Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr into cz-cspdocs-2309

Aaron Czechowski 2023-10-04 13:11:45 -07:00
commit c9c874b350
5 changed files with 144 additions and 131 deletions

View File

@ -1,29 +1,29 @@
---
title: Support for mobile application management on Windows
description: Learn about implementing the Windows version of mobile application management (MAM), which is a lightweight solution for managing company data access and security on personal devices.
title: Support for Windows Information Protection (WIP) on Windows
description: Learn about implementing the Windows version of Windows Information Protection (WIP), which is a lightweight solution for managing company data access and security on personal devices.
ms.topic: article
ms.date: 08/10/2023
---
# Support for mobile application management on Windows
# Support for Windows Information Protection (WIP) on Windows
The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP).
Windows Information Protection (WIP) is a lightweight solution for managing company data access and security on personal devices. WIP support is built into Windows.
[!INCLUDE [Deprecate Windows Information Protection](../security/information-protection/windows-information-protection/includes/wip-deprecation.md)]
## Integration with Azure AD
MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD-integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).
WIP is integrated with Azure Active Directory (Azure AD) identity service. The WIP service supports Azure AD-integrated authentication for the user and the device during enrollment and the downloading of WIP policies. WIP integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).
MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a user's personal devices are enrolled to MAM or MDM, depending on the user's actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device is enrolled to MAM. If a user joins their device to Azure AD, it's enrolled to MDM. In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.
WIP uses Workplace Join (WPJ). WPJ is integrated with adding a work account flow to a personal device. If a user adds their work or school Entra ID account as a secondary account to the machine, their device registered with WPJ. If a user joins their device to Azure AD, it's enrolled to MDM. In general, a device that has a personal account as its primary account is considered a personal device and should be registered with WPJ. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.
On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft 365 apps. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**.
Regular non administrator users can enroll to MAM.
## Integration with Windows Information Protection
## Understand Windows Information Protection
MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they don't handle personal data, and therefore, it's safe for Windows to protect data on their behalf.
WIP takes advantage of [built-in policies](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, WPJ limits enforcement of WIP policies to [enlightened apps](/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they don't handle personal data, and therefore, it's safe for Windows to protect data on their behalf.
To make applications WIP-aware, app developers need to include the following data in the app resource file.
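Review bot: In the rewritten enrollment paragraph, "their device registered with WPJ" is missing its verb ("their device is registered with WPJ"), and that sentence says "Entra ID account" while the sentences on either side still say "Azure AD"; use one name for the directory throughout the article. In the "Understand Windows Information Protection" paragraph, "WPJ limits enforcement of WIP policies" reads like a mechanical MAM-to-WPJ substitution: the paragraph above introduces WPJ as the work-account registration flow, so confirm that it is really the component that scopes enforcement to enlightened and WIP-aware apps. The new H1, "Support for Windows Information Protection (WIP) on Windows", also repeats "Windows" without adding anything.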
@ -74,7 +74,7 @@ Since the [Poll](mdm/dmclient-csp.md#deviceproviderprovideridpoll) node isn't pr
## Supported CSPs
MAM on Windows supports the following configuration service providers (CSPs). All other CSPs are blocked. Note the list may change later based on customer feedback:
WIP supports the following configuration service providers (CSPs). All other CSPs are blocked. Note the list may change later based on customer feedback:
- [AppLocker CSP](mdm/applocker-csp.md) for configuration of Windows Information Protection enterprise allowed apps.
- [ClientCertificateInstall CSP](mdm/clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs.
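Review bot: The reworded lead-in "WIP supports the following configuration service providers (CSPs). All other CSPs are blocked." no longer says which enrollment the block applies to. The old sentence tied the allowlist to "MAM on Windows"; with "WIP" as the subject, state explicitly that the restriction applies to devices registered through the work-account flow, so it is not read as applying to MDM-enrolled devices that also use WIP. "Note the list may change later based on customer feedback" also sits oddly in an article that now pulls in the wip-deprecation include.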

View File

@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -1074,10 +1074,18 @@ This policy setting allows you to configure the maximum percentage CPU utilizati
- If you enable this setting, CPU utilization won't exceed the percentage specified.
- If you disable or don't configure this setting, CPU utilization won't exceed the default value.
<!-- AvgCPULoadFactor-Description-End -->
<!-- AvgCPULoadFactor-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> If you enable both of the following policies, then Windows ignores the value of **AvgCPULoadFactor**:
>
> - [ScanOnlyIfIdle](defender-csp.md#configurationscanonlyifidleenabled): Instructs the product to scan only when the computer isn't in use.
> - [DisableCpuThrottleOnIdleScans](defender-csp.md#configurationdisablecputhrottleonidlescans): Instructs the product to disable CPU throttling on idle scans.
<!-- AvgCPULoadFactor-Editable-End -->
<!-- AvgCPULoadFactor-DFProperties-Begin -->
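Review bot: The new note under AvgCPULoadFactor says Windows ignores the value when ScanOnlyIfIdle and DisableCpuThrottleOnIdleScans are both enabled, but it does not say what limit applies instead. Add a sentence stating the resulting behaviour (for example, that idle scans then run with no CPU cap), because an admin who set AvgCPULoadFactor to protect endpoint performance needs to know the value is silently overridden. "Instructs the product" in both bullets is also vague; name the product.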
@ -2902,7 +2910,9 @@ Valid remediation action values are:
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- Links -->
[TAMPER-1]: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection
[TAMPER-2]: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#what-about-exclusions
<!-- Defender-CspMoreInfo-End -->
<!-- Defender-End -->
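Review bot: The [TAMPER-1] and [TAMPER-2] link definitions in this section are not used by any hunk visible in this file, and the two differ only by the #what-about-exclusions fragment. Confirm that each label is actually referenced, and that the references sit inside an editable section, since the comment above states that anything outside this section gets overwritten.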
@ -2910,3 +2920,4 @@ Valid remediation action values are:
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

View File

@ -124,16 +124,6 @@
href: deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
- name: In-place upgrade
href: deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
- name: Subscription Activation
items:
- name: Windows subscription activation
href: windows-10-subscription-activation.md
- name: Windows Enterprise E3 in CSP
href: windows-10-enterprise-e3-overview.md
- name: Configure VDA for subscription activation
href: vda-subscription-activation.md
- name: Deploy Windows Enterprise licenses
href: deploy-enterprise-licenses.md
- name: Deploy Windows client updates
items:
- name: Assign devices to servicing channels
@ -184,6 +174,109 @@
href: update/deployment-service-drivers.md
- name: Troubleshoot Windows Update for Business deployment service
href: update/deployment-service-troubleshoot.md
- name: Activate
items:
- name: Windows subscription activation
href: windows-10-subscription-activation.md
- name: Windows Enterprise E3 in CSP
href: windows-10-enterprise-e3-overview.md
- name: Configure VDA for subscription activation
href: vda-subscription-activation.md
- name: Deploy Windows Enterprise licenses
href: deploy-enterprise-licenses.md
- name: Volume Activation
items:
- name: Overview
href: volume-activation/volume-activation-windows-10.md
- name: Plan for volume activation
href: volume-activation/plan-for-volume-activation-client.md
- name: Activate using Key Management Service
href: volume-activation/activate-using-key-management-service-vamt.md
- name: Activate using Active Directory-based activation
href: volume-activation/activate-using-active-directory-based-activation-client.md
- name: Activate clients running Windows 10
href: volume-activation/activate-windows-10-clients-vamt.md
- name: Monitor activation
href: volume-activation/monitor-activation-client.md
- name: Use the Volume Activation Management Tool
href: volume-activation/use-the-volume-activation-management-tool-client.md
href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
- name: Volume Activation Management Tool (VAMT)
items:
- name: VAMT technical reference
href: volume-activation/volume-activation-management-tool.md
- name: Introduction to VAMT
href: volume-activation/introduction-vamt.md
- name: Active Directory-Based Activation Overview
href: volume-activation/active-directory-based-activation-overview.md
- name: Install and Configure VAMT
items:
- name: Overview
href: volume-activation/install-configure-vamt.md
- name: VAMT Requirements
href: volume-activation/vamt-requirements.md
- name: Install VAMT
href: volume-activation/install-vamt.md
- name: Configure Client Computers
href: volume-activation/configure-client-computers-vamt.md
- name: Add and Manage Products
items:
- name: Overview
href: volume-activation/add-manage-products-vamt.md
- name: Add and Remove Computers
href: volume-activation/add-remove-computers-vamt.md
- name: Update Product Status
href: volume-activation/update-product-status-vamt.md
- name: Remove Products
href: volume-activation/remove-products-vamt.md
- name: Manage Product Keys
items:
- name: Overview
href: volume-activation/manage-product-keys-vamt.md
- name: Add and Remove a Product Key
href: volume-activation/add-remove-product-key-vamt.md
- name: Install a Product Key
href: volume-activation/install-product-key-vamt.md
- name: Install a KMS Client Key
href: volume-activation/install-kms-client-key-vamt.md
- name: Manage Activations
items:
- name: Overview
href: volume-activation/manage-activations-vamt.md
- name: Run Online Activation
href: volume-activation/online-activation-vamt.md
- name: Run Proxy Activation
href: volume-activation/proxy-activation-vamt.md
- name: Run KMS Activation
href: volume-activation/kms-activation-vamt.md
- name: Run Local Reactivation
href: volume-activation/local-reactivation-vamt.md
- name: Activate an Active Directory Forest Online
href: volume-activation/activate-forest-vamt.md
- name: Activate by Proxy an Active Directory Forest
href: volume-activation/activate-forest-by-proxy-vamt.md
- name: Manage VAMT Data
items:
- name: Overview
href: volume-activation/manage-vamt-data.md
- name: Import and Export VAMT Data
href: volume-activation/import-export-vamt-data.md
- name: Use VAMT in Windows PowerShell
href: volume-activation/use-vamt-in-windows-powershell.md
- name: VAMT Step-by-Step Scenarios
items:
- name: Overview
href: volume-activation/vamt-step-by-step.md
- name: "Scenario 1: Online Activation"
href: volume-activation/scenario-online-activation-vamt.md
- name: "Scenario 2: Proxy Activation"
href: volume-activation/scenario-proxy-activation-vamt.md
- name: "Scenario 3: KMS Client Activation"
href: volume-activation/scenario-kms-activation-vamt.md
- name: VAMT Known Issues
href: volume-activation/vamt-known-issues.md
- name: Information sent to Microsoft during activation
href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
- name: Monitor
items:
- name: Windows Update for Business reports
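Review bot: Under the new "Volume Activation" node, the "Use the Volume Activation Management Tool" entry is followed by a second href (volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md) that has no "- name:" line of its own, so that item ends up with two href keys and the appendix has no title at that position. The same target is added again at the end of the block as "Information sent to Microsoft during activation"; delete the stray href, or restore its name line if the appendix is meant to appear in both places.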
@ -280,9 +373,9 @@
- name: How does Windows Update work?
href: update/how-windows-update-works.md
- name: Windows client upgrade paths
href: upgrade/windows-10-upgrade-paths.md
href: upgrade/windows-upgrade-paths.md
- name: Windows client edition upgrade
href: upgrade/windows-10-edition-upgrades.md
href: upgrade/windows-edition-upgrades.md
- name: Deploy Windows 10 with Microsoft 365
href: deploy-m365.md
- name: Understand the Unified Update Platform
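Review bot: The two href values change from upgrade/windows-10-upgrade-paths.md and upgrade/windows-10-edition-upgrades.md to versionless file names, and nothing visible in this commit adds a redirect for the old paths. Confirm that the old URLs redirect to the new ones so inbound links and bookmarks do not break.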
@ -327,82 +420,6 @@
href: planning/security-and-data-protection-considerations-for-windows-to-go.md
- name: "Windows To Go: frequently asked questions"
href: planning/windows-to-go-frequently-asked-questions.yml
- name: Volume Activation Management Tool (VAMT) technical reference
items:
- name: VAMT technical reference
href: volume-activation/volume-activation-management-tool.md
- name: Introduction to VAMT
href: volume-activation/introduction-vamt.md
- name: Active Directory-Based Activation Overview
href: volume-activation/active-directory-based-activation-overview.md
- name: Install and Configure VAMT
items:
- name: Overview
href: volume-activation/install-configure-vamt.md
- name: VAMT Requirements
href: volume-activation/vamt-requirements.md
- name: Install VAMT
href: volume-activation/install-vamt.md
- name: Configure Client Computers
href: volume-activation/configure-client-computers-vamt.md
- name: Add and Manage Products
items:
- name: Overview
href: volume-activation/add-manage-products-vamt.md
- name: Add and Remove Computers
href: volume-activation/add-remove-computers-vamt.md
- name: Update Product Status
href: volume-activation/update-product-status-vamt.md
- name: Remove Products
href: volume-activation/remove-products-vamt.md
- name: Manage Product Keys
items:
- name: Overview
href: volume-activation/manage-product-keys-vamt.md
- name: Add and Remove a Product Key
href: volume-activation/add-remove-product-key-vamt.md
- name: Install a Product Key
href: volume-activation/install-product-key-vamt.md
- name: Install a KMS Client Key
href: volume-activation/install-kms-client-key-vamt.md
- name: Manage Activations
items:
- name: Overview
href: volume-activation/manage-activations-vamt.md
- name: Run Online Activation
href: volume-activation/online-activation-vamt.md
- name: Run Proxy Activation
href: volume-activation/proxy-activation-vamt.md
- name: Run KMS Activation
href: volume-activation/kms-activation-vamt.md
- name: Run Local Reactivation
href: volume-activation/local-reactivation-vamt.md
- name: Activate an Active Directory Forest Online
href: volume-activation/activate-forest-vamt.md
- name: Activate by Proxy an Active Directory Forest
href: volume-activation/activate-forest-by-proxy-vamt.md
- name: Manage VAMT Data
items:
- name: Overview
href: volume-activation/manage-vamt-data.md
- name: Import and Export VAMT Data
href: volume-activation/import-export-vamt-data.md
- name: Use VAMT in Windows PowerShell
href: volume-activation/use-vamt-in-windows-powershell.md
- name: VAMT Step-by-Step Scenarios
items:
- name: Overview
href: volume-activation/vamt-step-by-step.md
- name: "Scenario 1: Online Activation"
href: volume-activation/scenario-online-activation-vamt.md
- name: "Scenario 2: Proxy Activation"
href: volume-activation/scenario-proxy-activation-vamt.md
- name: "Scenario 3: KMS Client Activation"
href: volume-activation/scenario-kms-activation-vamt.md
- name: VAMT Known Issues
href: volume-activation/vamt-known-issues.md
- name: User State Migration Tool (USMT) technical reference
items:
- name: USMT overview articles
@ -570,25 +587,6 @@
href: planning/testing-your-application-mitigation-packages.md
- name: Use the Sdbinst.exe Command-Line Tool
href: planning/using-the-sdbinstexe-command-line-tool.md
- name: Volume Activation
items:
- name: Overview
href: volume-activation/volume-activation-windows-10.md
- name: Plan for volume activation
href: volume-activation/plan-for-volume-activation-client.md
- name: Activate using Key Management Service
href: volume-activation/activate-using-key-management-service-vamt.md
- name: Activate using Active Directory-based activation
href: volume-activation/activate-using-active-directory-based-activation-client.md
- name: Activate clients running Windows 10
href: volume-activation/activate-windows-10-clients-vamt.md
- name: Monitor activation
href: volume-activation/monitor-activation-client.md
- name: Use the Volume Activation Management Tool
href: volume-activation/use-the-volume-activation-management-tool-client.md
- name: "Appendix: Information sent to Microsoft during activation "
href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
- name: Install fonts in Windows client
href: windows-10-missing-fonts.md
- name: Customize Windows PE boot images

View File

@ -31,7 +31,7 @@ For a comprehensive list of all possible upgrade paths to Windows, see [Windows
The following table shows the methods and paths available to change the edition of Windows that is running on your computer.
| Edition upgrade | MDM | Provisioning package | Command-line tool | Manually entering product key |
| Edition upgrade | MDM | Provisioning<br>package | Command-<br>line tool | Manually entering<br>product key |
|-----| ----- | ----- | ----- | ----- |
| **Home > Pro** | ❌ | ❌ | ❌ | ☑️ |
| **Home > Pro for Workstations** | ❌ | ❌ | ❌ | ☑️|
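Review bot: In the new header row, "Command-<br>line tool" hard-codes a break after the hyphen, so the cell renders as "Command-" above "line tool" whatever the column width and reads like a typo. Break on a word boundary instead ("Command-line<br>tool"), as the other three headers in the row do.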
@ -51,22 +51,22 @@ The following table shows the methods and paths available to change the edition
- ☑️ = Supported, but reboot required.
- ❌ = Not supported.
- MDM = Modern device management.
- Each desktop edition in the table also has an N and KN SKU. These editions have had media-related functionality removed. Devices with N or KN SKUs installed can be upgraded to corresponding N or KN SKUs using the same methods.
> [!NOTE]
>
> Edition upgrades via Microsoft Store for Business are no longer available with the [retirement of Microsoft Store for Business](/announcements/microsoft-store-for-business-education-retiring).
> - Each desktop edition in the table also has an N and KN SKU. These editions have had media-related functionality removed. Devices with N or KN SKUs installed can be upgraded to corresponding N or KN SKUs using the same methods.
>
> - Edition upgrades via Microsoft Store for Business are no longer available with the retirement of the Microsoft Store for Business. For more information, see [Microsoft Store for Business and Education retiring March 31, 2023](/lifecycle/announcements/microsoft-store-for-business-education-retiring) and [Microsoft Store for Business and Microsoft Store for Education overview](/microsoft-store/microsoft-store-for-business-overview).
> [!TIP]
>
> - For information on upgrading editions of Windows using Microsoft Intune, including switching out of S mode, see [Upgrade Windows 10/11 editions or switch out of S mode on devices using Microsoft Intune](/mem/intune/configuration/edition-upgrade-configure-windows-10).
>
> - Edition upgrade is also possible using edition upgrade policy in Microsoft Configuration Manager. For more information, see [Upgrade Windows devices to a new edition with Configuration Manager](/mem/configmgr/compliance/deploy-use/upgrade-windows-version).
> Edition upgrade is also possible using edition upgrade policy in Microsoft Configuration Manager. For more information, see [Upgrade Windows devices to a new edition with Configuration Manager](/mem/configmgr/compliance/deploy-use/upgrade-windows-version).
## Upgrade using modern device management (MDM)
To upgrade desktop editions of Windows using MDM, enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp).
For information on upgrading editions of Windows using Microsoft Intune, including switching out of S mode, see [Upgrade Windows 10/11 editions or switch out of S mode on devices using Microsoft Intune](/mem/intune/configuration/edition-upgrade-configure-windows-10).
## Upgrade using a provisioning package
Use Windows Configuration Designer to create a provisioning package to upgrade a desktop edition of Windows. Windows Configuration Designer is available as part of the Windows Assessment and Deployment Kit (Windows ADK) or as a stand-alone Microsoft Store app. Download the Windows Configuration Designer from one of the following locations:
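Review bot: The legend entry "MDM = Modern device management" and the heading "Upgrade using modern device management (MDM)" disagree with the WIP article in this same commit, which expands MDM as "mobile device management". Settle on one expansion across the docs set, and apply it to both the legend and the heading here.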
@ -178,11 +178,7 @@ The following scenarios aren't supported:
## Supported Windows downgrade paths
- Yes = Supported downgrade path.
- No = not supported or not a downgrade.
- \- = Not considered a downgrade or an upgrade.
| Edition | Home | Pro | Pro for Workstations | Pro Education | Education | Enterprise LTSC | Enterprise |
| Edition | Home | Pro | Pro for<br> Workstations | Pro<br>Education | Education | Enterprise<br>LTSC | Enterprise |
|-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- |--------------------------------------------- |
| **Home** | - | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| **Pro** | ❌ | - | ❌ | ❌ | ❌ | ❌ | ❌ |
@ -192,7 +188,13 @@ The following scenarios aren't supported:
| **Enterprise LTSC** | ❌ | ❌ | ❌ | ❌ | ❌ | - | ❌ |
| **Enterprise** | ❌ | ✅ | ✅ | ✅ | - | ❌ | - |
**Windows N/KN**: Windows **N** and **KN** SKUs follow the same rules shown in the table.
- ✅ = Supported downgrade path.
- ❌ = not supported or not a downgrade.
- \- = Not considered a downgrade or an upgrade.
> [!NOTE]
>
> Windows **N** and Windows **KN** SKUs follow the same rules shown in the table.
The table may not represent more complex scenarios. For example, you can perform an upgrade from Pro to Pro for Workstation on a computer with an embedded Pro key using a Pro for Workstation license key. You can then later downgrade this computer back to Pro with the firmware-embedded key. The downgrade is allowed but only because the pre-installed OS is Pro.
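Review bot: In the relocated legend, "❌ = not supported or not a downgrade" overlaps with "\- = Not considered a downgrade or an upgrade", so a reader cannot tell from a ❌ cell whether the path is blocked or simply is not a downgrade. Give each symbol one meaning, or drop "or not a downgrade" from the ❌ entry. That entry also starts in lowercase while the other two are capitalised, and the closing paragraph says "Pro for Workstation" where the table header says "Pro for Workstations".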

View File

@ -1,7 +1,7 @@
---
title: What's new 2023
description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
ms.date: 09/11/2023
ms.date: 10/04/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: whats-new
@ -33,6 +33,8 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| Message center post number | Description |
| ----- | ----- |
| [MC678305](https://admin.microsoft.com/adminportal/home#/MessageCenter) | September 2023 Windows Autopatch baseline configuration update |
| [MC678303](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Windows Autopatch availability within Microsoft Intune Admin Center |
| [MC674422](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Public Preview: Windows Autopatch Reliability Report |
| [MC672750](https://admin.microsoft.com/adminportal/home#/MessageCenter) | August 2023 Windows Autopatch baseline configuration update |