --- title: What's new in Windows 10, version 1709 description: New and updated features in Windows 10, version 1709 (also known as the Fall Creators Update). -keywords: ["What's new in Windows 10", "Windows 10", "Fall Creators Update"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library ms.reviewer: author: aczechowski manager: dougeby ms.author: aaroncz -ms.localizationpriority: high +ms.localizationpriority: medium ms.topic: article +ROBOTS: NOINDEX --- # What's new in Windows 10, version 1709 for IT Pros diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md index f2f4dc5964..d8903b9bbb 100644 --- a/windows/whats-new/whats-new-windows-10-version-1803.md +++ b/windows/whats-new/whats-new-windows-10-version-1803.md 
@@ -1,16 +1,14 @@ --- title: What's new in Windows 10, version 1803 description: New and updated features in Windows 10, version 1803 (also known as the Windows 10 April 2018 Update). -keywords: ["What's new in Windows 10", "Windows 10", "April 2018 Update"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library ms.reviewer: author: aczechowski manager: dougeby ms.author: aaroncz -ms.localizationpriority: high +ms.localizationpriority: medium ms.topic: article +ROBOTS: NOINDEX --- # What's new in Windows 10, version 1803 for IT Pros 
@@ -147,7 +145,7 @@ The OS uninstall period is a length of time that users are given when they can o - Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/). - Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions. - Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off. -- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options. +- You can set up Windows Hello from lock screen for Microsoft accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options. - New [public API](/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider. - It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off). 
diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index 9ce31284cc..d14888637d 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md @@ -2,15 +2,13 @@ title: What's new in Windows 10, version 1809 ms.reviewer: description: Learn about features for Windows 10, version 1809, including features and fixes included in previous cumulative updates to Windows 10, version 1803. -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 October 2018 Update"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski manager: dougeby ms.author: aaroncz -ms.localizationpriority: high +ms.localizationpriority: medium ms.topic: article +ROBOTS: NOINDEX --- # What's new in Windows 10, version 1809 for IT Pros diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index 35ed9f16c3..30dde72ade 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md @@ -1,16 +1,13 @@ --- title: What's new in Windows 10, version 1903 description: New and updated features in Windows 10, version 1903 (also known as the Windows 10 May 2019 Update). -keywords: ["What's new in Windows 10", "Windows 10", "May 2019 Update"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: aczechowski ms.author: aaroncz manager: dougeby -ms.localizationpriority: high +ms.localizationpriority: medium ms.topic: article +ROBOTS: NOINDEX --- # What's new in Windows 10, version 1903 for IT Pros diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md index 3b33b31e96..7f89949678 100644 --- a/windows/whats-new/whats-new-windows-10-version-1909.md +++ b/windows/whats-new/whats-new-windows-10-version-1909.md 
@@ -1,16 +1,13 @@ --- title: What's new in Windows 10, version 1909 description: New and updated features in Windows 10, version 1909 (also known as the Windows 10 November 2019 Update). -keywords: ["What's new in Windows 10", "Windows 10", "November 2019 Update"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: aczechowski ms.author: aaroncz manager: dougeby -ms.localizationpriority: high +ms.localizationpriority: medium ms.topic: article +ROBOTS: NOINDEX --- # What's new in Windows 10, version 1909 for IT Pros diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md index 726580724f..a00b411668 100644 --- a/windows/whats-new/whats-new-windows-10-version-2004.md +++ b/windows/whats-new/whats-new-windows-10-version-2004.md @@ -1,16 +1,13 @@ --- title: What's new in Windows 10, version 2004 description: New and updated features in Windows 10, version 2004 (also known as the Windows 10 May 2020 Update). -keywords: ["What's new in Windows 10", "Windows 10", "May 2020 Update"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: aczechowski ms.author: aaroncz manager: dougeby -ms.localizationpriority: high +ms.localizationpriority: medium ms.topic: article +ROBOTS: NOINDEX --- # What's new in Windows 10, version 2004 for IT Pros 
@@ -35,7 +32,7 @@ To download and install Windows 10, version 2004, use Windows Update (**Settings - Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995). -- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894). +- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (Microsoft account). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894). ### Windows Defender System Guard diff --git a/windows/whats-new/whats-new-windows-10-version-20H2.md b/windows/whats-new/whats-new-windows-10-version-20H2.md index 436dc92f0d..b3f400dbeb 100644 --- a/windows/whats-new/whats-new-windows-10-version-20H2.md +++ b/windows/whats-new/whats-new-windows-10-version-20H2.md 
@@ -1,11 +1,7 @@ --- title: What's new in Windows 10, version 20H2 description: New and updated features in Windows 10, version 20H2 (also known as the Windows 10 October 2020 Update). -keywords: ["What's new in Windows 10", "Windows 10", "October 2020 Update"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: aczechowski ms.author: aaroncz manager: dougeby diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md index 2fdba9bd26..f598d1913b 100644 --- a/windows/whats-new/whats-new-windows-10-version-21H1.md +++ b/windows/whats-new/whats-new-windows-10-version-21H1.md @@ -1,11 +1,7 @@ --- title: What's new in Windows 10, version 21H1 description: New and updated features in Windows 10, version 21H1 (also known as the Windows 10 May 2021 Update). -keywords: ["What's new in Windows 10", "Windows 10", "May 2021 Update"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: aczechowski ms.author: aaroncz manager: dougeby diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md index d536eb04eb..da72022d30 100644 --- a/windows/whats-new/whats-new-windows-10-version-21H2.md +++ b/windows/whats-new/whats-new-windows-10-version-21H2.md @@ -3,9 +3,6 @@ title: What's new in Windows 10, version 21H2 for IT pros description: Learn more about what's new in Windows 10 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more. manager: dougeby ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: mobile ms.author: aaroncz author: aczechowski ms.localizationpriority: medium diff --git a/windows/whats-new/windows-10-insider-preview.md b/windows/whats-new/windows-10-insider-preview.md index 2e6f2191f7..61a499904f 100644 --- a/windows/whats-new/windows-10-insider-preview.md +++ b/windows/whats-new/windows-10-insider-preview.md 
@@ -2,8 +2,6 @@ title: Documentation for Windows 10 Insider Preview (Windows 10) description: Preliminary documentation for some Windows 10 features in Insider Preview. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: dansimp ms.date: 04/14/2017 ms.reviewer: diff --git a/windows/whats-new/windows-11-overview.md b/windows/whats-new/windows-11-overview.md index 623e6caba5..ec5cd6f23f 100644 --- a/windows/whats-new/windows-11-overview.md +++ b/windows/whats-new/windows-11-overview.md @@ -3,14 +3,10 @@ title: Windows 11 overview for administrators description: Learn more about Windows 11. Read about the features IT professionals and administrators should know about Windows 11, including security, using apps, using Android apps, the new desktop, and deploying and servicing PCs. ms.reviewer: manager: dougeby -ms.audience: itpro author: aczechowski ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library ms.localizationpriority: medium -audience: itpro ms.topic: article ms.collection: highpri ms.custom: intro-overview diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md index 91a6d66855..7f67c4a774 100644 --- a/windows/whats-new/windows-11-plan.md +++ b/windows/whats-new/windows-11-plan.md @@ -1,10 +1,7 @@ --- title: Plan for Windows 11 description: Windows 11 deployment planning, IT Pro content. -keywords: ["get started", "windows 11", "plan"] ms.prod: w11 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz manager: dougeby diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index 262bf50024..532493e1e3 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md 
@@ -1,10 +1,7 @@ --- title: Prepare for Windows 11 description: Prepare your infrastructure and tools to deploy Windows 11, IT Pro content. -keywords: ["get started", "windows 11"] ms.prod: w11 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz manager: dougeby diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index 8384e85778..b2aef79c6d 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -2,14 +2,10 @@ title: Windows 11 requirements description: Hardware requirements to deploy Windows 11 manager: dougeby -ms.audience: itpro author: aczechowski ms.author: aaroncz ms.prod: w11 -ms.mktglfcycl: deploy -ms.sitesec: library ms.localizationpriority: medium -audience: itpro ms.topic: article ms.custom: seo-marvel-apr2020 ms.collection: highpri
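Review bot: In the hunk at `@@ -35,7 +32,7 @@` (the Windows Hello for Business bullet), the new parenthetical in `phone number sign-in (Microsoft account)` no longer expands an abbreviation and now reads as a dangling gloss. Consider `phone number sign-in for Microsoft accounts` so the scope of the feature is explicit. The same added line writes `Hybrid Azure Active Directory support` while its next sentence writes `Azure Active Directory hybrid environments`; settle on one form while this line is being touched.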
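Review bot: In windows/whats-new/windows-11-overview.md the front matter still reads `ms.prod: w10` after this cleanup, while windows-11-plan.md, windows-11-prepare.md and windows-11-requirements.md in the same patch carry `ms.prod: w11`. If the difference is not intentional, change it to `ms.prod: w11` in this hunk. The empty `ms.reviewer:` key left in the context lines could also be dropped, since the hunk is already removing metadata keys from this block.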