The root node. +The root node. -
Supported operation is Get. +Supported operation is Get. **ApprovedUpdates** -
Node for update approvals and EULA acceptance on behalf of the end-user. +Node for update approvals and EULA acceptance on behalf of the end-user. > [!NOTE] > When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list. -
The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update. +The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update. -
The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. +The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. > [!NOTE] > For the Windows 10 build, the client may need to reboot after additional updates are added. -
Supported operations are Get and Add. +Supported operations are Get and Add. **ApprovedUpdates/_Approved Update Guid_** -
Specifies the update GUID. +Specifies the update GUID. -
To auto-approve a class of updates, you can specify the Update Classifications GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. These GUIDs are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. +To auto-approve a class of updates, you can specify the Update Classifications GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. These GUIDs are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. -
Supported operations are Get and Add. +Supported operations are Get and Add. -
Sample syncml:
+Sample syncml:
```
Specifies the time the update gets approved. +Specifies the time the update gets approved. -
Supported operations are Get and Add. +Supported operations are Get and Add. **FailedUpdates** -
Specifies the approved updates that failed to install on a device. +Specifies the approved updates that failed to install on a device. -
Supported operation is Get. +Supported operation is Get. **FailedUpdates/_Failed Update Guid_** -
Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install. +Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install. -
Supported operation is Get. +Supported operation is Get. **FailedUpdates/*Failed Update Guid*/HResult** -
The update failure error code. +The update failure error code. -
Supported operation is Get. +Supported operation is Get. -**FailedUpdates/*Failed Update Guid*/Status** -
Specifies the failed update status (for example, download, install). +**FailedUpdates/*Failed Update Guid*/State** +Specifies the failed update state. -
Supported operation is Get. +| Update Status | Integer Value | +| -------------------------- | ------------- | +| UpdateStatusNewUpdate | 1 | +| UpdateStatusReadyToDownload| 2 | +| UpdateStatusDownloading | 4 | +| UpdateStatusDownloadBlocked| 8 | +| UpdateStatusDownloadFailed | 16 | +| UpdateStatusReadyToInstall | 32 | +| UpdateStatusInstalling | 64 | +| UpdateStatusInstallBlocked | 128 | +| UpdateStatusInstallFailed | 256 | +| UpdateStatusRebootRequired | 512 | +| UpdateStatusUpdateCompleted| 1024 | +| UpdateStatusCommitFailed | 2048 | +| UpdateStatusPostReboot | 4096 | + +Supported operation is Get. **FailedUpdates/*Failed Update Guid*/RevisionNumber** -
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. +Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. -
Supported operation is Get. +Supported operation is Get. **InstalledUpdates** -
The updates that are installed on the device. +The updates that are installed on the device. -
Supported operation is Get. +Supported operation is Get. **InstalledUpdates/_Installed Update Guid_** -
UpdateIDs that represent the updates installed on a device. +UpdateIDs that represent the updates installed on a device. -
Supported operation is Get. +Supported operation is Get. **InstalledUpdates/*Installed Update Guid*/RevisionNumber** -
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. +Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. -
Supported operation is Get. +Supported operation is Get. **InstallableUpdates** -
The updates that are applicable and not yet installed on the device. These updates include updates that aren't yet approved. +The updates that are applicable and not yet installed on the device. These updates include updates that aren't yet approved. -
Supported operation is Get. +Supported operation is Get. **InstallableUpdates/_Installable Update Guid_** -
Update identifiers that represent the updates applicable and not installed on a device. +Update identifiers that represent the updates applicable and not installed on a device. -
Supported operation is Get. +Supported operation is Get. **InstallableUpdates/*Installable Update Guid*/Type** -
The UpdateClassification value of the update. Valid values are: +The UpdateClassification value of the update. Valid values are: - 0 - None - 1 - Security - 2 - Critical -
Supported operation is Get. +Supported operation is Get. **InstallableUpdates/*Installable Update Guid*/RevisionNumber** -
The revision number for the update that must be passed in server to server sync to get the metadata for the update. +The revision number for the update that must be passed in server to server sync to get the metadata for the update. -
Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates** -
The updates that require a reboot to complete the update session. +The updates that require a reboot to complete the update session. -
Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates/_Pending Reboot Update Guid_** -
Update identifiers for the pending reboot state. +Update identifiers for the pending reboot state. -
Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime** -
The time the update is installed. +The time the update is installed. -
Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates/*Pending Reboot Update Guid*/RevisionNumber** -
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. +Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. -
Supported operation is Get. +Supported operation is Get. **LastSuccessfulScanTime** -
The last successful scan time. +The last successful scan time. -
Supported operation is Get. +Supported operation is Get. **DeferUpgrade** -
Upgrades deferred until the next period. +Upgrades deferred until the next period. -
Supported operation is Get.
+Supported operation is Get.
**Rollback**
Added in Windows 10, version 1803. Node for the rollback operations.
diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md
index e80c753918..65937f4400 100644
--- a/windows/configuration/configure-windows-10-taskbar.md
+++ b/windows/configuration/configure-windows-10-taskbar.md
@@ -1,18 +1,10 @@
---
title: Configure Windows 10 taskbar
description: Administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file.
-ms.prod: windows-client
author: lizgt2000
ms.author: lizlong
ms.topic: how-to
-ms.localizationpriority: medium
ms.date: 08/18/2023
-ms.reviewer:
-manager: aaroncz
-ms.collection:
- - highpri
- - tier2
-ms.technology: itpro-configure
---
# Configure Windows 10 taskbar
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index c7298fc1d3..2173e2ee20 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -10,7 +10,6 @@ ms.topic: how-to
ms.localizationpriority: medium
ms.date: 08/18/2023
ms.collection:
- - highpri
- tier1
ms.technology: itpro-configure
---
diff --git a/windows/configuration/customize-start-menu-layout-windows-11.md b/windows/configuration/customize-start-menu-layout-windows-11.md
index 7ef410564c..2e959a035a 100644
--- a/windows/configuration/customize-start-menu-layout-windows-11.md
+++ b/windows/configuration/customize-start-menu-layout-windows-11.md
@@ -1,16 +1,9 @@
---
title: Add or remove pinned apps on the Start menu in Windows 11
description: Export Start layout to LayoutModification.json with pinned apps, and add or remove pinned apps. Use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices.
-manager: aaroncz
author: lizgt2000
ms.author: lizlong
ms.reviewer: ericpapa
-ms.prod: windows-client
-ms.localizationpriority: medium
-ms.collection:
- - highpri
- - tier1
-ms.technology: itpro-configure
ms.date: 01/10/2023
ms.topic: article
---
diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md
index a38e34c05c..72a4298b7c 100644
--- a/windows/configuration/customize-taskbar-windows-11.md
+++ b/windows/configuration/customize-taskbar-windows-11.md
@@ -8,7 +8,6 @@ ms.prod: windows-client
author: lizgt2000
ms.localizationpriority: medium
ms.collection:
- - highpri
- tier1
ms.technology: itpro-configure
ms.date: 08/17/2023
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
index 40b7d5daac..94641458ae 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
@@ -3,15 +3,8 @@ title: Customize Windows 10 Start and taskbar with group policy
description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain.
ms.reviewer:
manager: aaroncz
-ms.prod: windows-client
author: lizgt2000
-ms.localizationpriority: medium
ms.author: lizlong
-ms.topic: article
-ms.collection:
- - highpri
- - tier2
-ms.technology: itpro-configure
ms.date: 12/31/2017
---
diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json
index 04fb8e95d9..6d8d824a07 100644
--- a/windows/configuration/docfx.json
+++ b/windows/configuration/docfx.json
@@ -38,13 +38,15 @@
"ms.collection": [
"tier2"
],
+ "zone_pivot_group_filename": "resources/zone-pivot-groups.json",
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-Windows",
"ms.technology": "itpro-configure",
"ms.topic": "article",
- "feedback_system": "GitHub",
- "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
- "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
+ "ms.prod": "windows-client",
+ "manager": "aaroncz",
+ "feedback_system": "Standard",
+ "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.win-configuration",
@@ -61,7 +63,7 @@
"tiburd",
"garycentric",
"beccarobins",
- "v-stchambers",
+ "Stacyrch140",
"v-stsavell",
"American-Dipper"
],
diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
index ee9ad89242..5b78101494 100644
--- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
+++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
@@ -1,17 +1,10 @@
---
title: Find the Application User Model ID of an installed app
ms.reviewer: sybruckm
-manager: aaroncz
description: To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device.
author: lizgt2000
ms.author: lizlong
ms.topic: article
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.collection:
- - highpri
- - tier2
-ms.technology: itpro-configure
ms.date: 12/31/2017
---
# Find the Application User Model ID of an installed app
diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md
index f1159c1544..95bcd1a788 100644
--- a/windows/configuration/guidelines-for-assigned-access-app.md
+++ b/windows/configuration/guidelines-for-assigned-access-app.md
@@ -1,16 +1,10 @@
---
title: Guidelines for choosing an app for assigned access
description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience.
-ms.prod: windows-client
author: lizgt2000
-ms.localizationpriority: medium
ms.author: lizlong
ms.topic: article
ms.reviewer: sybruckm
-manager: aaroncz
-ms.collection:
- - highpri
- - tier2
ms.technology: itpro-configure
ms.date: 12/31/2017
---
diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml
index 0eace6a656..6eff88270a 100644
--- a/windows/configuration/index.yml
+++ b/windows/configuration/index.yml
@@ -9,7 +9,6 @@ metadata:
ms.topic: landing-page # Required
ms.prod: windows-client
ms.collection:
- - highpri
- tier1
author: aczechowski
ms.author: aaroncz
diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md
index e74ea773a1..0218a198e2 100644
--- a/windows/configuration/kiosk-single-app.md
+++ b/windows/configuration/kiosk-single-app.md
@@ -2,16 +2,11 @@
title: Set up a single-app kiosk on Windows
description: A single-use device is easy to set up in Windows Pro, Enterprise, and Education editions.
ms.reviewer: sybruckm
-manager: aaroncz
ms.author: lizlong
-ms.prod: windows-client
author: lizgt2000
-ms.localizationpriority: medium
ms.topic: article
ms.collection:
- - highpri
- tier1
-ms.technology: itpro-configure
ms.date: 07/12/2023
---
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index 89f93fc919..a32e707e87 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -1,26 +1,19 @@
---
title: Set up a multi-app kiosk on Windows 10
description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps.
-ms.prod: windows-client
-ms.technology: itpro-configure
author: lizgt2000
ms.author: lizlong
-manager: aaroncz
ms.reviewer: sybruckm
-ms.localizationpriority: medium
ms.topic: how-to
-ms.collection:
- - highpri
- - tier2
-ms.date: 12/31/2017
+ms.date: 11/08/2023
+appliesto:
+ - ✅ Windows 10 Pro
+ - ✅ Windows 10 Enterprise
+ - ✅ Windows 10 Education
---
# Set up a multi-app kiosk on Windows 10 devices
-**Applies to**
-
-- Windows 10 Pro, Enterprise, and Education
-
> [!NOTE]
> The use of multiple monitors isn't supported for multi-app kiosk mode in Windows 10.
@@ -33,13 +26,13 @@ The following table lists changes to multi-app kiosk in recent updates.
| - Configure [a single-app kiosk profile](#profile) in your XML file For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans). For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). |
+| Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher), or F3 to be assigned to your users. Additionally, Microsoft Entra ID P1 or P2 and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses). For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans). For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). |
| Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network. For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). |
| Microsoft Entra ID | Microsoft Entra ID must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Microsoft Entra Connect to enable Microsoft Entra hybrid join. At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see [co-management requirements for Windows Autopatch](#configuration-manager-co-management-requirements). Other device management prerequisites include: See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device prerequisites and on how the device registration process works with Windows Autopatch. For more information on co-management, see [co-management for Windows devices](/mem/configmgr/comanage/overview).
- Assign [group accounts to a config profile](#config-for-group-accounts)
- Configure [an account to sign in automatically](#config-for-autologon-account) | Windows 10, version 1803 |
| - Explicitly allow [some known folders when user opens file dialog box](#fileexplorernamespacerestrictions)
- [Automatically launch an app](#allowedapps) when the user signs in
- Configure a [display name for the autologon account](#config-for-autologon-account) | Windows 10, version 1809
**Important:** To use features released in Windows 10, version 1809, make sure that [your XML file](#create-xml-file) references `https://schemas.microsoft.com/AssignedAccess/201810/config`. |
->[!WARNING]
->The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
+> [!WARNING]
+> The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision).
->[!TIP]
->Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
+> [!TIP]
+> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
@@ -62,7 +55,7 @@ Process:
Watch how to use a provisioning package to configure a multi-app kiosk.
->[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]
If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#use-mdm-to-deploy-the-multi-app-configuration), or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md).
@@ -71,8 +64,8 @@ If you don't want to use a provisioning package, you can deploy the configuratio
- Windows Configuration Designer (Windows 10, version 1709 or later)
- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 or later
->[!NOTE]
->For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk.
+> [!NOTE]
+> For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk.
### Create XML file
@@ -198,7 +191,7 @@ Starting in Windows 10 version 1809, you can explicitly allow some known folders
The following example shows how to allow user access to the Downloads folder in the common file dialog box.
->[!TIP]
+> [!TIP]
> To grant access to the Downloads folder through File Explorer, add "Explorer.exe" to the list of allowed apps, and pin a file explorer shortcut to the kiosk start menu.
```xml
@@ -278,8 +271,8 @@ The following example pins Groove Music, Movies & TV, Photos, Weather, Calculato
```
->[!NOTE]
->If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen.
+> [!NOTE]
+> If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen.
@@ -299,8 +292,8 @@ The following example hides the taskbar:
+- [Overview of Windows 11](/windows/whats-new/windows-11).
+- [Plan for Windows 11](/windows/whats-new/windows-11-plan).
+- [Prepare for Windows 11](/windows/whats-new/windows-11-prepare).
+- [Windows ADK for Windows 11](/windows-hardware/get-started/adk-install) is available.
## Deployment tools
-[SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later, and Windows 11.
-New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).
-VPN support is added to [Windows Autopilot](#windows-autopilot)
-An in-place upgrade wizard is available in [Configuration Manager](#microsoft-configuration-manager).
-The Windows 10 deployment and update [landing page](index.yml) has been redesigned, with more content added and more content coming soon.
+- [SetupDiag](#setupdiag) is included with all currently supported versions of Windows.
+- New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).
+- VPN support is added to [Windows Autopilot](#windows-autopilot).
+- An in-place upgrade wizard is available in [Configuration Manager](#microsoft-configuration-manager).
## The Modern Desktop Deployment Center
-The [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home) has launched with tons of content to help you with large-scale deployment of Windows 10 and Microsoft 365 Apps for enterprise.
+The [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home) has content to help you with large-scale deployment of supported version of Windows and Microsoft 365 Apps for enterprise.
## Microsoft 365
-Microsoft 365 is a new offering from Microsoft that combines
+Microsoft 365 is a new offering from Microsoft that combines:
-- Windows 10
-- Office 365
+- A currently supported version of Windows.
+- Office 365.
- Enterprise Mobility and Security (EMS).
-See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, which now includes a link to download a nifty [Microsoft 365 Enterprise poster](deploy-m365.md#microsoft-365-enterprise-poster).
+See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, which now includes a link to download a [Microsoft 365 Enterprise poster](deploy-m365.md#microsoft-365-enterprise-poster).
-## Windows 10 servicing and support
+## Windows servicing and support
### Delivery Optimization
-Windows PowerShell cmdlets for Delivery Optimization have been improved:
+Windows PowerShell cmdlets for Delivery Optimization is improved:
-- **Get-DeliveryOptimizationStatus** has added the **-PeerInfo** option for a real-time peek behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent).
+- **Get-DeliveryOptimizationStatus** has the **-PeerInfo** option for a real-time peek behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent).
- **Get-DeliveryOptimizationLogAnalysis** is a new cmdlet that provides a summary of the activity in your DO log (# of downloads, downloads from peers, overall peer efficiency). Use the **-ListConnections** option to for in-depth look at peer-to-peer connections.
- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to help in troubleshooting.
@@ -79,29 +75,36 @@ Other improvements in [Delivery Optimization](./do/waas-delivery-optimization.md
The following Delivery Optimization policies are removed in the Windows 10, version 2004 release:
-- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth)
- - Reason: Replaced with separate policies for foreground and background
-- Max Upload Bandwidth (DOMaxUploadBandwidth)
+- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth).
+ - Reason: Replaced with separate policies for foreground and background.
+- Max Upload Bandwidth (DOMaxUploadBandwidth).
- Reason: impacts uploads to internet peers only, which isn't used in enterprises.
-- Absolute max throttle (DOMaxDownloadBandwidth)
- - Reason: separated to foreground and background
+- Absolute max throttle (DOMaxDownloadBandwidth).
+ - Reason: separated to foreground and background.
### Windows Update for Business
[Windows Update for Business](./update/waas-manage-updates-wufb.md) enhancements in this release include:
-- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
-- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we've created a new policy that enables admins to opt devices out of the built-in safeguard holds.
+- **Intune console updates**: target version is now available allowing you to specify which supported version of Windows you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
+
+- **Validation improvements**: To ensure devices and end users stay productive and protected, Microsoft blocks devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, a new policy is available that enables admins to opt devices out of the built-in safeguard holds.
+
+- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows automatically signs in as the user and locks their device in order to complete the update. This automatic sign-on ensures that when the user returns and unlocks the device, the update is completed.
+
+- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There's now a single, common start date for phased deployments (no more SAC-T designation). In addition, there's a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
-- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically sign in as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
-- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
-- **Pause updates**: We've extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you'll need to update your device before pausing again.
-- **Improved update notifications**: When there's an update requiring you to restart your device, you'll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar.
-- **Intelligent active hours**: To further enhance active hours, users now can let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
-- **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
-Microsoft previously announced that we're [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. These editions include all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Microsoft 365 Apps for enterprise will continue to be supported for 18 months (there's no change for these editions). These support policies are summarized in the table below.
+- **Pause updates**: The ability to pause updates for both feature and monthly updates is extended. This extension ability is for all currently supported editions of Windows, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, the device needs to update before pausing again.
+
+- **Improved update notifications**: When there's an update requiring you to restart your device, a colored dot appears on the Power button in the Start menu and on the Windows icon in the taskbar.
+
+- **Intelligent active hours**: To further enhance active hours, users now can let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
+
+- **Improved update orchestration to improve system responsiveness**: This feature improves system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
+
+Microsoft previously announced that we're [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. These editions include all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Microsoft 365 Apps for enterprise will continue to be supported for 18 months (there's no change for these editions). These support policies are summarized in the following table:
@@ -111,7 +114,7 @@ Windows 10 version 1703 includes a Windows 10 Enterprise E3 and E5 benefit to Mi
Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. With Windows 10 Enterprise E3 in CSP, small and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features.
-For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md)
+For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
## Deployment solutions and tools
@@ -119,17 +122,17 @@ For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterpris
[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose, and recover devices.
-With the release of Windows 10, version 2004 you can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903.
+With the release of Windows 10, version 2004 you can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Microsoft Entra hybrid join with VPN support.
-If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, these language settings were only supported with self-deploying profiles.
+If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios now skip the language, locale, and keyboard pages. In previous versions, these language settings were only supported with self-deploying profiles.
The following Windows Autopilot features are available in Windows 10, version 1903 and later:
-- [Windows Autopilot for white glove deployment](/windows/deployment/windows-autopilot/white-glove) is new in Windows 10, version 1903. "White glove" deployment enables partners or IT staff to pre-provision devices so they're fully configured and business ready for your users.
+- [Windows Autopilot for pre-provisioned deployment](/autopilot/pre-provision) is new in Windows 10, version 1903. Pre-provisioned deployment enables partners or IT staff to pre-provision devices so they're fully configured and business ready for your users.
- The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions.
- [Cortana voiceover](/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
-- Windows Autopilot is self-updating during OOBE. From Windows 10 onward, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
-- Windows Autopilot will set the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
+- Windows Autopilot is self-updating during OOBE. From Windows 10 onward, version 1903 Autopilot functional and critical updates begin downloading automatically during OOBE.
+- Windows Autopilot sets the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
### Microsoft Configuration Manager
@@ -137,25 +140,21 @@ An in-place upgrade wizard is available in Configuration Manager. For more infor
### Windows 10 Subscription Activation
-Windows 10 Education support has been added to Windows 10 Subscription Activation.
+Windows 10 Education support is added to Windows 10 Subscription Activation.
With Windows 10, version 1903, you can step up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions - Windows 10 Education. For more information, see [Windows 10 Subscription Activation](./windows-10-subscription-activation.md).
### SetupDiag
-[SetupDiag](upgrade/setupdiag.md) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues.
+[SetupDiag](upgrade/setupdiag.md) is a command-line tool that can help diagnose why an update of Windows failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues.
-In Windows 10, version 2004, SetupDiag is now automatically installed.
-
-During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%\$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, Windows Setup now also installs SetupDiag.exe to this directory. If there's an issue with the upgrade, SetupDiag is automatically run to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under %SystemDrive%\Windows.Old for cleanup.
+During the upgrade process, Windows Setup extracts all its sources files to the `%SystemDrive%\$Windows.~bt\Sources` directory. **SetupDiag.exe** is also installed to this directory. If there's an issue with the upgrade, SetupDiag automatically runs to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under `%SystemDrive%\Windows.Old` for cleanup.
### Upgrade Readiness
-The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
+Upgrade Readiness helps you ensure that applications and drivers are ready for an upgrade of Windows. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details.
-Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details.
-
-The development of Upgrade Readiness has been heavily influenced by input from the community; the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
+Input from the community heavily influenced the development of Upgrade Readiness and the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
For more information about Upgrade Readiness, see the following articles:
@@ -164,7 +163,7 @@ For more information about Upgrade Readiness, see the following articles:
### Update Compliance
-Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date.
+Update Compliance helps you to keep supported Windows devices in your organization secure and up-to-date.
Update Compliance is a solution built using OMS Logs and Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
@@ -172,31 +171,35 @@ For more information about Update Compliance, see [Monitor Windows Updates with
### Device Health
-Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by helping to identify devices crashes and the cause. Device drivers that are causing crashes are identified along with alternative drivers that might reduce the number of crashes. Windows Information Protection misconfigurations are also identified. For more information, see [Monitor the health of devices with Device Health](/mem/configmgr/desktop-analytics/overview)
+Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by helping to identify devices crashes and the cause. Device drivers that are causing crashes are identified along with alternative drivers that might reduce the number of crashes. Windows Information Protection misconfigurations are also identified. For more information, see [Monitor the health of devices with Device Health](/mem/configmgr/desktop-analytics/overview).
### MBR2GPT
MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT.
-There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of Windows 10 that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
+There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of supported versions of Windows that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
For more information, see [MBR2GPT.EXE](mbr-to-gpt.md).
### Microsoft Deployment Toolkit (MDT)
-MDT version 8456 supports Windows 10, version 2004 and earlier operating systems, including Windows Server 2019. There's currently an issue that causes MDT to incorrectly detect that UEFI is present in Windows 10, version 2004. This issue is currently under investigation.
+MDT version 8456 supports Windows 10, version 2004 and earlier operating systems, including Windows Server 2019.
For the latest information about MDT, see the [MDT release notes](/mem/configmgr/mdt/release-notes).
+> [!IMPORTANT]
+>
+> MDT doesn't support versions of Windows after Windows 10 and Windows Server 2019.
+
### Windows Assessment and Deployment Kit (ADK)
-The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows.
+IT Pros can use the tools in the Windows Assessment and Deployment Kit (Windows ADK) to deploy Windows.
Download the Windows ADK and Windows PE add-on for Windows 11 [here](/windows-hardware/get-started/adk-install).
For information about what's new in the ADK, see [What's new in the Windows ADK](/windows-hardware/get-started/what-s-new-in-kits-and-tools).
-Also see [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
+Also see [Windows ADK for Windows scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
## Testing and validation guidance
@@ -206,19 +209,19 @@ The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual
For more information, see the following guides:
-- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
-- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
-- [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md)
+- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md).
+- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md).
+- [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md).
## Troubleshooting guidance
-[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) was published in October of 2016 and will continue to be updated with new fixes. The article provides a detailed explanation of the Windows 10 upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process.
+[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) was published in October of 2016 and continues to be updated with new fixes. The article provides a detailed explanation of the Windows upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process.
## Related articles
-[Overview of Windows as a service](update/waas-overview.md)
-[Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md)
-[Windows 10 release information](/windows/windows-10/release-information)
-[Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications)
-[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
-[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
+- [Overview of Windows as a service](update/waas-overview.md).
+- [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md).
+- [Windows 10 release information](/windows/windows-10/release-information).
+- [Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications).
+- [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md).
+- [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md).
diff --git a/windows/deployment/do/images/assigning-ip-2.png b/windows/deployment/do/images/assigning-ip-2.png
new file mode 100644
index 0000000000..4403b7e68b
Binary files /dev/null and b/windows/deployment/do/images/assigning-ip-2.png differ
diff --git a/windows/deployment/do/images/external-switch-1.jpg b/windows/deployment/do/images/external-switch-1.jpg
new file mode 100644
index 0000000000..7248d30ebe
Binary files /dev/null and b/windows/deployment/do/images/external-switch-1.jpg differ
diff --git a/windows/deployment/do/images/installation-complete-7.png b/windows/deployment/do/images/installation-complete-7.png
new file mode 100644
index 0000000000..8b1517348a
Binary files /dev/null and b/windows/deployment/do/images/installation-complete-7.png differ
diff --git a/windows/deployment/do/images/installation-info-4.png b/windows/deployment/do/images/installation-info-4.png
new file mode 100644
index 0000000000..41c2121e72
Binary files /dev/null and b/windows/deployment/do/images/installation-info-4.png differ
diff --git a/windows/deployment/do/images/memory-storage-5.png b/windows/deployment/do/images/memory-storage-5.png
new file mode 100644
index 0000000000..8e5b56f5c2
Binary files /dev/null and b/windows/deployment/do/images/memory-storage-5.png differ
diff --git a/windows/deployment/do/images/portal-installation-instructions-6.png b/windows/deployment/do/images/portal-installation-instructions-6.png
new file mode 100644
index 0000000000..201a1aa1d6
Binary files /dev/null and b/windows/deployment/do/images/portal-installation-instructions-6.png differ
diff --git a/windows/deployment/do/images/use-custom-dns-3.png b/windows/deployment/do/images/use-custom-dns-3.png
new file mode 100644
index 0000000000..90ef151c05
Binary files /dev/null and b/windows/deployment/do/images/use-custom-dns-3.png differ
diff --git a/windows/deployment/do/mcc-enterprise-deploy.md b/windows/deployment/do/mcc-enterprise-deploy.md
index 10f5b9cddf..65d63be915 100644
--- a/windows/deployment/do/mcc-enterprise-deploy.md
+++ b/windows/deployment/do/mcc-enterprise-deploy.md
@@ -13,7 +13,7 @@ appliesto:
- ✅ Windows 11
- ✅ Windows 10
- ✅ Microsoft Connected Cache for Enterprise and Education
-ms.date: 03/10/2023
+ms.date: 11/09/2023
---
# Deploy your cache node
@@ -29,7 +29,7 @@ To deploy MCC to your server:
1. [Create an MCC Node](#create-an-mcc-node-in-azure)
1. [Edit Cache Node Information](#edit-cache-node-information)
1. [Install MCC on a physical server or VM](#install-mcc-on-windows)
-1. [Verify proper functioning MCC server](#verify-proper-functioning-mcc-server)
+1. [Verify MCC functionality](#verify-mcc-server-functionality)
1. [Review common Issues](#common-issues) if needed.
For questions regarding these instructions contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com)
@@ -194,12 +194,15 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p
>
> [D] Do not run **[R] Run once** [S] Suspend [?] Help (default is "D"):
-1. Choose whether you would like to create a new virtual switch or select an existing one. Name your switch and select the Net Adapter to use for the switch. A computer restart will be required if you're creating a new switch.
+1. Choose whether you would like to create a new external virtual switch or select an existing external virtual switch.
+ If creating a new external virtual switch, name your switch and be sure to choose a Local Area Connection (USB adapters work as well however, we do not recommend using Wi-Fi). A computer restart will be required if you're creating a new switch.
> [!NOTE]
> Restarting your computer after creating a switch is recommended. You'll notice network delays during installation if the computer has not been restarted.
- If you restarted your computer after creating a switch, start from Step 2 above and skip step 5.
+ If you restarted your computer after creating a switch, start from step 2 above and skip to step 5.
+
+ If you opt to use an existing external switch, select the switch from the presented options. Local Area Connection (or USB) is preferable to Wi-Fi.
:::image type="content" source="./images/ent-mcc-script-new-switch.png" alt-text="Screenshot of the installer script running in PowerShell when a new switch is created." lightbox="./images/ent-mcc-script-new-switch.png":::
@@ -207,34 +210,46 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p
:::image type="content" source="./images/ent-mcc-script-existing-switch.png" alt-text="Screenshot of the installer script running in PowerShell when using an existing switch." lightbox="./images/ent-mcc-script-existing-switch.png":::
-1. Decide whether you would like to use dynamic or static address for the Eflow VM
+1. Decide whether you would like to use dynamic or static address for the Eflow VM. If you choose to use a static IP, do not use the IP address of the server. It is a VM, and it will have its own IP.
:::image type="content" source="./images/ent-mcc-script-dynamic-address.png" alt-text="Screenshot of the installer script running in PowerShell asking if you'd like to use a dynamic address." lightbox="./images/ent-mcc-script-dynamic-address.png":::
> [!NOTE]
> Choosing a dynamic IP address might assign a different IP address when the MCC restarts. A static IP address is recommended so you don't have to change this value in your management solution when MCC restarts.
-1. Choose where you would like to download, install, and store the virtual hard disk for EFLOW. You'll also be asked how much memory, storage, and how many cores you would like to allocate for the VM. For this example, we chose the default values for all prompts.
-
-1. Follow the Azure Device Login link and sign into the Azure portal.
-
- :::image type="content" source="./images/ent-mcc-script-device-code.png" alt-text="Screenshot of the installer script running in PowerShell displaying the code and URL to use for the Azure portal." lightbox="./images/ent-mcc-script-device-code.png":::
-
-1. If this is your first MCC deployment, select **n** so that a new IoT Hub can be created. If you have already configured MCC before, choose **y** so that your MCCs are grouped in the same IoT Hub.
+ The IP address you assign to the EFLOW VM should be within the same subnet as the host server (based on the subnet mask) and not used by any other machine on the network.
+ For example, for host configuration where the server IP Address is 192.168.1.202 and the subnet mask is 255.255.255.0, the static IP can be anything 192.168.1.* except 192.168.1.202.
+
+ :::image type="content" source="./images/external-switch-1.jpg" alt-text="Screenshot of a sample output of ipconfig command showing example of subnet mask." lightbox="./images/external-switch-1.jpg":::
+ :::image type="content" source="./images/assigning-ip-2.png" alt-text="Screenshot of multiple installer questions about ipv4 address for Eflow." lightbox="./images/assigning-ip-2.png":::
+
+ If you would like to use your own DNS server instead of Google DNS 8.8.8.8, select **n** and set your own DNS server IP.
+ :::image type="content" source="./images/use-custom-dns-3.png" alt-text="Screenshot of multiple installer questions about setting an alternate DNS server." lightbox="./images/use-custom-dns-3.png":::
+ If you use a dynamic IP address, the DHCP server will automatically configure the IP address and DNS settings.
+
+1. Choose where you would like to download, install, and store the virtual hard disk for EFLOW. You'll also be asked how much memory, storage, and how many cores you would like to allocate for the VM. For this example, we chose the default values for download path, install path, and virtual hard disk path.
+
+ :::image type="content" source="./images/installation-info-4.png" alt-text="Screenshot of multiple installer questions about memory and storage for EFLOW." lightbox="./images/installation-info-4.png":::
+ For more information, see [Sizing Recommendations](mcc-enterprise-prerequisites.md#sizing-recommendations) for memory, virtual storage, and CPU cores. For this example we chose the recommend values for a Branch Office/Small Enterprise deployment.
+
+ :::image type="content" source="./images/memory-storage-5.png" alt-text="Screenshot of multiple installer questions about memory and storage." lightbox="./images/memory-storage-5.png":::
+
+1. When the installation is complete, you should see the following output (the values below will be your own)
:::image type="content" source="./images/ent-mcc-script-complete.png" alt-text="Screenshot of the installer script displaying the completion summary in PowerShell." lightbox="./images/ent-mcc-script-complete.png":::
-
+
+ :::image type="content" source="./images/installation-complete-7.png" alt-text="Screenshot of expected output when installation is complete." lightbox="./images/installation-complete-7.png":::
1. Your MCC deployment is now complete.
+ If you don't see any errors, continue to the next section to validate your MCC deployment. Your VM will not appear in Hyper-V Manager as it is an EFLOW VM.
+ - After validating your MCC is properly functional, review your management solution documentation, such as [Intune](/mem/intune/configuration/delivery-optimization-windows), to set the cache host policy to the IP address of your MCC.
+ - If you had errors during your deployment, see the [Common Issues](#common-issues) section in this article.
- 1. If you don't see any errors, continue to the next section to validate your MCC deployment. Your VM will not appear in Hyper-V Manager as it is an EFLOW VM.
- 1. After validating your MCC is properly functional, review your management solution documentation, such as [Intune](/mem/intune/configuration/delivery-optimization-windows), to set the cache host policy to the IP address of your MCC.
- 1. If you had errors during your deployment, see the [Common Issues](#common-issues) section in this article.
-
-## Verify proper functioning MCC server
+## Verify MCC server functionality
#### Verify client side
@@ -251,14 +266,20 @@ Connect to the EFLOW VM and check if MCC is properly running:
:::image type="content" source="./images/ent-mcc-connect-eflowvm.png" alt-text="Screenshot of running connect-EflowVm, sudo -s, and iotedge list from PowerShell." lightbox="./images/ent-mcc-connect-eflowvm.png":::
-You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not MCC, try this command in a few minutes. The MCC container can take a few minutes to deploy.
+You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not MCC, try this command in a few minutes. The MCC container can take a few minutes to deploy. If iotedge list times out, you can run docker ps -a to list the running containers.
+If the 3 containers are still not running, run the following commands to check if DNS resolution is working correctly:
+```bash
+ping www.microsoft.com
+resolvectl query microsoft.com
+```
+See the [common issues](#common-issues) section for more information.
#### Verify server side
-For a validation of properly functioning MCC, execute the following command in the EFLOW VM or any device in the network. Replace
**Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new ESP is created by shrinking the OS partition.|
+|**/allowFullOS**| By default, `MBR2GPT.exe` can only run from Windows PE and is blocked from running in full Windows. This option overrides this block and enables disk conversion while running in the full Windows environment.
**Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new EFI system partition is created by shrinking the OS partition.|
## Examples
@@ -83,7 +82,7 @@ If any of these checks fails, the conversion won't proceed, and an error will be
In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location of **`%windir%`**.
```cmd
-X:\>mbr2gpt.exe /validate /disk:0
+X:\> mbr2gpt.exe /validate /disk:0
MBR2GPT: Attempting to validate disk 0
MBR2GPT: Retrieving layout of disk
MBR2GPT: Validating layout, disk sector size is: 512
@@ -94,19 +93,24 @@ MBR2GPT: Validation completed successfully
In the following example:
-1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0.
+1. The current disk partition layout is displayed prior to conversion using DiskPart - three partitions are present on the MBR disk (disk 0):
-2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](/windows/win32/fileio/disk-partition-types) is **07** corresponding to the installable file system (IFS) type.
+ - A system reserved partition.
+ - A Windows partition.
+ - A recovery partition.
+ - A DVD-ROM is also present as volume 0.
-3. The MBR2GPT tool is used to convert disk 0.
+1. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](/windows/win32/fileio/disk-partition-types) is **07** corresponding to the installable file system (IFS) type.
-4. The DiskPart tool displays that disk 0 is now using the GPT format.
+1. The MBR2GPT tool is used to convert disk 0.
-5. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
+1. The DiskPart tool displays that disk 0 is now using the GPT format.
-6. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
+1. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
-As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly.
+1. The OS volume is selected again. The detail displays that the OS volume is converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
+
+As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition boots properly.
[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
-
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md
index 89a981ff58..f5f57bd6c5 100644
--- a/windows/deployment/update/create-deployment-plan.md
+++ b/windows/deployment/update/create-deployment-plan.md
@@ -18,9 +18,9 @@ ms.date: 12/31/2017
# Create a deployment plan
-A "service management" mindset means that the devices in your organization fall into a continuum, with the software update process being constantly planned, deployed, monitored, and optimized. And once you use this process for feature updates, quality updates become a lightweight procedure that is simple and fast to execute, ultimately increasing velocity.
+A "service management" mindset means that the devices in your organization fall into a continuum, with the software update process being constantly planned, deployed, monitored, and optimized. Once you use this process for feature updates, quality updates become a lightweight procedure that is simple and fast to execute, ultimately increasing velocity.
-When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices. We've found that a ring-based deployment works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades. They're simply a method to separate devices into a deployment timeline.
+When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices. We've found that a ring-based deployment works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows clients are similar to the deployment groups most organizations constructed for previous major revision upgrades. They're simply a method to separate devices into a deployment timeline.
At the highest level, each ring comprises a group of users or devices that receive a particular update concurrently. For each ring, IT administrators set criteria to control deferral time or adoption (completion) that should be met before deployment to the next broader ring of devices or users can occur.
@@ -43,10 +43,10 @@ There are no definite rules for exactly how many rings to have for your deployme
## Advancing between rings
-There are basically two strategies for moving deployments from one ring to the next. One is service-based, the other project based.
+There are basically two strategies for moving deployments from one ring to the next. One is service-based, the other project-based.
-- "Red button" (service based): Assumes that content is good until proven bad. Content flows until an issue is discovered, at which point the IT administrator presses the "red button" to stop further distribution.
-- Green button (project based): Assumes that content is bad until proven good. Once all validation has passed, the IT administrator presses the "green button" to push the content to the next ring.
+- "Red button" (service-based): Assumes that content is good until proven bad. Content flows until an issue is discovered, at which point the IT administrator presses the "red button" to stop further distribution.
+- "Green button" (project-based): Assumes that content is bad until proven good. Once all validation has passed, the IT administrator presses the "green button" to push the content to the next ring.
When it comes to deployments, having manual steps in the process usually impedes update velocity. A "red button" strategy is better when that is your goal.
@@ -60,9 +60,9 @@ The purpose of the Preview ring is to evaluate the new features of the update. I
### Who goes in the Preview ring?
-The Preview ring users are the most tech savvy and resilient people, who won't lose productivity if something goes wrong. In general, these users are IT pros, and perhaps a few people in the business organization.
+The Preview ring users are the most tech-savvy and resilient people, who won't lose productivity if something goes wrong. In general, these users are IT pros, and perhaps a few people in the business organization.
-During your plan and prepare phases, you should focus on the following activities:
+During your plan and preparation phases, you should focus on the following activities:
- Work with Windows Insider Preview builds.
- Identify the features and functionality your organization can or wants to use.
@@ -87,7 +87,7 @@ Analytics can help with defining a good Limited ring of representative devices a
The most important part of this phase is finding a representative sample of devices and applications across your network. If possible, all hardware and all applications should be represented. It's important that the people selected for this ring are using their devices regularly to generate the data you'll need to make a decision for broader deployment across your organization. The IT department, lab devices, and users with the most cutting-edge hardware usually don't have the applications or device drivers that are truly a representative sample of your network.
-During your pilot and validate phases, you should focus on the following activities:
+During your pilot and validation phases, you should focus on the following activities:
- Deploy new innovations.
- Assess and act if issues are encountered.
@@ -104,7 +104,7 @@ Once the devices in the Limited ring have had a sufficient stabilization period,
In most businesses, the Broad ring includes the rest of your organization. Because of the work in the previous ring to vet stability and minimize disruption (with diagnostic data to support your decision), a broad deployment can occur relatively quickly.
> [!NOTE]
-> In some instances, you might hold back on mission-critical devices (such as medical devices) until deployment in the Broad ring is complete. Get best practices and recommendations for deploying Windows client feature updates to mission critical-devices.
+> In some instances, you might hold back on mission-critical devices (such as medical devices) until deployment in the Broad ring is complete. Get best practices and recommendations for deploying Windows client feature updates to mission-critical devices.
During the broad deployment phase, you should focus on the following activities:
diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md
index 58d36aae43..b3fa2680c5 100644
--- a/windows/deployment/update/deployment-service-overview.md
+++ b/windows/deployment/update/deployment-service-overview.md
@@ -27,7 +27,7 @@ Windows Update for Business product family has three elements:
- [Windows Update for Business reports](wufb-reports-overview.md) to monitor update deployment
- Deployment service APIs to approve and schedule specific updates for deployment, which are available through the Microsoft Graph and associated SDKs (including PowerShell)
-The deployment service complements existing Windows Update for Business capabilities, including existing device policies and the[Windows Update for Business reports workbook](wufb-reports-workbook.md).
+The deployment service complements existing Windows Update for Business capabilities, including existing device policies and the [Windows Update for Business reports workbook](wufb-reports-workbook.md).
:::image type="content" source="media/7512398-deployment-service-overview.png" alt-text="Diagram displaying the three elements that are parts of the Windows Update for Business family.":::
diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md
index 6a83bab027..9352455d20 100644
--- a/windows/deployment/update/eval-infra-tools.md
+++ b/windows/deployment/update/eval-infra-tools.md
@@ -11,22 +11,22 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 12/31/2017
+ms.date: 10/31/2023
---
# Evaluate infrastructure and tools
-Before you deploy an update, it's best to assess your deployment infrastructure (that is, tools such as Configuration Manager, Microsoft Intune, or similar) and current configurations (such as security baselines, administrative templates, and policies that affect updates). Then, set some criteria to define your operational readiness.
+Before you deploy an update, assess your deployment infrastructure. For example, management systems like Configuration Manager, Microsoft Intune, or similar. Also assess current configurations such as security baselines, administrative templates, and policies that affect updates. Then set some criteria to define your operational readiness.
## Infrastructure
Do your deployment tools need updates?
-- If you use Configuration Manager, is it on the Current Branch with the latest release installed.? Being on this branch ensures that it supports the next Windows client feature update. Configuration Manager releases are supported for 18 months.
+- If you use Configuration Manager, is it on the current branch with the latest release installed? Being on this branch ensures that it supports the next Windows client feature update. Configuration Manager releases are supported for 18 months.
- Using a cloud-based management tool like Microsoft Intune reduces support challenges, since no related products need to be updated.
- If you use a non-Microsoft tool, check with its product support to make sure you're using the current version and that it supports the next Windows client feature update.
-Rely on your experiences and data from previous deployments to help you judge how long infrastructure changes take and identify any problems you've encountered while doing so.
+Rely on your experiences and data from previous deployments to help you judge how long infrastructure changes take and identify any problems you've encountered.
## Device settings
@@ -36,35 +36,35 @@ Make sure your security baseline, administrative templates, and policies have th
Keep security baselines current to help ensure that your environment is secure and that new security feature in the coming Windows client update are set properly.
-- **Microsoft security baselines**: You should implement security baselines from Microsoft. They are included in the [Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319), along with tools for managing them.
-- **Industry- or region-specific baselines**: Your specific industry or region might have particular baselines that you must follow per regulations. Ensure that any new baselines support the version of Windows client you are about to deploy.
+- **Microsoft security baselines**: You should implement security baselines from Microsoft. They're included in the [Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319), along with tools for managing them.
+- **Industry- or region-specific baselines**: Your specific industry or region might have particular baselines that you must follow per regulations. Ensure that any new baselines support the version of Windows client you're about to deploy.
### Configuration updates
-There are a number of Windows policies (set by Group Policy, Intune, or other methods) that affect when Windows updates are installed, deferral, end-user experience, and many other aspects. Check these policies to make sure they are set appropriately.
+There are several Windows policies that affect when Windows updates are installed, deferral, end-user experience, and many other aspects. For example, policies set by group policy, Intune, or other methods. Check these policies to make sure they're set appropriately.
-- **Windows Administrative templates**: Each Windows client feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 11, version 22H2](https://www.microsoft.com/download/details.aspx?id=104593).
-- **Policies for update compliance and end-user experience**: A number of settings affect when a device installs updates, whether and for how long a user can defer an update, restart behavior after installation, and many other aspects of update behavior. It's especially important to look for existing policies that are out of date or could conflict with new ones.
+- **Windows Administrative templates**: Each Windows client feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 11, version 23H2](https://www.microsoft.com/download/details.aspx?id=105667).
+- **Policies for update compliance and end-user experience**: Several settings affect when a device installs updates, whether and for how long a user can defer an update, restart behavior after installation, and many other aspects of update behavior. It's especially important to look for existing policies that are out of date or could conflict with new ones.
## Define operational readiness criteria
-When you’ve deployed an update, you’ll need to make sure the update isn’t introducing new operational issues. And you’ll also ensure that if incidents arise, the needed documentation and processes are available. Work with your operations and support team to define acceptable trends and what documents or processes require updating:
+When you deploy an update, you need to make sure the update isn't introducing new operational issues. If incidents arise, make sure the needed documentation and processes are available. Work with your operations and support team to define acceptable trends and what documents or processes require updating:
- **Call trend**: Define what percentage increase in calls relating to Windows client feature updates are acceptable or can be supported.
- **Incident trend**: Define what percentage of increase in calls asking for support relating to Windows client feature updates are acceptable or can be supported.
- **Support documentation**: Review supporting documentation that requires an update to support new infrastructure tooling or configuration as part of the Windows client feature update.
-- **Process changes:** Define and update any processes that will change as a result of the Windows 10 feature update.
+- **Process changes:** Define and update any processes that will change as a result of the Windows feature update.
-Your operations and support staff can help you determine if the appropriate information is being tracked at the moment. If it isn't, work out how to get this information so you can gain the right insight.
+Your operations and support staff can help you determine if the appropriate information is being tracked at the moment. If it isn't, work out how to get this information so you can gain the right insight.
## Tasks
Finally, you can begin to carry out the work needed to ensure your infrastructure and configuration can support the update. To help you keep track, you can classify the work into the following overarching tasks:
-- **Review infrastructure requirements**: Go over the details of requirements to support the update, and ensure they’ve all been defined.
-- **Validate infrastructure against requirements**: Compare your infrastructure against the requirements that have been identified for the update.
+- **Review infrastructure requirements**: Go over the details of requirements to support the update, and ensure they've all been defined.
+- **Validate infrastructure against requirements**: Compare your infrastructure against the requirements that you identified for the update.
- **Define infrastructure update plan**: Detail how your infrastructure must change to support the update.
-- **Review current support volume**: Understand the current support volume to understand how much of an effect the update has when it’s been deployed.
-- **Identify gaps that require attention**: Identify issues that will need to be addressed to successfully deploy the update. For example, will your infrastructure engineer have to research how a new feature that comes with the update might affect the infrastructure?
+- **Review current support volume**: Understand the current support volume to understand how much of an effect the update has when you deploy it.
+- **Identify gaps that require attention**: Identify issues that you'll need to address to successfully deploy the update. For example, will your infrastructure engineer have to research how a new feature that comes with the update might affect the infrastructure?
- **Define operational update plan**: Detail how your operational services and processes must change to support the update.
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index e2f3ab0e3c..baae39d605 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -12,7 +12,8 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 07/17/2023
+- ✅ Windows Server
+ms.date: 12/05/2023
---
# Update Windows installation media with Dynamic Update
@@ -83,24 +84,24 @@ Properly updating the installation media involves a large number of actions oper
This table shows the correct sequence for applying the various tasks to the files. For example, the full sequence starts with adding the servicing stack update to WinRE (1) and concludes with adding boot manager from WinPE to the new media (28).
-|Task |WinRE (winre.wim) |WinPE (boot.wim) |Operating system (install.wim) | New media |
-|-----------------------------------|-------------------|------------------|--------------------------------|-----------|
-|Add servicing stack Dynamic Update | 1 | 9 | 18 | |
-|Add language pack | 2 | 10 | 19 | |
-|Add localized optional packages | 3 | 11 | | |
-|Add font support | 4 | 12 | | |
-|Add text-to-speech | 5 | 13 | | |
-|Update Lang.ini | | 14 | | |
-|Add Features on Demand | | | 20 | |
-|Add Safe OS Dynamic Update | 6 | | | |
-|Add Setup Dynamic Update | | | | 26 |
-|Add setup.exe from WinPE | | | | 27 |
-|Add boot manager from WinPE | | | | 28 |
-|Add latest cumulative update | | 15 | 21 | |
-|Clean up the image | 7 | 16 | 22 | |
-|Add Optional Components | | | 23 | |
-|Add .NET and .NET cumulative updates | | | 24 | |
-|Export image | 8 | 17 | 25 | |
+|Task |WinRE (winre.wim) |Operating system (install.wim) | WinPE (boot.wim) | New media |
+|-----------------------------------|-------------------|--------------------------------|------------------|-----------|
+|Add servicing stack Dynamic Update | 1 | 9 | 17 | |
+|Add language pack | 2 | 10 | 18 | |
+|Add localized optional packages | 3 | | 19 | |
+|Add font support | 4 | | 20 | |
+|Add text-to-speech | 5 | | 21 | |
+|Update Lang.ini | | | 22 | |
+|Add Features on Demand | | 11 | | |
+|Add Safe OS Dynamic Update | 6 | | | |
+|Add Setup Dynamic Update | | | | 26 |
+|Add setup.exe from WinPE | | | | 27 |
+|Add boot manager from WinPE | | | | 28 |
+|Add latest cumulative update | | 12 | 23 | |
+|Clean up the image | 7 | 13 | 24 | |
+|Add Optional Components | | 14 | | |
+|Add .NET and .NET cumulative updates | | 15 | | |
+|Export image | 8 | 16 | 25 | |
> [!NOTE]
> Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md).
@@ -110,13 +111,13 @@ This table shows the correct sequence for applying the various tasks to the file
### Multiple Windows editions
-The main operating system file (install.wim) contains multiple editions of Windows. It's possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last.
+The main operating system file (install.wim) might contain multiple editions of Windows. It's possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last.
### Additional languages and features
-You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what is in your starting image. To do this, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image.
+You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what's in your starting image. When you add more languages and features, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image.
-Optional Components, along with the .NET feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid this. One option is to skip the image cleanup step, though that results in a larger install.wim. Another option is to install the .NET and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you'll have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
+Optional Components, along with the .NET feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid the cleanup failure. One option is to skip the image cleanup step, though that results in a larger install.wim. Another option is to install the .NET and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you'll have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
## Windows PowerShell scripts to apply Dynamic Updates to an existing image
@@ -130,7 +131,7 @@ These examples are for illustration only, and therefore lack error handling. The
### Get started
-The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there's a script error and it's necessary to start over from a known state. Also, it will provide a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they aren't read-only.
+The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there's a script error and it's necessary to start over from a known state. Also, it provides a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they aren't read-only.
```powershell
#Requires -RunAsAdministrator
@@ -194,128 +195,231 @@ Copy-Item -Path $MEDIA_OLD_PATH"\*" -Destination $MEDIA_NEW_PATH -Force -Recurse
Get-ChildItem -Path $MEDIA_NEW_PATH -Recurse | Where-Object { -not $_.PSIsContainer -and $_.IsReadOnly } | ForEach-Object { $_.IsReadOnly = $false }
```
-### Update WinRE
+### Update WinRE and each main OS Windows edition
-The script assumes that only a single edition is being updated, indicated by Index = 1 (Windows 10 Education Edition). Then the script mounts the image, saves Winre.wim to the working folder, and mounts it. It then applies servicing stack Dynamic Update, since its components are used for updating other components. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package.
+The script will update each edition of Windows within the main operating system file (install.wim). For each edition, the main OS image is mounted.
-It finishes by cleaning and exporting the image to reduce the image size.
+For the first image, Winre.wim is copied to the working folder, and mounted. It then applies servicing stack Dynamic Update, since its components are used for updating other components. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package. It finishes by cleaning and exporting the image to reduce the image size.
+
+Next, for the mounted OS image, the script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it uses `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod). Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image. You can install Optional Components, along with the .NET feature, offline, but that requires the device to be restarted. This is why the script installs .NET and Optional Components after cleanup and before export.
+
+This process is repeated for each edition of Windows within the main operating system file. To reduce size, the serviced Winre.wim file from the first image is saved, and used to update each subsequent Windows edition. This reduces the final size of install.wim.
```powershell
-# Mount the main operating system, used throughout the script
-Write-Output "$(Get-TS): Mounting main OS"
-Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
-
#
-# update Windows Recovery Environment (WinRE)
+# Update each main OS Windows image including the Windows Recovery Environment (WinRE)
#
-Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destination $WORKING_PATH"\winre.wim" -Force -ErrorAction stop | Out-Null
-Write-Output "$(Get-TS): Mounting WinRE"
-Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
-# Add servicing stack update (Step 1 from the table)
+# Get the list of images contained within WinPE
+$WINOS_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim"
-# Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
-# The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined
-# cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and
-# Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published separately; the combined
-# cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined
-# cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the
-# combined cumulative update can be installed.
+Foreach ($IMAGE in $WINOS_IMAGES) {
-# This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
-# Write-Output "$(Get-TS): Adding package $SSU_PATH"
-# Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
+ # first mount the main OS image
+ Write-Output "$(Get-TS): Mounting main OS, image index $($IMAGE.ImageIndex)"
+ Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index $IMAGE.ImageIndex -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
-# Now, attempt the combined cumulative update.
-# There is a known issue where the servicing stack update is installed, but the cumulative update will fail. This error should
-# be caught and ignored, as the last step will be to apply the Safe OS update and thus the image will be left with the correct
-# packages installed.
+ if ($IMAGE.ImageIndex -eq "1") {
-try
-{
- Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $LCU_PATH | Out-Null
-}
-Catch
-{
- $theError = $_
- Write-Output "$(Get-TS): $theError"
+ #
+ # update Windows Recovery Environment (WinRE) within this OS image
+ #
+ Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destination $WORKING_PATH"\winre.wim" -Force -ErrorAction stop | Out-Null
+ Write-Output "$(Get-TS): Mounting WinRE"
+ Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
+
+ # Add servicing stack update (Step 1 from the table)
+
+ # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
+ # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined
+ # cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and
+ # Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined
+ # cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined
+ # cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the
+ # combined cumulative update can be installed.
+
+ # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
+ # Write-Output "$(Get-TS): Adding package $SSU_PATH"
+ # Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
+
+ # Now, attempt the combined cumulative update.
+ # There is a known issue where the servicing stack update is installed, but the cumulative update will fail. This error should
+ # be caught and ignored, as the last step will be to apply the Safe OS update and thus the image will be left with the correct
+ # packages installed.
+
+ try
+ {
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $LCU_PATH | Out-Null
+ }
+ Catch
+ {
+ $theError = $_
+ Write-Output "$(Get-TS): $theError"
- if ($theError.Exception -like "*0x8007007e*") {
- Write-Output "$(Get-TS): This failure is a known issue with combined cumulative update, we can ignore."
- }
- else {
- throw
- }
-}
-
-# The second approach for Step 1 is for Windows releases that have not adopted the combined cumulative update
-# but instead continue to have a separate servicing stack update published. In this case, we'll install the SSU
-# update. This second approach is commented out below.
-
-# Write-Output "$(Get-TS): Adding package $SSU_PATH"
-# Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
-
-#
-# Optional: Add the language to recovery environment
-#
-# Install lp.cab cab
-Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
-Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
-
-# Install language cabs for each optional package installed
-$WINRE_INSTALLED_OC = Get-WindowsPackage -Path $WINRE_MOUNT
-Foreach ($PACKAGE in $WINRE_INSTALLED_OC) {
-
- if ( ($PACKAGE.PackageState -eq "Installed") `
- -and ($PACKAGE.PackageName.startsWith("WinPE-")) `
- -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) {
-
- $INDEX = $PACKAGE.PackageName.IndexOf("-Package")
- if ($INDEX -ge 0) {
- $OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
- if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
- $OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
- Write-Output "$(Get-TS): Adding package $OC_CAB_PATH"
- Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
+ if ($theError.Exception -like "*0x8007007e*") {
+ Write-Output "$(Get-TS): This failure is a known issue with combined cumulative update, we can ignore."
+ }
+ else {
+ throw
}
}
+
+ # The second approach for Step 1 is for Windows releases that have not adopted the combined cumulative update
+ # but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
+ # update. This second approach is commented out below.
+
+ # Write-Output "$(Get-TS): Adding package $SSU_PATH"
+ # Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
+
+ #
+ # Optional: Add the language to recovery environment
+ #
+ # Install lp.cab cab
+ Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
+
+ # Install language cabs for each optional package installed
+ $WINRE_INSTALLED_OC = Get-WindowsPackage -Path $WINRE_MOUNT
+ Foreach ($PACKAGE in $WINRE_INSTALLED_OC) {
+
+ if ( ($PACKAGE.PackageState -eq "Installed") `
+ -and ($PACKAGE.PackageName.startsWith("WinPE-")) `
+ -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) {
+
+ $INDEX = $PACKAGE.PackageName.IndexOf("-Package")
+ if ($INDEX -ge 0) {
+ $OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
+ if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
+ $OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
+ Write-Output "$(Get-TS): Adding package $OC_CAB_PATH"
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
+ }
+ }
+ }
+ }
+
+ # Add font support for the new language
+ if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
+ Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH"
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
+ }
+
+ # Add TTS support for the new language
+ if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
+ if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
+
+ Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
+
+ Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null
+ }
+ }
+
+ # Add Safe OS
+ Write-Output "$(Get-TS): Adding package $SAFE_OS_DU_PATH"
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SAFE_OS_DU_PATH -ErrorAction stop | Out-Null
+
+ # Perform image cleanup
+ Write-Output "$(Get-TS): Performing image cleanup on WinRE"
+ DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup /ResetBase /Defer | Out-Null
+
+ # Dismount
+ Dismount-WindowsImage -Path $WINRE_MOUNT -Save -ErrorAction stop | Out-Null
+
+ # Export
+ Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\winre.wim"
+ Export-WindowsImage -SourceImagePath $WORKING_PATH"\winre.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\winre2.wim" -ErrorAction stop | Out-Null
+
}
+
+ Copy-Item -Path $WORKING_PATH"\winre2.wim" -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Force -ErrorAction stop | Out-Null
+
+ #
+ # update Main OS
+ #
+
+ # Add servicing stack update (Step 18 from the table)
+
+ # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
+ # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that
+ # includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and Windows 11, version 22H2 are examples. In these
+ # cases, the servicing stack update is not published seperately; the combined cumulative update should be used for this step. However, in hopefully
+ # rare cases, there may breaking change in the combined cumulative update format, that requires a standalone servicing stack update to be published,
+ # and installed first before the combined cumulative update can be installed.
+
+ # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
+ # Write-Output "$(Get-TS): Adding package $SSU_PATH"
+ # Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
+
+ # Now, attempt the combined cumulative update. Unlike WinRE and WinPE, we don't need to check for error 0x8007007e
+ Write-Output "$(Get-TS): Adding package $LCU_PATH"
+ Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH | Out-Null
+
+ # The second approach for Step 18 is for Windows releases that have not adopted the combined cumulative update
+ # but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
+ # update. This second approach is commented out below.
+
+ # Write-Output "$(Get-TS): Adding package $SSU_PATH"
+ # Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
+
+ # Optional: Add language to main OS
+ Write-Output "$(Get-TS): Adding package $OS_LP_PATH"
+ Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $OS_LP_PATH -ErrorAction stop | Out-Null
+
+ # Optional: Add a Features on Demand to the image
+ Write-Output "$(Get-TS): Adding language FOD: Language.Fonts.Jpan~~~und-JPAN~0.0.1.0"
+ Add-WindowsCapability -Name "Language.Fonts.$LANG_FONT_CAPABILITY~~~und-$LANG_FONT_CAPABILITY~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+ Write-Output "$(Get-TS): Adding language FOD: Language.Basic~~~$LANG~0.0.1.0"
+ Add-WindowsCapability -Name "Language.Basic~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+ Write-Output "$(Get-TS): Adding language FOD: Language.OCR~~~$LANG~0.0.1.0"
+ Add-WindowsCapability -Name "Language.OCR~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+ Write-Output "$(Get-TS): Adding language FOD: Language.Handwriting~~~$LANG~0.0.1.0"
+ Add-WindowsCapability -Name "Language.Handwriting~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+ Write-Output "$(Get-TS): Adding language FOD: Language.TextToSpeech~~~$LANG~0.0.1.0"
+ Add-WindowsCapability -Name "Language.TextToSpeech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+ Write-Output "$(Get-TS): Adding language FOD:Language.Speech~~~$LANG~0.0.1.0"
+ Add-WindowsCapability -Name "Language.Speech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+ # Note: If I wanted to enable additional Features on Demand, I'd add these here.
+
+ # Add latest cumulative update
+ Write-Output "$(Get-TS): Adding package $LCU_PATH"
+ Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
+
+ # Perform image cleanup
+ Write-Output "$(Get-TS): Performing image cleanup on main OS"
+ DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
+
+ #
+ # Note: If I wanted to enable additional Optional Components, I'd add these here.
+ # In addition, we'll add .NET 3.5 here as well. Both .NET and Optional Components might require
+ # the image to be booted, and thus if we tried to cleanup after installation, it would fail.
+ #
+
+ Write-Output "$(Get-TS): Adding NetFX3~~~~"
+ Add-WindowsCapability -Name "NetFX3~~~~" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+ # Add .NET Cumulative Update
+ Write-Output "$(Get-TS): Adding package $DOTNET_CU_PATH"
+ Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $DOTNET_CU_PATH -ErrorAction stop | Out-Null
+
+ # Dismount
+ Dismount-WindowsImage -Path $MAIN_OS_MOUNT -Save -ErrorAction stop | Out-Null
+
+ # Export
+ Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim"
+ Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\install.wim" -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\install2.wim" -ErrorAction stop | Out-Null
+
}
-# Add font support for the new language
-if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
- Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH"
- Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
-}
-
-# Add TTS support for the new language
-if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
- if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
-
- Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
- Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
-
- Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
- Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null
- }
-}
-
-# Add Safe OS
-Write-Output "$(Get-TS): Adding package $SAFE_OS_DU_PATH"
-Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SAFE_OS_DU_PATH -ErrorAction stop | Out-Null
-
-# Perform image cleanup
-Write-Output "$(Get-TS): Performing image cleanup on WinRE"
-DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup /ResetBase /Defer | Out-Null
-
-# Dismount
-Dismount-WindowsImage -Path $WINRE_MOUNT -Save -ErrorAction stop | Out-Null
-
-# Export
-Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\winre2.wim"
-Export-WindowsImage -SourceImagePath $WORKING_PATH"\winre.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\winre2.wim" -ErrorAction stop | Out-Null
-Move-Item -Path $WORKING_PATH"\winre2.wim" -Destination $WORKING_PATH"\winre.wim" -Force -ErrorAction stop | Out-Null
+Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sources\install.wim" -Force -ErrorAction stop | Out-Null
```
### Update WinPE
@@ -459,103 +563,6 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH"\sources\boot.wim" -Force -ErrorAction stop | Out-Null
```
-### Update the main operating system
-
-For this next phase, there's no need to mount the main operating system, since it was already mounted in the previous scripts. This script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it uses `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod).
-
-Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image.
-
-You can install Optional Components, along with the .NET feature, offline, but that requires the device to be restarted. This is why the script installs .NET and Optional Components after cleanup and before export.
-
-```powershell
-#
-# update Main OS
-#
-
-# Add servicing stack update (Step 18 from the table)
-
-# Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
-# The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that
-# includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and Windows 11, version 22H2 are examples. In these
-# cases, the servicing stack update is not published separately; the combined cumulative update should be used for this step. However, in hopefully
-# rare cases, there may breaking change in the combined cumulative update format, that requires a standalone servicing stack update to be published,
-# and installed first before the combined cumulative update can be installed.
-
-# This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
-# Write-Output "$(Get-TS): Adding package $SSU_PATH"
-# Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
-
-# Now, attempt the combined cumulative update. Unlike WinRE and WinPE, we don't need to check for error 0x8007007e
-Write-Output "$(Get-TS): Adding package $LCU_PATH"
-Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH | Out-Null
-
-# The second approach for Step 18 is for Windows releases that have not adopted the combined cumulative update
-# but instead continue to have a separate servicing stack update published. In this case, we'll install the SSU
-# update. This second approach is commented out below.
-
-# Write-Output "$(Get-TS): Adding package $SSU_PATH"
-# Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
-
-# Optional: Add language to main OS
-Write-Output "$(Get-TS): Adding package $OS_LP_PATH"
-Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $OS_LP_PATH -ErrorAction stop | Out-Null
-
-# Optional: Add a Features on Demand to the image
-Write-Output "$(Get-TS): Adding language FOD: Language.Fonts.Jpan~~~und-JPAN~0.0.1.0"
-Add-WindowsCapability -Name "Language.Fonts.$LANG_FONT_CAPABILITY~~~und-$LANG_FONT_CAPABILITY~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
-
-Write-Output "$(Get-TS): Adding language FOD: Language.Basic~~~$LANG~0.0.1.0"
-Add-WindowsCapability -Name "Language.Basic~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
-
-Write-Output "$(Get-TS): Adding language FOD: Language.OCR~~~$LANG~0.0.1.0"
-Add-WindowsCapability -Name "Language.OCR~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
-
-Write-Output "$(Get-TS): Adding language FOD: Language.Handwriting~~~$LANG~0.0.1.0"
-Add-WindowsCapability -Name "Language.Handwriting~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
-
-Write-Output "$(Get-TS): Adding language FOD: Language.TextToSpeech~~~$LANG~0.0.1.0"
-Add-WindowsCapability -Name "Language.TextToSpeech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
-
-Write-Output "$(Get-TS): Adding language FOD:Language.Speech~~~$LANG~0.0.1.0"
-Add-WindowsCapability -Name "Language.Speech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
-
-# Note: If I wanted to enable additional Features on Demand, I'd add these here.
-
-# Add latest cumulative update
-Write-Output "$(Get-TS): Adding package $LCU_PATH"
-Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
-
-# Copy our updated recovery image from earlier into the main OS
-# Note: If I were updating more than 1 edition, I'd want to copy the same recovery image file
-# into each edition to enable single instancing
-Copy-Item -Path $WORKING_PATH"\winre.wim" -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Force -ErrorAction stop | Out-Null
-
-# Perform image cleanup
-Write-Output "$(Get-TS): Performing image cleanup on main OS"
-DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
-
-#
-# Note: If I wanted to enable additional Optional Components, I'd add these here.
-# In addition, we'll add .NET 3.5 here as well. Both .NET and Optional Components might require
-# the image to be booted, and thus if we tried to cleanup after installation, it would fail.
-#
-
-Write-Output "$(Get-TS): Adding NetFX3~~~~"
-Add-WindowsCapability -Name "NetFX3~~~~" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
-
-# Add .NET Cumulative Update
-Write-Output "$(Get-TS): Adding package $DOTNET_CU_PATH"
-Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $DOTNET_CU_PATH -ErrorAction stop | Out-Null
-
-# Dismount
-Dismount-WindowsImage -Path $MAIN_OS_MOUNT -Save -ErrorAction stop | Out-Null
-
-# Export
-Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim"
-Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\install.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\install2.wim" -ErrorAction stop | Out-Null
-Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sources\install.wim" -Force -ErrorAction stop | Out-Null
-```
-
### Update remaining media files
This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings in updated Setup files as needed, along with the latest compatibility database, and replacement component manifests. This script also does a final replacement of setup.exe and boot manager files using the previously saved versions from WinPE.
diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md
index fd0efc4571..7aa9bf3ff1 100644
--- a/windows/deployment/update/servicing-stack-updates.md
+++ b/windows/deployment/update/servicing-stack-updates.md
@@ -15,21 +15,22 @@ appliesto:
- ✅ Windows 11
- ✅ Windows 10
- ✅ Windows Server
-ms.date: 12/31/2017
+ms.date: 12/08/2023
---
# Servicing stack updates
## What is a servicing stack update?
-Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically doesn't have updates released every month.
+
+Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the component-based servicing stack (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. [CBS](https://techcommunity.microsoft.com/t5/ask-the-performance-team/understanding-component-based-servicing/ba-p/373012) is a small component that typically doesn't have updates released every month.
## Why should servicing stack updates be installed and kept up to date?
-Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
+Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't have the latest servicing stack update installed, there's a risk that your device can't be updated with the latest Microsoft security fixes.
## When are they released?
-Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical."
+Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions, a servicing stack update might need to be released out of band to address an issue impacting systems installing the monthly security update. New servicing stack updates are classified as `Security` with a severity rating of `Critical`.
## What's the difference between a servicing stack update and a cumulative update?
@@ -38,14 +39,14 @@ Both Windows client and Windows Server use the cumulative update mechanism, in w
Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest monthly security update release and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
-Microsoft publishes all cumulative updates and SSUs for Windows 10, version 2004 and later together as one cumulative monthly update to the normal release category in WSUS.
+Microsoft publishes all cumulative updates and servicing stack updates for Windows 10, version 2004 and later together as one cumulative monthly update to the normal release category in Windows Server Update Services (WSUS).
## Is there any special guidance?
-Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update.
-
Typically, the improvements are reliability and performance improvements that don't require any specific special guidance. If there's any significant impact, it will be present in the release notes.
+Most users don't need to install an isolated servicing stack update. In the rare case that you need to install an isolated servicing stack update, Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update.
+
## Installation notes
* Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system.
@@ -56,6 +57,6 @@ Typically, the improvements are reliability and performance improvements that do
## Simplifying on-premises deployment of servicing stack updates
-With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update includes the latest servicing stack updates, to provide a single cumulative update payload to both Windows Server Update Services (WSUS) and Microsoft Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you'll only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update is available on Windows 10, version 2004 and later starting with the 2021 2C release, KB4601382.
+With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update includes the latest servicing stack updates, to provide a single cumulative update payload to both WSUS and the Microsoft Update Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you'll only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update is available on Windows 10, version 2004 and later starting with [KB4601382](https://support.microsoft.com/kb/4601382), released in February of 2021.
diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md
index 840ea3d5a7..05c5f63d80 100644
--- a/windows/deployment/update/waas-branchcache.md
+++ b/windows/deployment/update/waas-branchcache.md
@@ -9,9 +9,8 @@ ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
appliesto:
-- ✅ Windows 11
- ✅ Windows 10
-ms.date: 12/31/2017
+ms.date: 11/16/2023
---
# Configure BranchCache for Windows client updates
@@ -33,7 +32,10 @@ For detailed information about how Distributed Cache mode and Hosted Cache mode
Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](/previous-versions/windows/it-pro/windows-7/dd637820(v=ws.10)) in the [BranchCache Early Adopter's Guide](/previous-versions/windows/it-pro/windows-7/dd637762(v=ws.10)).
-In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode.
+In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, set the Delivery Optimization **Download mode** to '100' (Bypass) to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode.
+
+> [!Note]
+> Setting [Download mode](../do/waas-delivery-optimization-reference.md#download-mode) to '100' (Bypass) is only available in Windows 10, version 1607 and later, not in Windows 11. BranchCache isn't supported for Windows 11.
## Configure servers for BranchCache
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index 6af6c31910..2a1baa5255 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -16,7 +16,7 @@ appliesto:
- ✅ Windows Server 2022
- ✅ Windows Server 2019
- ✅ Windows Server 2016
-ms.date: 08/22/2023
+ms.date: 11/30/2023
---
# Configure Windows Update for Business
@@ -210,7 +210,7 @@ Starting with Windows 10, version 1607, you can selectively opt out of receiving
| MDM for Windows 10, version 1607 and later: ../Vendor/MSFT/Policy/Config/Update/**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
## Enable optional updates
-
+
In addition to the monthly cumulative update, optional updates are available to provide new features and nonsecurity changes. Most optional updates are released on the fourth Tuesday of the month, known as optional nonsecurity preview releases. Optional updates can also include features that are gradually rolled out, known as controlled feature rollouts (CFRs). Installation of optional updates isn't enabled by default for devices that receive updates using Windows Update for Business. However, you can enable optional updates for devices by using the **Enable optional updates** policy.
To keep the timing of updates consistent, the **Enable optional updates** policy respects the [deferral period for quality updates](#configure-when-devices-receive-quality-updates). This policy allows you to choose if devices should receive CFRs in addition to the optional nonsecurity preview releases, or if the end-user can make the decision to install optional updates. This policy can change the behavior of the **Get the latest updates as soon as they're available** option in **Settings** > **Update & security** > ***Windows Update** > **Advanced options**.
@@ -243,8 +243,8 @@ The following options are available for the policy:
| Policy | Sets registry key under HKLM\Software |
| --- | --- |
-| GPO for Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update > **Enable optional updates**| \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent |
-| MDM for Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later: ./Device/Vendor/MSFT/Policy/Config/Update/**[AllowOptionalContent](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalcontent)** | \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent |
+| **GPO applies to**:
**GPO location**: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update > **Enable optional updates**| \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent |
+| **MDM applies to**:
**MDM location**: ./Device/Vendor/MSFT/Policy/Config/Update/**[AllowOptionalContent](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalcontent)** | \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent |
## Enable features that are behind temporary enterprise feature control
@@ -269,7 +269,7 @@ The following are quick-reference tables of the supported policy values for Wind
| GPO Key | Key type | Value |
| --- | --- | --- |
-| AllowOptionalContent *Added in Windows 11, version 22H2*| REG_DWORD | 1: Automatically receive optional updates (including CFRs) 2: Automatically receive optional updates 3: Users can select which optional updates to receive Other value or absent: Don't receive optional updates|
+| AllowOptionalContent *Added in*:
| REG_DWORD | 1: Automatically receive optional updates (including CFRs) 2: Automatically receive optional updates 3: Users can select which optional updates to receive Other value or absent: Don't receive optional updates|
| AllowTemporaryEnterpriseFeatureControl *Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled. Other value or absent: Features that are shipped turned off by default will remain off |
| BranchReadinessLevel | REG_DWORD | 2: Systems take feature updates for the Windows Insider build - Fast 4: Systems take feature updates for the Windows Insider build - Slow 8: Systems take feature updates for the Release Windows Insider build Other value or absent: Receive all applicable updates |
| DeferFeatureUpdates | REG_DWORD | 1: Defer feature updatesOther value or absent: Don't defer feature updates |
@@ -285,7 +285,7 @@ The following are quick-reference tables of the supported policy values for Wind
| MDM Key | Key type | Value |
| --- | --- | --- |
-| AllowOptionalContent *Added in Windows 11, version 22H2*| REG_DWORD | 1: Automatically receive optional updates (including CFRs) 2: Automatically receive optional updates 3: Users can select which optional updates to receive Other value or absent: Don't receive optional updates|
+| AllowOptionalContent *Added in*:
| REG_DWORD | 1: Automatically receive optional updates (including CFRs) 2: Automatically receive optional updates 3: Users can select which optional updates to receive Other value or absent: Don't receive optional updates|
| AllowTemporaryEnterpriseFeatureControl *Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled. Other value or absent: Features that are shipped turned off by default will remain off |
| BranchReadinessLevel | REG_DWORD |2: Systems take feature updates for the Windows Insider build - Fast 4: Systems take feature updates for the Windows Insider build - Slow 8: Systems take feature updates for the Release Windows Insider build 32: Systems take feature updates from General Availability Channel Note: Other value or absent: Receive all applicable updates |
| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: Defer feature updates by given days |
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index 58343cf36e..070ded3d1e 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -13,66 +13,70 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 12/31/2017
+ms.date: 11/07/2023
---
# What is Windows Update for Business?
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
Windows Update for Business is a free service that is available for the following editions of Windows 10 and Windows 11:
+
- Pro, including Pro for Workstations
- Education
- Enterprise, including Enterprise LTSC, IoT Enterprise, and IoT Enterprise LTSC
-Windows Update for Business enables IT administrators to keep the Windows client devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when devices are updated.
+Windows Update for Business enables IT administrators to keep their organization's Windows client devices always up to date with the latest security updates and Windows features by directly connecting these systems to the Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions, such as Microsoft Intune, to configure the Windows Update for Business settings that control how and when devices are updated.
Specifically, Windows Update for Business lets you control update offerings and experiences to allow for reliability and performance testing on a subset of devices before deploying updates across the organization. It also provides a positive update experience for people in your organization.
## What can I do with Windows Update for Business?
-Windows Update for Business enables commercial customers to manage which Windows Updates are received when as well as the experience a device has when it receives them.
+Windows Update for Business enables commercial customers to manage which Windows Updates are received along with the experience a device has when it receives them.
-You can control Windows Update for Business policies by using either Mobile Device Management (MDM) tools such as Microsoft Intune or Group Policy management tools such as local group policy or the Group Policy Management Console (GPMC), as well as various other non-Microsoft management tools. MDMs use Configuration Service Provider (CSP) policies instead of Group Policy. Intune additionally uses Cloud Policies. Not all policies are available in all formats (CSP, Group Policy, or Cloud policy).
+You can control Windows Update for Business policies by using either MDM tools or Group Policy management, such as local group policy or the Group Policy Management Console (GPMC), and various other non-Microsoft management tools. MDMs use Configuration Service Provider (CSP) policies instead of Group Policy. Intune additionally uses Cloud Policies. Not all policies are available in all formats (CSP, Group Policy, or Cloud Policy).
+### Manage deployment of Windows Updates
-### Manage deployment of Windows Updates
-By using Windows Update for Business, you can control which types of Windows Updates are offered to devices in your ecosystem, when updates are applied, and deployment to devices in your organization in waves.
+By using Windows Update for Business, you can:
+- Control the types of Windows Updates are offered to devices in your organization
+- Control when updates are applied to the devices
+- Deploy updates to devices in your organization in waves
-### Manage which updates are offered
-Windows Update for Business enables an IT administrator to receive and manage a variety of different types of Windows Updates.
+### Manage which updates are offered
+
+Windows Update for Business enables an IT administrator to receive and manage various types of Windows Updates.
## Types of updates managed by Windows Update for Business
Windows Update for Business provides management policies for several types of updates to Windows 10 devices:
-- **Feature updates:** Previously referred to as "upgrades," feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released as soon as they become available. Feature updates aren't available for LTSC devices.
-- **Quality updates:** Quality updates are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates.
-- **Driver updates:** Updates for non-Microsoft drivers that are relevant to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer.
+- **Feature updates:** Previously referred to as upgrades, feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released as soon as they become available. Feature updates aren't available for LTSC devices.
+- **Quality updates:** Quality updates are traditional operating system updates. Typically quality updates are released on the second Tuesday of each month, though they can be released at any time. These include security, critical, and driver updates.
+- **Driver updates:** Updates for non-Microsoft drivers that are relevant to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer.
- **Microsoft product updates**: Updates for other Microsoft products, such as versions of Office that are installed by using Windows Installer (MSI). Versions of Office that are installed by using Click-to-Run can't be updated by using Windows Update for Business. Product updates are off by default. You can turn them on by using Windows Update for Business policies.
-
## Offering
-You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period.
+
+You can control when updates are applied. For example, you can defer when an update is installed on a device or by pausing updates for a certain period.
### Manage when updates are offered
+
You can defer or pause the installation of updates for a set period of time.
#### Enroll in prerelease updates
The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both prerelease and released updates:
-- Windows Insider Canary
-- Windows Insider Dev
-- Windows Insider Beta
-- Windows Insider Preview
-- General Availability Channel
+- Windows Insider Canary channel
+- Windows Insider Dev channel
+- Windows Insider Beta channel
+- Windows Insider Release Preview channel
#### Defer an update
-A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they're pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it's offered to a device. That is, if you set a feature update deferral period of 365 days, the device won't install a feature update that has been released for less than 365 days. To defer feature updates, use the **Select when Preview Builds and feature updates are Received** policy.
-
+An administrator can defer the installation of both feature and quality updates from deploying to devices within a range of time based on when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they're pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it's offered to a device. That is, if you set a feature update deferral period of 365 days, the device won't install a feature update that has been released for less than 365 days. To defer feature updates, use the **Select when Preview Builds and feature updates are Received** policy.
|Category |Maximum deferral period |
|---------|---------|
@@ -85,13 +89,12 @@ A Windows Update for Business administrator can defer the installation of both f
#### Pause an update
-If you discover a problem while deploying a feature or quality update, the IT administrator can pause the update for 35 days from a specified start date to prevent other devices from installing it until the issue is mitigated.
-If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set.
+If you discover a problem while deploying a feature or quality update, you can pause the update for 35 days from a specified start date to prevent other devices from installing it until the issue is mitigated. If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set.
To pause feature updates, use the **Select when Preview Builds and feature updates are Received** policy and to pause quality updates use the **Select when Quality Updates are Received** policy. For more information, see [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates).
Built-in benefits:
-When updating from Windows Update, you get the added benefits of built-in compatibility checks to prevent against a poor update experience for your device as well as a check to prevent repeated rollbacks.
+When updating from Windows Update, you get the added benefits of built-in compatibility checks to prevent against a poor update experience for your device and a check to prevent repeated rollbacks.
### Recommendations
@@ -104,28 +107,38 @@ For the best experience with Windows Update, follow these guidelines:
### Manage the end-user experience when receiving Windows Updates
-Windows Update for Business provides controls to help meet your organization's security standards as well as provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for people in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's better to use fewer controls to manage the user experience.
+Windows Update for Business provides controls to help meet your organization's security standards and provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for people in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's better to use fewer controls to manage the user experience.
#### Recommended experience settings
Features like the smart busy check (which ensure updates don't happen when a user is signed in) and active hours help provide the best experience for end users while keeping devices more secure and up to date. Follow these steps to take advantage of these features:
1. Automatically download, install, and restart (default if no restart policies are set up or enabled).
-2. Use the default notifications.
-3. Set update deadlines.
+1. Use the default notifications.
+1. Set update deadlines.
-##### Setting deadlines
+##### Setting deadlines
-A compliance deadline policy (released in June 2019) enables you to set separate deadlines and grace periods for feature and quality updates.
+A compliance deadline policy enables you to set separate deadlines and grace periods for feature and quality updates.
This policy enables you to specify the number of days from an update's publication date that it must be installed on the device. The policy also includes a configurable grace period that specifies the number of days from when the update is installed on the device until the device is forced to restart. This approach is useful in a vacation scenario as it allows, for example, users who have been away to have a bit of time before being forced to restart their devices when they return from vacation.
#### Update Baseline
+> [!NOTE]
+> The Update Baseline toolkit is available only for Group Policy. Update Baseline does not affect your offering policies, whether you're using deferrals or target version to manage which updates are offered to your devices when. Update Baseline is not currently supported for Windows 11.
+
The large number of different policies offered can be overwhelming. Update Baseline provides a clear list of recommended Windows update policy settings for IT administrators who want the best user experience while also meeting their update compliance goals. The Update Baseline for Windows 10 includes policy settings recommendations covering deadline configuration, restart behavior, power policies, and more.
The Update Baseline toolkit makes it easy by providing a single command for IT Admins to apply the Update Baseline to devices. You can get the Update Baseline toolkit from the [Download Center](https://www.microsoft.com/download/details.aspx?id=101056).
->[!NOTE]
->The Update Baseline toolkit is available only for Group Policy. Update Baseline does not affect your offering policies, whether you’re using deferrals or target version to manage which updates are offered to your devices when. Update Baseline is not currently supported for Windows 11.
+## Other Windows Update for Business services
+The following services are part of the Windows Update for Business product family:
+
+- [Windows Update for Business reports](wufb-reports-overview.md) is a cloud-based solution that provides information about your Microsoft Entra joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the Azure portal. Windows Update for Business reports helps you:
+ - Monitor security, quality, driver, and feature updates for Windows 11 and Windows 10 devices
+ - Report on devices with update compliance issues
+ - Analyze and display your data in multiple ways
+
+- The [Windows Update for Business deployment service](deployment-service-overview.md) is a cloud service designed to work with your existing Windows Update for Business policies and Windows Update for Business reports. The deployment service provides additional control over the approval, scheduling, and safeguarding of updates delivered from Windows Update to managed devices.
diff --git a/windows/deployment/update/waas-wufb-csp-mdm.md b/windows/deployment/update/waas-wufb-csp-mdm.md
index e65bab8900..cc945db4c2 100644
--- a/windows/deployment/update/waas-wufb-csp-mdm.md
+++ b/windows/deployment/update/waas-wufb-csp-mdm.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 10/10/2023
+ms.date: 11/30/2023
---
# Walkthrough: Use CSPs and MDMs to configure Windows Update for Business
@@ -47,19 +47,19 @@ Drivers are automatically enabled because they're beneficial to device systems.
### Set when devices receive feature and quality updates
-#### I want to receive pre-release versions of the next feature update
+#### I want to receive prerelease versions of the next feature update
-1. Ensure that you're enrolled in the Windows Insider Program for Business. This is a free program available to commercial customers to aid them in their validation of feature updates before they're released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates.
+1. Ensure that you're enrolled in the Windows Insider Program for Business. Windows Insider is a free program available to commercial customers to aid them in their validation of feature updates before they're released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates.
-1. For any of test devices you want to install pre-release builds, use [Update/ManagePreviewBuilds](/windows/client-management/mdm/policy-csp-update#update-managepreviewbuilds). Set this to **Enable preview builds**.
+1. For any of test devices you want to install prerelease builds, use [Update/ManagePreviewBuilds](/windows/client-management/mdm/policy-csp-update#update-managepreviewbuilds). Set the option to **Enable preview builds**.
-1. Use [Update/BranchReadinessLevel](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) and select one of the preview Builds. Windows Insider Program Slow is the recommended channel for commercial customers who are using pre-release builds for validation.
+1. Use [Update/BranchReadinessLevel](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) and select one of the preview Builds. Windows Insider Program Slow is the recommended channel for commercial customers who are using prerelease builds for validation.
-1. Additionally, you can defer pre-release feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays). If you're testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. This ensures that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests.
+1. Additionally, you can defer prerelease feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays). If you're testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. This schedule helps ensure that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests.
#### I want to manage which released feature update my devices receive
-A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you won't receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify.
+A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you don't receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify.
- To defer a feature update: [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays)
- To pause a feature update: [Update/PauseFeatureUpdatesStartTime](/windows/client-management/mdm/policy-csp-update#update-pausefeatureupdatesstarttime)
@@ -72,7 +72,7 @@ In this example, there are three rings for quality updates. The first ring ("pil
-When the quality update is released, it is offered to devices in the pilot ring the next time they scan for updates.
+When the quality update is released, it's offered to devices in the pilot ring the next time they scan for updates.
##### Five days later
The devices in the fast ring are offered the quality update the next time they scan for updates.
@@ -80,11 +80,11 @@ The devices in the fast ring are offered the quality update the next time they s
##### Ten days later
-Ten days after the quality update is released, it is offered to the devices in the slow ring the next time they scan for updates.
+Ten days after the quality update is released, it's offered to the devices in the slow ring the next time they scan for updates.
-If no problems occur, all of the devices that scan for updates will be offered the quality update within ten days of its release, in three waves.
+If no problems occur, all of the devices that scan for updates are offered the quality update within ten days of its release, in three waves.
##### What if a problem occurs with the update?
@@ -109,13 +109,13 @@ If you need a device to stay on a version beyond the point when deferrals on the
#### I want to manage when devices download, install, and restart after updates
-We recommended that you allow to update automatically--this is the default behavior. If you don't set an automatic update policy, the device will attempt to download, install, and restart at the best times for the user by using built-in intelligence such as intelligent active hours and smart busy check.
+We recommended that you allow to update automatically, which is the default behavior. If you don't set an automatic update policy, the device attempts to download, install, and restart at the best times for the user by using built-in intelligence such as intelligent active hours and smart busy check.
For more granular control, you can set the maximum period of active hours the user can set with [Update/ActiveHoursMaxRange](/windows/client-management/mdm/policy-csp-update#update-activehoursmaxrange). You could also set specific start and end times for active ours with [Update/ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#update-activehoursend) and [Update/ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#update-activehoursstart).
-It's best to refrain from setting the active hours policy because it's enabled by default when automatic updates are not disabled and provides a better experience when users can set their own active hours.
+It's best to refrain from setting the active hours policy because it's enabled by default when automatic updates aren't disabled and provides a better experience when users can set their own active hours.
-To update outside of the active hours, use [Update/AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) with Option 2 (which is the default setting). For even more granular control, consider using automatic updates to schedule the install time, day, or week. To do this, use Option 3, and then set the following policies as appropriate for your plan:
+To update outside of the active hours, use [Update/AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) with Option 2 (which is the default setting). For even more granular control, consider using automatic updates to schedule the install time, day, or week. To use a schedule, use Option 3, and then set the following policies as appropriate for your plan:
- [Update/ScheduledInstallDay](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday)
- [Update/ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek)
@@ -132,7 +132,7 @@ If you don't want to allow any automatic updates prior to the deadline, set [Upd
#### I want to keep devices secure and compliant with update deadlines
-We recommend that you use set specific deadlines for feature and quality updates to ensure that devices stay secure on Windows 10, version 1709 and later. This works by enabling you to specify the number of days that can elapse after an update is offered to a device before it must be installed. Also you can set the number of days that can elapse after a pending restart before the user is forced to restart. Use these settings:
+We recommend that you use set specific deadlines for feature and quality updates to ensure that devices stay secure on Windows 10, version 1709 and later. Deadlines work by enabling you to specify the number of days that can elapse after an update is offered to a device before it must be installed. Also you can set the number of days that can elapse after a pending restart before the user is forced to restart. Use these settings:
- [Update/ConfigureDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates ](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforqualityupdates)
@@ -140,7 +140,7 @@ We recommend that you use set specific deadlines for feature and quality updates
- [Update/ConfigureDeadlineGracePeriodForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiodforfeatureupdates)
- [Update/ConfigureDeadlineNoAutoReboot](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinenoautoreboot)
-These policies also offer an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point the device will automatically schedule a restart regardless of active hours.
+These policies also offer an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point, the device automatically schedules a restart regardless of active hours.
These notifications are what the user sees depending on the settings you choose:
@@ -172,7 +172,7 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window
There are additional settings that affect the notifications.
-We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that aren't met by the default notification settings, you can use the [Update/UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) policy with these values:
+We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you set. If you do have further needs that aren't met by the default notification settings, you can use the [Update/UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) policy with these values:
**0** (default) - Use the default Windows Update notifications
**1** - Turn off all notifications, excluding restart warnings
@@ -181,14 +181,14 @@ We recommend that you use the default notifications as they aim to provide the b
> [!NOTE]
> Option **2** creates a poor experience for personal devices; it's only recommended for kiosk devices where automatic restarts have been disabled.
-Still more options are available in [Update/ScheduleRestartWarning](/windows/client-management/mdm/policy-csp-update#update-schedulerestartwarning). This setting allows you to specify the period for auto-restart warning reminder notifications (from 2-24 hours; 4 hours is the default) before the update. You can also specify the period for auto-restart imminent warning notifications with [Update/ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-csp-update#update-scheduleimminentrestartwarning) (15-60 minutes is the default). We recommend using the default notifications.
+Still more options are available in [Update/ScheduleRestartWarning](/windows/client-management/mdm/policy-csp-update#update-schedulerestartwarning). This setting allows you to specify the period for auto restart warning reminder notifications (from 2-24 hours; 4 hours is the default) before the update. You can also specify the period for auto restart imminent warning notifications with [Update/ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-csp-update#update-scheduleimminentrestartwarning) (15-60 minutes is the default). We recommend using the default notifications.
#### I want to manage the update settings a user can access
-Every Windows device provides users with a variety of controls they can use to manage Windows Updates. They can access these controls by Search to find Windows Updates or by going selecting **Updates and Security** in **Settings**. We provide the ability to disable a variety of these controls that are accessible to users.
+Every Windows device provides users with various controls they can use to manage Windows Updates. They can access these controls by Search to find Windows Updates or by going selecting **Updates and Security** in **Settings**. We provide the ability to disable a variety of these controls that are accessible to users.
Users with access to update pause settings can prevent both feature and quality updates for 7 days. You can prevent users from pausing updates through the Windows Update settings page by using [Update/SetDisablePauseUXAccess](/windows/client-management/mdm/policy-csp-update#update-setdisablepauseuxaccess).
-When you disable this setting, users will see **Some settings are managed by your organization** and the update pause settings are greyed out.
+When you disable this setting, users see **Some settings are managed by your organization** and the update pause settings are greyed out.
If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use [Update/SetDisableUXWUAccess](/windows/client-management/mdm/policy-csp-update#update-setdisableuxwuaccess).
@@ -205,3 +205,11 @@ The features that are turned off by default from servicing updates will be enabl
- **0** (default): Allowed. All features in the latest monthly cumulative update are enabled.
- When the policy is set to **0**, all features that are currently turned off will turn on when the device next reboots
- **1** - Not allowed. Features that are shipped turned off by default will remain off
+
+#### I want to enable optional updates
+
+*Applies to:*
+- Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later
+- Windows 10, version 22H2 with [KB5032278](https://support.microsoft.com/help/5032278), or a later cumulative update installed
+
+In addition to the monthly cumulative update, optional updates are available to provide new features and nonsecurity changes. Most optional updates are released on the fourth Tuesday of the month, known as optional nonsecurity preview releases. Optional updates can also include features that are gradually rolled out, known as controlled feature rollouts (CFRs). Installation of optional updates isn't enabled by default for devices that receive updates using Windows Update for Business. However, you can enable optional updates for devices by using [AllowOptionalContent](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalcontent). For more information about optional content, see [Enable optional updates](waas-configure-wufb.md#enable-optional-updates).
\ No newline at end of file
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index 372a36d6df..22c937a71a 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -17,7 +17,7 @@ appliesto:
- ✅ Windows Server 2022
- ✅ Windows Server 2019
- ✅ Windows Server 2016
-ms.date: 10/10/2023
+ms.date: 11/30/2023
---
# Walkthrough: Use Group Policy to configure Windows Update for Business
@@ -202,7 +202,9 @@ If you use Windows Server Update Server (WSUS), you can prevent users from scann
#### I want to enable optional updates
-(*Starting in Windows 11, version 22H2 or later*)
+*Applies to:*
+- Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later
+- Windows 10, version 22H2 with [KB5032278](https://support.microsoft.com/help/5032278), or a later cumulative update installed
In addition to the monthly cumulative update, optional updates are available to provide new features and nonsecurity changes. Most optional updates are released on the fourth Tuesday of the month, known as optional nonsecurity preview releases. Optional updates can also include features that are gradually rolled out, known as controlled feature rollouts (CFRs). Installation of optional updates isn't enabled by default for devices that receive updates using Windows Update for Business. However, you can enable optional updates for devices by using the **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update > Enable optional updates** policy.
diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md
index 2279f4318c..b75a881dc0 100644
--- a/windows/deployment/update/windows-update-logs.md
+++ b/windows/deployment/update/windows-update-logs.md
@@ -13,7 +13,7 @@ ms.collection:
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 12/31/2017
+ms.date: 12/08/2023
---
# Windows Update log files
@@ -24,18 +24,20 @@ The following table describes the log files created by Windows Update.
|Log file|Location|Description|When to use |
|-|-|-|-|
-|windowsupdate.log|C:\Windows\Logs\WindowsUpdate|Starting in Windows 8.1 and continuing in Windows 10, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs.|If you receive an error message when you run Windows Update, you can use the information that is included in the Windowsupdate.log log file to troubleshoot the issue.|
-|UpdateSessionOrchestration.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the Update Orchestrator is responsible for sequence of downloading and installing various update types from Windows Update. And the events are logged to these .etl files.|When you see that the updates are available but download is not getting triggered.
When Updates are downloaded but installation is not triggered.
When Updates are installed but reboot is not triggered. |
+|windowsupdate.log|C:\Windows\Logs\WindowsUpdate|Starting in Windows 8.1 and continuing in Windows 10, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs.|If you receive an error message when you run Windows Update, you can use the information included in the Windowsupdate.log log file to troubleshoot the issue.|
+|UpdateSessionOrchestration.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the Update Orchestrator Service is responsible for sequence of downloading and installing various update types from Windows Update. And the events are logged to these .etl files.|
|
|NotificationUxBroker.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the notification toast or the banner is triggered by NotificationUxBroker.exe. |When you want to check whether the notification was triggered or not. |
|CBS.log|%systemroot%\Logs\CBS|This log provides insight on the update installation part in the servicing stack.|To troubleshoot the issues related to Windows Update installation.|
-## Generating WindowsUpdate.log
+## Generating WindowsUpdate.log
+
To merge and convert Windows Update trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](/powershell/module/windowsupdate/get-windowsupdatelog?preserve-view=tru&view=win10-ps).
>[!NOTE]
>When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpdate.log unless you run **Get-WindowsUpdateLog** again.
-### Windows Update log components
+## Windows Update log components
+
The Windows Update engine has different component names. The following are some of the most common components that appear in the WindowsUpdate.log file:
- AGENT- Windows Update agent
@@ -54,7 +56,7 @@ The Windows Update engine has different component names. The following are some
- PT- Synchronizes updates information to the local datastore
- REPORT- Collects reporting information
- SERVICE- Startup/shutdown of the Automatic Updates service
-- SETUP- Installs new versions of the Windows Update client when it is available
+- SETUP- Installs new versions of the Windows Update client when it's available
- SHUTDWN- Install at shutdown feature
- WUREDIR- The Windows Update redirector files
- WUWEB- The Windows Update ActiveX control
@@ -68,7 +70,7 @@ The Windows Update engine has different component names. The following are some
>[!NOTE]
>Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on what's important.
-### Windows Update log structure
+## Windows Update log structure
The Windows update log structure is separated into four main identities:
- Time Stamps
@@ -82,7 +84,7 @@ The Windows update log structure is separated into four main identities:
The WindowsUpdate.log structure is discussed in the following sections.
-#### Time stamps
+### Time stamps
The time stamp indicates the time at which the logging occurs.
- Messages are usually in chronological order, but there may be exceptions.
- A pause during a sync can indicate a network problem, even if the scan succeeds.
@@ -90,15 +92,15 @@ The time stamp indicates the time at which the logging occurs.
-#### Process ID and thread ID
+### Process ID and thread ID
The Process IDs and Thread IDs are random, and they can vary from log to log and even from service session to service session within the same log.
-- The first four hex digits are the process ID.
-- The next four hex digits are the thread ID.
+- The first four digits, in hex, are the process ID.
+- The next four digits, in hex, are the thread ID.
- Each component, such as the USO, Windows Update engine, COM API callers, and Windows Update installer handlers, has its own process ID.
-#### Component name
+### Component name
Search for and identify the components that are associated with the IDs. Different parts of the Windows Update engine have different component names. Some of them are as follows:
- ProtocolTalker - Client-server sync
@@ -111,31 +113,36 @@ Search for and identify the components that are associated with the IDs. Differe
-#### Update identifiers
+### Update identifiers
+
+The following items are update identifiers:
+
+#### Update ID and revision number
-##### Update ID and revision number
There are different identifiers for the same update in different contexts. It's important to know the identifier schemes.
-- Update ID: A GUID (indicated in the previous screenshot) that's assigned to a given update at publication time
+- Update ID: A GUID (indicated in the previous screenshot) assigned to a given update at publication time
- Revision number: A number incremented every time that a given update (that has a given update ID) is modified and republished on a service
- Revision numbers are reused from one update to another (not a unique identifier).
- The update ID and revision number are often shown together as "{GUID}.revision."
-##### Revision ID
-- A Revision ID (don't confuse this value with "revision number") is a serial number that's issued when an update is initially published or revised on a given service.
-- An existing update that's revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a new revision ID that is not related to the previous ID.
+#### Revision ID
+
+- A Revision ID (don't confuse this value with "revision number") is a serial number issued when an update is initially published or revised on a given service.
+- An existing update that is revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a new revision ID that isn't related to the previous ID.
- Revision IDs are unique on a given update source, but not across multiple sources.
- The same update revision might have different revision IDs on Windows Update and WSUS.
- The same revision ID might represent different updates on Windows Update and WSUS.
-##### Local ID
-- Local ID is a serial number issued when an update is received from a service by a given Windows Update client
+#### Local ID
+
+- Local ID is a serial number issued by a given Windows Update client when an update is received from a service.
- Typically seen in debug logs, especially involving the local cache for update info (Datastore)
-- Different client PCs will assign different Local IDs to the same update
+- Different client PCs assign different Local IDs to the same update
- You can find the local IDs that a client is using by getting the client's %WINDIR%\SoftwareDistribution\Datastore\Datastore.edb file
-##### Inconsistent terminology
+#### Inconsistent terminology
- Sometimes the logs use terms inconsistently. For example, the InstalledNonLeafUpdateIDs list actually contains revision IDs, not update IDs.
- Recognize IDs by form and context:
diff --git a/windows/deployment/update/wufb-reports-schema-enumerated-types.md b/windows/deployment/update/wufb-reports-schema-enumerated-types.md
new file mode 100644
index 0000000000..af84c4b582
--- /dev/null
+++ b/windows/deployment/update/wufb-reports-schema-enumerated-types.md
@@ -0,0 +1,280 @@
+---
+title: Enumerated types
+titleSuffix: Windows Update for Business reports
+description: Enumerated types for Windows Update for Business reports.
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
+author: mestew
+ms.author: mstewart
+manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+ms.date: 12/06/2023
+---
+
+# Enumerated types for Windows Update for Business reports
+
+The following enumerated types are used in Windows Update for Business reports:
+
+## OSEdition
+
+SKU of Windows the device is running.
+
+|Value | Description |
+|---|---|
+| **Enterprise** | Windows Enterprise |
+| **Professional** | Windows Professional |
+| **ProfessionalWorkstation** | Windows Professional workstation |
+| **ProfessionalN** | Similar to Windows Professional edition but doesn't include Windows media player. |
+| **Education** | Windows Education |
+
+## OSArchitecture
+
+Architecture of the OS running on the client.
+
+|Value | Description |
+|---|---|
+| **amd64** | OS is 64-bit |
+| **x86** | OS is 32-bit |
+| **Unknown** | The OS architecture is unknown |
+
+## OSFeatureUpdateStatus
+
+Feature updates status
+
+|Value | Description |
+|---|---|
+| **Unknown** | Default, sent if client data unavailable. |
+| **InService** | Client is on a version of Windows 10 that is serviced. |
+| **EndOfService** | Client is on a version of Windows 10 that is no longer serviced. |
+
+## OSQualityUpdateStatus
+
+Quality updates status
+
+|Value | Description |
+|---|---|
+| **Latest** | Client is on the latest quality update |
+| **NotLatest** | Client isn't on the latest quality update |
+
+## OSSecurityUpdateStatus
+
+Security updates status
+
+|Value | Description |
+|---|---|
+| **Latest** | Client is on the latest security update |
+| **NotLatest** | Client isn't on the latest security update |
+| **MultipleSecurityUpdatesMissing** | Client is missing multiple security updates |
+
+## OSFeatureUpdateComplianceStatus, OSSecurityUpdateComplianceStatus, OSQualityUpdateComplianceStatus
+
+Compliance status
+
+|Value | Description |
+|---|---|
+| **Compliant** | The latest deployment from the Windows Update for Business deployment service is installed on the client |
+| **NotCompliant** | The latest deployment from the Windows Update for Business deployment service isn't installed on the client|
+| **NotApplicable** | Client isn't part of any Windows Update for Business deployment service deployments |
+
+## OSServicingChannel
+
+Servicing channel of client
+
+|Value | Description |
+|---|---|
+| **Unknown** | Default, release branch can't be defined. |
+| **SAC** | Semi-annual release channel |
+| **LTSC** | Long-term servicing channel |
+| **WIP-S** | Windows Insider Preview - Slow ring |
+| **WIP-F**| Windows Insider Preview - Fast ring |
+| **Internal** | An identifiable, but internal release ring |
+
+## ServiceState
+
+High-level service state OSServicingChannel
+
+|Value | Description |
+|---|---|
+| **Pending** | Windows Update for Business deployment service isn't targeting this update to this device because the update isn't ready. |
+| **Offering** | Service is offering the update to the device. The update is available for the device to get if it scans Windows Update. |
+| **OnHold** | Service is holding off on offering update to the device indefinitely. Until either the service or admin changes some condition, devices remain in this state. |
+| **Canceled** | Service canceled offering update to the device, and the device is confirmed to not be installing the update. |
+
+## ServiceSubstate
+
+Lower-level service state
+
+| Value | ServiceState |
+|---|---|
+| **Validation** | Update can't be offered to the device because a validation issue with the device and deployment service. |
+| **Scheduled** | Update isn't ready to be offered to the device, but is scheduled for offering at a later date. |
+| **OfferReady** | Update is currently being offered to the device from Windows Update. |
+| **RemovedFromDeployment** | Update offering was canceled because it was removed from the deployment because of an explicit administrator action. |
+| **AdminCancelled** | Update offering was canceled because of an explicit administrator action. |
+| **ServiceCancelled** | Update offering was canceled because of an automatic action by the deployment service. |
+| **AdminPaused** | Update is on hold because the deployment was paused with an explicit administrator action. |
+| **ServicePaused** | Update is on hold because of an automatic action by the deployment service. |
+| **SafeguardHold** | Update isn't offered because an existing safeguard hold on the device. |
+
+## ClientState
+
+High-level client state
+
+|Value | Description |
+|---|---|
+| **Unknown** | Default value, if ClientSubstate is unknown (in other words, no client data) |
+| **Offering** | Update is being offered to device |
+| **Installing** | Update is in progress on device |
+| **Uninstalling** | Update is being uninstalled from device |
+| **Installed** | Update has been installed to device |
+| **Uninstalled** | Update has been uninstalled from device |
+| **Canceled** | Update has been canceled from device |
+| **OnHold** | Update has been on Hold |
+
+## ClientSubstate
+
+Lower-level client state
+
+|Value | Description |
+|---|---|
+| **Unknown** | Default value, if ClientSubstate is unknown (in other words, no client data) |
+| **Offering** | Update is being offered to device |
+| **Installing** | Update is in progress on device |
+| **Uninstalling** | Update is being uninstalled from device |
+| **Installed** | Update has been installed to device |
+| **Uninstalled** | Update has been uninstalled from device |
+| **Canceled** | Update has been canceled from device |
+| **OnHold** | Update has been on Hold |
+
+## UpdateCategory
+
+Type of update.
+
+|Value | Description |
+|---|---|
+| **WindowsQualityUpdate** | Windows feature update |
+| **WindowsFeatureUpdate** | Windows quality update |
+| **DriverUpdate** | Driver update |
+
+## UpdateClassification
+
+Whether this update is an upgrade, security, nonsecurity, or driver
+
+|Value | Description |
+|---|---|
+| **Security** | Update is a quality update containing security fixes |
+| **NonSecurity** | Update is a quality update not containing security fixes |
+| **Upgrade** | Update is a feature update |
+
+## UpdateSource
+
+Source of the update
+
+|Value | Description |
+|---|---|
+| **Inferred** | |
+| **MuV6** | Update through old Windows Update, or via WSUS (uses old protocol) |
+| **UUP** | Update through modern Windows Update |
+
+## ReadinessStatus
+
+Whether the device is capable of taking target OS and version.
+
+|Value | Description |
+|---|---|
+| **Capable** | The device meets all requirements to upgrade to Windows 11. |
+| **Not Capable** | The device doesn't meet the requirements to upgrade to Windows 11. Check Readiness Reason for the reason. |
+| **Unknown** | Microsoft doesn't have enough data points to determine the eligibility status. |
+
+## ReadinessReason
+
+Reason why the device isn't capable of updating to target OS and version.
+
+|Value | Description |
+|---|---|
+| **tpm** | [Trusted Platform Module](/windows/security/hardware-security/tpm/trusted-platform-module-overview) (TPM) version 2.0 is required. If your device doesn't meet the minimum requirements because of TPM, see [Enable TPM 2.0 on your PC](https://support.microsoft.com/windows/enable-tpm-2-0-on-your-pc-1fd5a332-360d-4f46-a1e7-ae6b0c90645c) to see if there are any remediation steps you can take. |
+| **cpufms** | CPU not supported. For more information, see [Windows Processor Requirements](/windows-hardware/design/minimum/windows-processor-requirements) |
+| **sysdrivesize** | 64 GB or larger storage device required. If your PC doesn't have a large enough storage drive, sometimes there are options for upgrading the drive. Consult your PC manufacturer's website or with a retailer to see if there are options to meet the minimum requirements for Windows 11. |
+| **UefiSecureBoot** | UEFI (Unified Extensible Firmware Interface) and Secure Boot capability. If your device doesn't meet the minimum requirements because it's not Secure Boot capable. For more information, see [Windows 11 and Secure Boot](https://support.microsoft.com/topic/a8ff1202-c0d9-42f5-940f-843abef64fad) to see if you're able to enable Secure Boot. Secure Boot can only be enabled with UEFI. |
+
+
+## AlertType
+
+Type of alert.
+
+|Value | Description |
+|---|---|
+| **ServiceUpdateAlert** | Alert is relevant to Windows Update for Business deployment service's offering of the content to the client. |
+| **ClientUpdateAlert** | Alert is relevant to client's ability to progress through the installation of the update content. |
+| **ServiceDeviceAlert** | Alert is relevant to device's status within Windows Update for Business deployment service |
+| **ClientDeviceAlert** | Alert is relevant to device's state |
+| **DeploymentAlert** | Alert is relevant to an entire deployment, or a significant number of devices in the deployment. |
+
+## AlertSubtype
+
+Subtype of alert.
+
+| Value | Description |
+|---|---|
+| **CancelledByUser** | The user canceled the update. |
+| **CertificateIssue** | An expired certificate was encountered. |
+| **DamagedMedia** | The update file appears to be damaged. |
+| **DeviceRegistrationInvalidAzureADJoin** | Device isn't able to register or authenticate properly with the deployment service due to not being device-level Entra ID joined. Devices that are workplace-joined aren't compatible with the deployment service. |
+| **DiskFull** | An operation couldn't be completed because the disk is full. |
+| **DiskIssue** | Windows Update has found disk corruption. |
+| **DownloadCancelled** | The download was canceled. |
+| **DownloadCredentialsIssue** | A proxy server or firewall on your network might require credentials. |
+| **DownloadIssue** | There was a download issue. |
+| **DownloadIssueServiceDisabled** | The service the download depends on is disabled. |
+| **DownloadTimeout** | A timeout occurred. |
+| **EndOfService** | Client OS is no longer being serviced |
+| **EndOfServiceApproaching** | Client OS servicing period completes in less than 60 days |
+| **FileNotFound** | The installer couldn't find a Windows component that it needs. |
+| **InstallAccessDenied** | Access denied. |
+| **InstallCancelled** | Install canceled. |
+| **InstallFileLocked** | Couldn't access the file because it's already in use. |
+| **InstallIssue** | There was an installation issue. |
+| **InstallSetupBlock** | There's an application or driver blocking the upgrade. |
+| **InstallSetupError** | Encountered an error while installing the new version of Windows. |
+| **InstallSetupRestartRequired** | A restart is required. |
+| **InstallSharingViolation** | An application is likely interfering with Windows Update. |
+| **InstallSystemError** | A system error occurred while installing the new version of Windows. |
+| **InsufficientUpdateConnectivity** | Device hasn't had sufficient connectivity to Windows Update to progress through the update process and will experience delays. |
+| **MultipleSecurityUpdatesMissing** | Client is missing multiple security updates |
+| **NetworkIssue** | The server timed out waiting for the requested. |
+| **PathNotFound** | The specified path can't be found. |
+| **RestartIssue** | The restart to apply updates is being blocked by one or more applications. |
+| **SafeguardHold** | Update can't be installed due to a known Safeguard Hold. |
+| **UnexpectedShutdown** | The installation stopped because Windows was shutting down or restarting. |
+| **WindowsComponentCorruption** | This device has a corrupted Windows component |
+| **WUBusy** | Windows Update tried to install an update while another installation process was already running. |
+| **WUComponentMissing** | Windows Update might be missing a component or the update file might be damaged. |
+| **WUDamaged** | The update file might be damaged. |
+| **WUFileCorruption** | Windows Update encountered corrupted files. |
+| **WUIssue** | An unexpected issue was encountered during the installation. |
+| **WUSetupError** | The setup process was suspended. |
+
+
+## AlertStatus
+
+Status of alert
+
+|Value | Description |
+|---|---|
+| **Active** | Alert is active, still requires attention. |
+| **Resolved** | Alert is resolved and no longer requires attention. |
+| **Deleted** | Alert was deleted from the backend system. |
+
+### AlertClassification
+
+Whether this alert is an error, a warning, or informational.
+
+| **Value** | Description |
+|---|---|
+| **Informational** | Alert is informational in nature. |
+| **Warning** | Alert is a warning |
+| **Error** | Alert is an error, or is related to an error. There should be an error code that maps to either something from the client or from the service. |
+| **Recommendation** | Alert is a recommendation, something to optimize. |
diff --git a/windows/deployment/update/wufb-reports-schema-ucclient.md b/windows/deployment/update/wufb-reports-schema-ucclient.md
index 9966c6a6ad..b5383c4ad8 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclient.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclient.md
@@ -11,7 +11,7 @@ manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 08/09/2023
+ms.date: 12/06/2023
---
# UCClient
@@ -19,41 +19,63 @@ ms.date: 08/09/2023
UCClient acts as an individual device's record. It contains data such as the currently installed build, the device's name, the OS edition, and active hours (quantitative).
## Schema for UCClient
-
-|Field |Type |Example |Description |
-|---|---|---|---|
-| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
-| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
-| **Country** | [string](/azure/kusto/query/scalar-data-types/string) | `US` | The last-reported location of device (country or region), based on IP address. Shown as country code. |
-| **DeviceFamily** | [string](/azure/kusto/query/scalar-data-types/string) | `PC, Phone` | The device family such as PC, Phone. |
-| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | Client-provided device name |
-| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | The global device identifier |
-| **LastCensusScanTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The last time this device performed a successful census scan, if any. |
-| **LastWUScanTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The last time this device performed a successful Windows Update scan, if any. |
-| **OSArchitecture** | [string](/azure/kusto/query/scalar-data-types/string) | `x86` | The architecture of the operating system (not the device) this device is currently on. |
-| **OSBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.22621.1702` | The full operating system build installed on this device, such as Major.Minor.Build.Revision |
-| **OSBuildNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `22621` | The major build number, in int format, the device is using. |
-| **OSEdition** | [string](/azure/kusto/query/scalar-data-types/string) | `Professional` | The Windows edition |
-| **OSFeatureUpdateComplianceStatus** | [string](/azure/kusto/query/scalar-data-types/string)| `Compliant` | Whether or not the device is on the latest feature update that's offered from the Windows Update for Business deployment service, else NotApplicable. |
-| **OSFeatureUpdateEOSTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The end of service date of the feature update currently installed on the device. |
-| **OSFeatureUpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the feature update currently installed on the device. |
-| **OSFeatureUpdateStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `InService;EndOfService` | Whether or not the device is on the latest available feature update, for its feature update. |
-| **OSQualityUpdateComplianceStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `NotCompliant` | Whether or not the device is on the latest quality update that's offered from the Windows Update for Business deployment service, else NotApplicable. |
-| **OSQualityUpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the quality update currently installed on the device. |
-| **OSQualityUpdateStatus** | [string](/azure/kusto/query/scalar-data-types/string)| `Latest;NotLatest` | Whether or not the device is on the latest available quality update, for its feature update. |
-| **OSRevisionNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `836` | The revision, in int format, this device is on. |
-| **OSSecurityUpdateComplianceStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `NotCompliant` | Whether or not the device is on the latest security update (quality update where the Classification=Security) that's offered from the Windows Update for Business deployment service, else NotApplicable. |
-| **OSSecurityUpdateStatus** | [string](/azure/kusto/query/scalar-data-types/string)| `Latest;NotLatest;MultipleSecurityUpdatesMissing` | Whether or not the device is on the latest available security update, for its feature update. |
-| **OSServicingChannel** | [string](/azure/kusto/query/scalar-data-types/string) | `SAC` | The elected Windows 10 servicing channel of the device. |
-| **OSVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10 operating system version currently installed on the device, such as 19H2, 20H1, 20H2. |
-| **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager client ID, if available. |
-| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This field is to determine to which batch snapshot this record belongs. |
-| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `DeviceEvent` | The EntityType. |
-| **WUFeatureDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | `0` | CSP: ConfigureDeadlineForFeatureUpdates. The Windows update feature update deadline configuration in days. `-1` indicates not configured, `0` indicates configured but set to `0`. Values > `0` indicate the deadline in days. |
-| **WUFeatureDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | `0` | CSP: DeferFeatureUpdates. The Windows update feature update deferral configuration in days. `-1` indicates not configured, `0` indicates configured but set to `0`. Values > `0` indicate the policy setting. |
-| **WUFeatureGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | `7` | The Windows Update grace period for feature update in days. -1 indicates not configured, `0` indicates configured and set to `0`. Values greater than `0` indicate the grace period in days. |
-| **WUFeaturePauseState** | [string](/azure/kusto/query/scalar-data-types/string) | `NotConfigured` | Indicates pause status of device for feature updates, possible values are Paused, NotPaused, NotConfigured. |
-| **WUQualityDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | `7` | CSP: ConfigureDeadlineForQualityUpdates. The Windows update quality update deadline configuration in days. `-1` indicates not configured, `0` indicates configured but set to `0`. Values > `0` indicate the deadline in days. |
-| **WUQualityDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | `-1` | CSP: DeferQualityUpdates. The Windows Update quality update deferral configuration in days. `-1` indicates not configured, `0` indicates configured but set to `0`. Values greater than `0` indicate the policy setting. |
-| **WUQualityGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | `0` | The Windows Update grace period for quality update in days. `-1` indicates not configured, `0` indicates configured and set to `0`. Values greater than `0` indicate the grace period in days. |
-| **WUQualityPauseState** | [string](/azure/kusto/query/scalar-data-types/string) | `NotConfigured` | Indicates pause status of device for quality updates, possible values are Paused, NotPaused, NotConfigured. |
+
+| Field |Type | Enumerated type |Example |Description |
+|---|---|---|---|---|
+| **AzureADDeviceID** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
+| **AzureADTenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
+| **City** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | | Currently, data isn't gathered to populate this field. Device city, based on IP address. |
+| **Country** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `US` | The last-reported location of device (country or region), based on IP address. Shown as country code. |
+| **DeviceFamily** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `PC, Phone` | The device family such as PC, Phone. |
+| **DeviceFormFactor** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Notebook, Desktop, Phone.` | Currently, data isn't gathered to populate this field. The device form factor |
+| **DeviceManufacturer** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Hewlett-Packard.` | Currently, data isn't gathered to populate this field. The device OEM manufacturer |
+| **DeviceModel** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `The device's OEM model ` | Currently, data isn't gathered to populate this field. The device OEM model |
+| **DeviceName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `JohnPC-Contoso` | Client-provided device name |
+| **GlobalDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `g:9832741921341` | The global device identifier |
+| **IsVirtual** | [bool](/azure/data-explorer/kusto/query/scalar-data-types/bool) | No | `Yes, No` | Whether device is a virtual device. |
+| **LastCensusScanTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The last time this device performed a successful census scan, if any. |
+| **LastWUScanTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The last time this device performed a successful Windows Update scan, if any. |
+| **NewTest_CF [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. |
+| **OSArchitecture** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `x86` | The architecture of the operating system (not the device) this device is currently on. |
+| **OSBuild** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `10.0.22621.1702` | The full operating system build installed on this device, such as Major.Minor.Build.Revision |
+| **OSBuildNumber** | [int](/azure/kusto/query/scalar-data-types/int) | No | `22621` | The major build number, in int format, the device is using. |
+| **OSEdition** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Professional` | The Windows edition |
+| **OSFeatureUpdateComplianceStatus** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Compliant` | Whether the device is on the latest feature update that's offered from the Windows Update for Business deployment service, else NotApplicable. |
+| **OSFeatureUpdateEOSTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The end of service date of the feature update currently installed on the device. |
+| **OSFeatureUpdateReleaseTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The release date of the feature update currently installed on the device. |
+| **OSFeatureUpdateStatus** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `InService;EndOfService` | Whether the device is on the latest available feature update, for its feature update. |
+| **OSQualityUpdateComplianceStatus** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `NotCompliant` | Whether the device is on the latest quality update that's offered from the Windows Update for Business deployment service, else NotApplicable. |
+| **OSQualityUpdateReleaseTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The release date of the quality update currently installed on the device. |
+| **OSQualityUpdateStatus** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Latest;NotLatest` | Whether the device is on the latest available quality update, for its feature update. |
+| **OSRevisionNumber** | [int](/azure/kusto/query/scalar-data-types/int) | No | `836` | The revision, in int format, this device is on. |
+| **OSSecurityUpdateComplianceStatus** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `NotCompliant` | Whether the device is on the latest security update (quality update where the Classification=Security) that's offered from the Windows Update for Business deployment service, else NotApplicable. |
+| **OSSecurityUpdateStatus** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Latest;NotLatest;MultipleSecurityUpdatesMissing` | Whether the device is on the latest available security update, for its feature update. |
+| **OSServicingChannel** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `SAC` | The elected Windows 10 servicing channel of the device. |
+| **OSVersion** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `1909` | The Windows 10 operating system version currently installed on the device, such as 19H2, 20H1, 20H2. |
+| **PrimaryDiskFreeCapacityMb** | | No | | Currently, data isn't gathered to populate this field. Free disk capacity of the primary disk in Megabytes. |
+| **SCCMClientId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager client ID, if available. |
+| **SourceSystem** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Azure` | |
+| **TenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID of the device. |
+| **TimeGenerated [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This field is to determine to which batch snapshot this record belongs. |
+| **Type** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `UCClient` | The entity type |
+| **UpdateConnectivityLevel** | | Yes | | Currently, data isn't gathered to populate this field. Whether or not this device is maintaining a sufficiently cumulative and continuous connection to Windows Update so the update can progress optimally. |
+| **WUAutomaticUpdates** | | No | | Currently, data isn't gathered to populate this field. Manage automatic update behavior to scan, download, and install updates. |
+| **WUDeadlineNoAutoRestart** | | No | | Currently, data isn't gathered to populate this field. Devices won't automatically restart outside of active hours until the deadline is reached - It's 1 by default and indicates enabled, 0 indicates disabled |
+| **WUDODownloadMode** | | No | | Currently, data isn't gathered to populate this field. The Windows Update DO DownloadMode configuration. |
+| **WUFeatureDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `0` | CSP: ConfigureDeadlineForFeatureUpdates. The Windows Update feature update deadline configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values > 0 indicate the deadline in days. |
+| **WUFeatureDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `0` | CSP: DeferFeatureUpdates. The Windows Update feature update deferral configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values > 0 indicate the policy setting. |
+| **WUFeatureGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `7` | The Windows Update grace period for feature update in days. -1 indicates not configured, 0 indicates configured and set to 0. Values greater than 0 indicate the grace period in days. |
+| **WUFeaturePauseEndTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The time Windows Update feature update pause will end, if activated, else null. |
+| **WUFeaturePauseStartTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The time Windows Update feature update pause was activated, if activated, else null. Feature updates are paused for 35 days from the specified start date. |
+| **WUFeaturePauseState** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `NotConfigured` | Indicates pause status of device for feature updates. Possible values are Paused, NotPaused, NotConfigured. |
+| **WUNotificationLevel** | | No | | Currently, data isn't gathered to populate this field. This policy allows you to define what Windows Update notifications users see. 0 (default) - Use the default Windows Update notifications. 1 - Turn off all notifications, excluding restart warnings. 2 - Turn off all notifications, including restart warnings |
+| **WUPauseUXDisabled** | | No | | Currently, data isn't gathered to populate this field. This policy allows the IT admin to disable the Pause Updates feature. When this policy is enabled, the user can't access the Pause updates' feature. Supported values 0, 1. |
+| **WUQualityDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `7` | CSP: ConfigureDeadlineForQualityUpdates. The Windows update quality update deadline configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values > 0 indicate the deadline in days. |
+| **WUQualityDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `-1` | CSP: DeferQualityUpdates. The Windows Update quality update deferral configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values greater than 0 indicate the policy setting. |
+| **WUQualityGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `0` | The Windows Update grace period for quality update in days. -1 indicates not configured, 0 indicates configured and set to 0. Values greater than 0 indicate the grace period in days. |
+| **WUQualityPauseEndTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The time Windows Update quality update pause- will end, if activated, else null. |
+| **WUQualityPauseStartTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The time Windows Update quality update pause- was activated; if activated; else null. |
+| **WUQualityPauseState** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `NotConfigured` | Indicates pause status of device for quality updates. Possible values are Paused, NotPaused, NotConfigured. |
+| **WURestartNotification** | | No | | Currently, data isn't gathered to populate this field. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed. The following list shows the supported values: 1 (default) = Auto Dismissal. 2 - User Dismissal. |
+| **WUServiceURLConfigured**| | No | | Currently, data isn't gathered to populate this field. The device checks for updates from Microsoft Update. Set to a URL, such as http://abcd-srv:8530. The device checks for updates from the WSUS server at the specified URL. Not configured. The device checks for updates from Microsoft Update. Set to a URL, such as http://abcd-srv:8530. The device checks for updates from the WSUS server at the specified URL. |
+| **WUUXDisabled** | | No | | Currently, data isn't gathered to populate this field. This policy allows the IT admin to remove access to scan Windows Update. When this policy is enabled, the user can't access the Windows Update scan, download, and install features. Default is 0. Supported values 0, 1. |
diff --git a/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md b/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
index a497b36832..59208c8193 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
@@ -11,7 +11,7 @@ manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 06/06/2022
+ms.date: 12/06/2023
---
# UCClientReadinessStatus
@@ -20,26 +20,29 @@ ms.date: 06/06/2022
UCClientReadinessStatus is an individual device's record about its readiness for updating to Windows 11. If the device isn't capable of running Windows 11, the record includes which Windows 11 [hardware requirements](/windows/whats-new/windows-11-requirements#hardware-requirements) the device doesn't meet.
## Schema for UCClientReadinessStatus
-
-|Field |Type |Example |Description |
-|---|---|---|---|
-| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | Client-provided device name |
-| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | The global device identifier. |
-| **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager Client ID, if available. |
-| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
-| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
-| **OSName** | [string](/azure/kusto/query/scalar-data-types/string) | `Windows 10` | The operating system name. |
-| **OSVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Win10 OS Version (such as 19H2, 20H1, 20H2) currently installed on the device. |
-| **OSBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full OS build installed on this device, such as Major.Minor.Build.Revision |
-| **TargetOSName** | [string](/azure/kusto/query/scalar-data-types/string) | `Windows 11` | The name of the operating system being targeted to the device for this readiness record.|
-| **TargetOSVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `21H2` | The operating system version being targeted to the device for this readiness record.|
-| **TargetOSBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.22000.1` | The full operating system build number that's being targeted to the device for this readiness record.|
-| **ReadinessStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `Not capable` | The readiness status of the device is either capable, not capable, or unknown. This status is determined by Windows Update.|
-| **ReadinessReason** | [string](/azure/kusto/query/scalar-data-types/string) | `CPU;TPM` | Lists which [hardware requirements](/windows/whats-new/windows-11-requirements#hardware-requirements) are blocking the device from being capable of installing Windows 11. Field is null if the device is capable. This status is determined by the Windows Update applicability. |
-| **ReadinessScanTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The date and time when readiness was assessed and the assessment was sent.|
-| **ReadinessExpiryTime**| [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The date and time when the readiness assessment will expire.|
-| **SetupReadinessStatus**| [string](/azure/kusto/query/scalar-data-types/string) | `Not capable` | The readiness status of the device is either capable, not capable, or unknown. This status is determined by Windows setup.|
-| **SetupReadinessReason** | [string](/azure/kusto/query/scalar-data-types/string) | `CPU;TPM` | Lists which [hardware requirements](/windows/whats-new/windows-11-requirements#hardware-requirements) are blocking the device from being capable of installing Windows 11. Field is null if the device is capable. This status is determined by Windows setup. |
-| **SetupReadinessTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The date and time when readiness was assessed by setup and the assessment was sent.|
-| **SetupReadinessExpiryTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The date and time when the setup readiness assessment will expire.|
-| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 10:26:03.478039` | The date and time when Azure Monitor Logs ingested this record for your Log Analytics workspace.|
+
+|Field |Type | Enumerated type |Example |Description |
+|---|---|---|---|---|
+| **AzureADDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
+| **AzureADTenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
+| **DeviceName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `JohnPC-Contoso` | Client-provided device name |
+| **GlobalDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `g:9832741921341` | The global device identifier. |
+| **OSBuild** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `10.0.18363.836` | The full OS build installed on this device, such as Major.Minor.Build.Revision |
+| **OSName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Windows 10` | The operating system name. |
+| **OSVersion** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `1909` | The Win10 OS version (such as 19H2, 20H1, 20H2) currently installed on the device. |
+| **ReadinessExpiryTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | The date and time when the readiness assessment will expire. |
+| **ReadinessReason** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `CPU;TPM` | Lists which hardware requirements are blocking the device from being capable of installing Windows 11. Field is null if the device is capable. This status is determined by the Windows Update applicability. |
+| **ReadinessScanTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | The date and time when readiness was assessed and the assessment was sent. |
+| **ReadinessStatus** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Not capable` | The readiness status of the device is either capable, not capable, or unknown. This status is determined by Windows Update. |
+| **SCCMClientId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager Client ID, if available. |
+| **SetupReadinessExpiryTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | The date and time when the setup readiness assessment will expire. |
+| **SetupReadinessReason** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `CPU;TPM` | Lists which hardware requirements are blocking the device from being capable of installing Windows 11. Field is null if the device is capable. This status is determined by Windows setup. |
+| **SetupReadinessStatus** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Not capable` | The readiness status of the device is either capable, not capable, or unknown. This status is determined by Windows setup. |
+| **SetupReadinessTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | The date and time when readiness was assessed by setup and the assessment was sent. |
+| **SourceSystem** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Azure` | |
+| **TargetOSBuild** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `10.0.22000.1` | The full operating system build number that's being targeted to the device for this readiness record. |
+| **TargetOSName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Windows 11` | The name of the operating system being targeted to the device for this readiness record. |
+| **TargetOSVersion** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `21H2` | The operating system version being targeted to the device for this readiness record. |
+| **TenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID of the device. |
+| **TimeGenerated [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | The date and time when Azure Monitor Logs ingested this record for your Log Analytics workspace. |
+| **Type** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `UCClientReadinessStatus` | The entity type |
diff --git a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
index 760d757558..058a649dd6 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
@@ -11,7 +11,7 @@ manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 06/05/2023
+ms.date: 12/06/2023
---
# UCClientUpdateStatus
@@ -20,39 +20,47 @@ ms.date: 06/05/2023
Update Event that combines the latest client-based data with the latest service-based data to create a complete picture for one device (client) and one update.
## Schema for UCClientUpdateStatus
-
-| Field | Type | Example | Description |
-|---|---|---|---|
-| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | A string corresponding to the Microsoft Entra tenant to which the device belongs. |
-| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | A string corresponding to this device's Microsoft Entra device ID |
-|**CatalogId** | [string](/azure/kusto/query/scalar-data-types/string) | `b0f410599615e2ce15e6614ac3fc4ec62d80324020351e172edef89091a64f2f` | The update catalog ID |
-| **ClientState** | [string](/azure/kusto/query/scalar-data-types/string) | `Installing` | Higher-level bucket of ClientSubstate. |
-| **ClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadStart` | Last-known state of this update relative to the device, from the client. |
-| **ClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2300` | Ranking of client substates for sequential ordering in funnel-type views. The rankings between ServiceSubstate and ClientSubstate can be used together. |
-| **ClientSubstateTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time of last client substate transition |
-| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | The identifier of the deployment that is targeting this update to this device, else empty. |
-| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | Device's given name |
-| **FurthestClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadComplete` | Furthest clientSubstate |
-| **FurthestClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2400` | Ranking of furthest clientSubstate |
-| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | Microsoft internal global device identifier |
-| **IsUpdateHealty** | [bool](/azure/data-explorer/kusto/query/scalar-data-types/bool) | `1` | True: No issues preventing this device from updating to this update have been found. False: There is something that may prevent this device from updating. |
-| **OfferReceivedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time when device last reported entering OfferReceived, else empty. |
-| **RestartRequiredTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time when device first reported entering RebootRequired (or RebootPending), else empty. |
-| **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | A string corresponding to the Configuration Manager Client ID on the device. |
-| **SourceSystem** | [string](/azure/kusto/query/scalar-data-types/string)| `Azure`| |
-| **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full build of the content this DeviceUpdateEvent is tracking. For Windows 10 updates, this value would correspond to the full build (10.0.14393.385). |
-| **TargetBuildNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `18363` | Integer of the Major portion of Build. |
-| **TargetKBNumber** | [string](/azure/kusto/query/scalar-data-types/string) | `KB4524570` | KB Article. |
-| **TargetRevisionNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `836` | Integer or the minor (or revision) portion of the build. |
-| **TargetVersion** | [int](/azure/kusto/query/scalar-data-types/int) | `1909` | The target operating system version, such as 1909. |
-| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
-| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `DeviceUpdateEvent` | The EntityType |
-| **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
-| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether the update classification is an upgrade (feature update), security (quality update), non-security (quality update), or driver |
-| **UpdateDisplayName** | [string](/azure/kusto/query/scalar-data-types/string) | `Windows 10 1909` | The long-form display name for the given update. Varies on content type (feature update. quality update) |
-| **UpdateId** | [string](/azure/kusto/query/scalar-data-types/string) | `10e519f0-06ae-4141-8f53-afee63e995f0` |Update ID of the targeted update|
-| **UpdateInstalledTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | DateTime when event transitioned to UpdateInstalled, else empty. |
-| **UpdateManufacturer** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft` | Manufacturer of update. Microsoft for feature or quality updates, for drivers the name of driver manufacturer. |
-| **UpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the update |
-| **UpdateSource** | [string](/azure/kusto/query/scalar-data-types/string) | `UUP` | The source of the update such as UUP, MUv6, Media |
-
+
+|Field |Type | Enumerated type |Example |Description |
+|---|---|---|---|---|
+| **AzureADDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
+| **AzureADTenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
+| **CatalogId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `b0f410599615e2ce15e6614ac3fc4ec62d80324020351e172edef89091a64f2f` | This field applies to drivers only. The Catalog ID of the update from Windows Update for Business deployment service. |
+| **ClientState** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Installing` | This field applies to drivers only. Higher-level bucket of ClientSubstate. |
+| **ClientSubstate** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `DownloadStart` | Last-known state of this update relative to the device, from the client. |
+| **ClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | No | `2300` | Ranking of client substates for sequential ordering in funnel-type views. The rankings between ServiceSubstate and ClientSubstate can be used together. |
+| **ClientSubstateTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | Date and time of last client substate transition |
+| **DeploymentId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | The identifier of the deployment that is targeting this update to this device, else empty. |
+| **DeviceName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `JohnPC-Contoso` | Device's given name |
+| **EventData** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | | Currently, data isn't gathered to populate this field. Json to fill with arbitrary K/V pairs. Used to populate contextual data that would otherwise be sparsely populated if elevated to a field always present in the schema. |
+| **FurthestClientSubstate** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `DownloadComplete` | Furthest clientSubstate |
+| **FurthestClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | No | `2400` | Ranking of furthest clientSubstate |
+| **GlobalDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `g:9832741921341` | Microsoft internal global device identifier |
+| **IsUpdateHealthy** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `1` | Currently, data isn't gathered to populate this field. True: No issues preventing this device from updating to this update have been found. False: There's something that may prevent this device from updating. |
+| **OfferReceivedTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | Date and time when device last reported entering OfferReceived, else empty. |
+| **RestartRequiredTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | Date and time when device first reported entering RebootRequired (or RebootPending), else empty. |
+| **SCCMClientId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | A string corresponding to the Configuration Manager Client ID on the device. |
+| **SourceSystem** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Azure` | |
+| **TargetBuild** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `10.0.18363.836` | The full build of the content this DeviceUpdateEvent is tracking. For Windows 10 updates, this value would correspond to the full build (10.0.14393.385). |
+| **TargetBuildNumber** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `18363` | Integer of the Major portion of Build. |
+| **TargetKBNumber** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `KB4524570` | KB Article. |
+| **TargetRevisionNumber** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `836` | Integer or the minor (or revision) portion of the build. |
+| **TargetVersion** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `1909` | The target operating system version, such as 1909. |
+| **TenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID of the device. |
+| **TimeGenerated [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
+| **Type** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `UCClientUpdateStatus` | The entity type |
+| **UpdateCategory** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
+| **UpdateClassification** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Upgrade` | Whether the update classification is an upgrade (feature update), security (quality update), nonsecurity (quality update), or driver |
+| **UpdateConnectivityLevel** | | Yes | | Currently, data isn't gathered to populate this field. Whether or not this device is maintaining a sufficiently cumulative and continuous connection to Windows Update so the update can progress optimally. |
+| **UpdateDisplayName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Windows 10 1909` | The long-form display name for the given update. Varies on content type (feature update. quality update) |
+| **UpdateHealthGroupL1** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | | Currently, data isn't gathered to populate this field. Grouping design to describe the current update installation's "health", L1 (highest-level). |
+| **UpdateHealthGroupL2** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | | Currently, data isn't gathered to populate this field. Integer for ranking the L1 UpdateHealthGroup. |
+| **UpdateHealthGroupL3** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | | Currently, data isn't gathered to populate this field. Second grouping, subset of L1, more detailed. |
+| **UpdateHealthGroupRankL1** | [int](/azure/kusto/query/scalar-data-types/int) | No | | Currently, data isn't gathered to populate this field. Integer for ranking the L2 UpdateHealthGroup. |
+| **UpdateHealthGroupRankL2** | [int](/azure/kusto/query/scalar-data-types/int) | No | | Currently, data isn't gathered to populate this field. Third grouping, subset of L3, more detailed. |
+| **UpdateHealthGroupRankL3** | [int](/azure/kusto/query/scalar-data-types/int) | No | | Currently, data isn't gathered to populate this field. Integer for ranking the L3 UpdateHealthGroup. |
+| **UpdateId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `10e519f0-06ae-4141-8f53-afee63e995f0` | This field applies to drivers only. Update ID of the targeted update |
+| **UpdateInstalledTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | DateTime when event transitioned to UpdateInstalled, else empty. |
+| **UpdateManufacturer** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Microsoft` | This field applies to drivers only. Manufacturer of update. Microsoft for feature or quality updates, for drivers the name of driver manufacturer. |
+| **UpdateReleaseTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | The release date of the update |
+| **UpdateSource** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `UUP` | The source of the update such as UUP, MUv6, Media |
diff --git a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
index a449781e51..e5dfa88144 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
@@ -11,7 +11,7 @@ manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 06/06/2022
+ms.date: 12/06/2023
---
# UCDeviceAlert
@@ -19,32 +19,29 @@ ms.date: 06/06/2022
These alerts are activated as a result of an issue that is device-specific. It isn't specific to the combination of a specific update and a specific device. Like UpdateAlerts, the AlertType indicates where the Alert comes from (ServiceDeviceAlert, ClientDeviceAlert). For example, an EndOfService alert is a ClientDeviceAlert, as a build no longer being serviced (EOS) is a client-wide state. Meanwhile, DeviceRegistrationIssues in the Windows Update for Business deployment service will be a ServiceDeviceAlert, as it's a device-wide state in the service to not be correctly registered.
## Schema for UCDeviceAlert
-
-|Field |Type |Example |Description |
-|---|---|---|---|
-| **AlertClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Error` | Whether this alert is an Error, a Warning, or Informational |
-| **AlertId** | [string](/azure/kusto/query/scalar-data-types/string) | `9e107d9d372bb6826bd81d3542a419d6` | The unique identifier of this alert |
-| **AlertRank** | [int](/azure/kusto/query/scalar-data-types/int) | `1000` | Integer ranking of alert for prioritization during troubleshooting |
-| **AlertStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `Active` | Whether this alert is Active, Resolved, or Deleted |
-| **AlertSubtype** | [string](/azure/kusto/query/scalar-data-types/string) | `DiskFull` | The subtype of alert. |
-| **AlertType** | [string](/azure/kusto/query/scalar-data-types/string) | `ClientUpdateAlert` | The type of alert such as ClientUpdateAlert or ServiceUpdateAlert. Indicates which fields will be present. |
-| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra device ID of the device, if available. |
-| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID of the device. |
-| **ClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadStart` | If the alert is from the client, the ClientSubstate at the time this alert was activated or updated, else empty. |
-| **ClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2300` | Rank of ClientSubstate |
-| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | The deployment this alert is relative to, if there's one. |
-| **Description** | [string](/azure/kusto/query/scalar-data-types/string) | `Disk full` | A localized string translated from a combination of other alert fields + language preference that describes the issue in detail. |
-| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | The given device's name |
-| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:1298371934870` | Internal Microsoft global identifier, if available. |
-| **Recommendation** | [string](/azure/kusto/query/scalar-data-types/string) | `Free up disk space.` | A localized string translated from RecommendedAction, Message, and other fields (depending on source of alert) that provides a recommended action. |
-| **ResolvedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time this alert was resolved, else empty. |
-| **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager client ID of the device, if available. |
-| **ServiceSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `OfferReady` | If the alert is from the service, the ServiceSubstate at the time this alert was activated or updated, else Empty. |
-| **ServiceSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `100` | Rank of ServiceSubstate |
-| **StartTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time this alert was activated. |
-| **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `18363.836` | The Windows 10 Major. Revision this UpdateAlert is relative to. |
-| **TargetVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10 build this UpdateAlert is relative to. |
-| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
-| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UpdateAlert` | The entity type. |
-| **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
-| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this content is an upgrade (feature update), security (quality update), non-security (quality update), or driver |
+
+|Field |Type | Enumerated type |Example |Description |
+|---|---|---|---|---|
+| **AlertClassification** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Error` | Whether this alert is an Error, a Warning, or Informational |
+| **AlertData** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | | Currently, data isn't gathered to populate this field. An optional string formatted as a json payload containing metadata for the alert. |
+| **AlertId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `9e107d9d372bb6826bd81d3542a419d6` | The unique identifier of this alert |
+| **AlertRank** | [int](/azure/kusto/query/scalar-data-types/int) | No | `1000` | Integer ranking of alert for prioritization during troubleshooting |
+| **AlertStatus** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Active` | Whether this alert is Active, Resolved, or Deleted |
+| **AlertSubtype** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `DiskFull` | The subtype of alert. |
+| **AlertType** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `ClientUpdateAlert` | The type of alert such as ClientUpdateAlert or ServiceUpdateAlert. Indicates which fields are present. |
+| **AzureADDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
+| **AzureADTenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
+| **Description** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Disk full` | A localized string translated from a combination of other alert fields + language preference that describes the issue in detail. |
+| **DeviceName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `JohnPC-Contoso` | The given device's name |
+| **ErrorCode** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | | Currently, data isn't gathered to populate this field. The Error Code, if any, that triggered this Alert. In the case of Client-based explicit alerts, error codes can have extended error codes, which are appended to the error code with an underscore separator. |
+| **ErrorSymName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | | Currently, data isn't gathered to populate this field. The symbolic name that maps to the Error Code, if any. Otherwise empty. |
+| **GlobalDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `g:1298371934870` | Internal Microsoft global identifier, if available. |
+| **Recommendation** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Free up disk space.` | A localized string translated from RecommendedAction, Message, and other fields (depending on source of alert) that provides a recommended action. |
+| **ResolvedTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The time this alert was resolved, else empty. |
+| **SCCMClientId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager client ID of the device, if available. |
+| **SourceSystem** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Azure` | |
+| **StartTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The time this alert was activated. |
+| **TenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID of the device. |
+| **TimeGenerated [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
+| **Type** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `UCDeviceAlert` | The entity type |
+| **URL** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `aka.ms/errordetail32152` | Currently, data isn't gathered to populate this field. An optional URL to get more in-depth information related to this alert. |
diff --git a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
index d6b10a0364..33540428e2 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
@@ -12,7 +12,7 @@ ms.reviewer: carmenf
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 11/17/2022
+ms.date: 12/06/2023
---
# UCDOAggregatedStatus
diff --git a/windows/deployment/update/wufb-reports-schema-ucdostatus.md b/windows/deployment/update/wufb-reports-schema-ucdostatus.md
index c9f8f9a935..98e6832a40 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdostatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdostatus.md
@@ -11,7 +11,7 @@ ms.reviewer: carmenf
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 11/17/2022
+ms.date: 12/06/2023
---
# UCDOStatus
diff --git a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
index 004f2def5e..c78b2c076d 100644
--- a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
@@ -11,7 +11,7 @@ manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 06/06/2022
+ms.date: 12/06/2023
---
# UCServiceUpdateStatus
@@ -19,38 +19,41 @@ ms.date: 06/06/2022
Update Event that comes directly from the service-side. The event has only service-side information for one device (client), and one update, in one deployment. This event has certain fields removed from it in favor of being able to show data in near real time.
## Schema for UCServiceUpdateStatus
-
-| Field | Type | Example | Description |
-|---|---|---|---|
-| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. |
-| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | A GUID corresponding to the Microsoft Entra tenant to which the device belongs. |
-|**CatalogId** | [string](/azure/kusto/query/scalar-data-types/string) | `b0f410599615e2ce15e6614ac3fc4ec62d80324020351e172edef89091a64f2f` | The update catalog ID |
-| **DeploymentApprovedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-05-14 09:26:03.478039` | Date and time of the update approval |
-| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) |`cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. |
-| **DeploymentName** | [string](/azure/kusto/query/scalar-data-types/string) |`My deployment` | Friendly name of the created deployment |
-| **DeploymentIsExpedited** | [bool](/azure/data-explorer/kusto/query/scalar-data-types/bool) | `1` | Whether the content is being expedited |
-| **DeploymentRevokeTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-05-14 09:26:03.478039` | Date and time the update was revoked |
-| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | Microsoft internal global device identifier |
-| **OfferReadyTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | DateTime of OfferReady transition. If empty, not yet been offered. |
-| **PolicyCreatedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time the policy was created |
-| **PolicyId** | [string](/azure/kusto/query/scalar-data-types/string) | `9011c330-1234-5678-9abc-def012345678` | The policy identifier targeting the update to this device |
-| **PolicyName** | [string](/azure/kusto/query/scalar-data-types/string) | `My policy` | Friendly name of the policy |
-| **ServiceState** | [string](/azure/kusto/query/scalar-data-types/string) | `Offering` | High-level state of update's status relative to device, service-side. |
-| **ServiceSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `OfferReady` | Low-level state of update's status relative to device, service-side. |
-| **ServiceSubstateTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time of last ServiceSubstate transition. |
-| **SourceSystem** | [string](/azure/kusto/query/scalar-data-types/string)| `Azure`| |
-| **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full build for the content this event is tracking. For Windows 10, this string corresponds to "10.0.Build.Revision" |
-| **TargetVersion** | [int](/azure/kusto/query/scalar-data-types/int) | `1909` | The version of content this DeviceUpdateEvent is tracking. For Windows 10 updates, this number would correspond to the year/month version format used, such as 1903. |
-| **TenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `9011c330-1234-5678-9abc-def012345678` | Microsoft Entra tenant ID |
-| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Time the snapshot ran can also be the same as EventDateTimeUTC in some cases. |
-| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `ServiceUpdateEvent` | The EntityType |
-| **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
-| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), non-security (quality update), or driver |
-| **UpdateDisplayName** | [string](/azure/kusto/query/scalar-data-types/string) | `Windows 10 1909` | The long-form display name for the given update. Varies on content type (feature update. quality update) |
-| **UpdateId** | [string](/azure/kusto/query/scalar-data-types/string) | `10e519f0-06ae-4141-8f53-afee63e995f0` |Update ID of the targeted update|
-| **UpdateManufacturer** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft` | Manufacturer of update. Microsoft for feature or quality updates, for drivers the name of driver manufacturer. |
-|**UpdateProvider** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft` | Update provider of drivers and firmware |
-| **UpdateRecommendedTime** |[datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-05-14 09:26:03.478039` | Date and time when the update was recommended to the device |
-| **UpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the update |
-|**UpdateVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `20.0.19.3` | Update version of drivers or firmware |
-| **UpdateVersionTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Update version date time stamp for drivers and firmware |
+
+| Field |Type | Enumerated type |Example |Description |
+|---|---|---|---|---|
+| **AzureADDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
+| **AzureADTenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
+| **CatalogId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `b0f410599615e2ce15e6614ac3fc4ec62d80324020351e172edef89091a64f2f` | This field applies to drivers only. The Catalog ID of the update from Windows Update for Business deployment service. |
+| **DeploymentApprovedTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | This field applies to drivers only. Date and time of the update approval |
+| **DeploymentId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID maps to that policy, otherwise it's empty. |
+| **DeploymentIsExpedited** | [bool](/azure/data-explorer/kusto/query/scalar-data-types/bool) | No | `1` | Currently, data isn't gathered to populate this field. It indicated whether the content is being expedited |
+| **DeploymentName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `My deployment` | Currently, data isn't gathered to populate this field. Friendly name of the created deployment |
+| **DeploymentRevokeTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | This field applies to drivers only. Date and time the update was revoked |
+| **GlobalDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `g:9832741921341` | Currently, data isn't gathered to populate this field. Microsoft internal global device identifier |
+| **OfferReadyTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | DateTime of OfferReady transition. If empty, not yet been offered. |
+| **PolicyCreatedTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | This field applies to drivers only. Date and time the policy was created |
+| **PolicyId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `9011c330-1234-5678-9abc-def012345678` | This field applies to drivers only. The policy identifier targeting the update to this device |
+| **PolicyName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `My policy` | Currently, data isn't gathered to populate this field. This field applies to drivers only. Friendly name of the policy. |
+| **ProjectedOfferReadyTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Projected time update will be offered to device. If empty, unknown. |
+| **ServiceState** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Offering` | High-level state of update's status relative to device, service-side. |
+| **ServiceSubstate** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `OfferReady` | Low-level state of update's status relative to device, service-side. |
+| **ServiceSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | No | | Currently, data isn't gathered to populate this field. Ranking of Substates for sequential ordering in funnel-type views. The rankings between ServiceSubstate and ClientSubstate can be used together. |
+| **ServiceSubstateTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Date and time of last ServiceSubstate transition. |
+| **SourceSystem** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Azure` | |
+| **TargetBuild** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `10.0.18363.836` | The full build for the content this event is tracking. For Windows 10, this string corresponds to "10.0.Build.Revision" |
+| **TargetVersion** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `1909` | The version of content this DeviceUpdateEvent is tracking. For Windows 10 updates, this number would correspond to the year/month version format used, such as 1903. |
+| **TenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `9011c330-1234-5678-9abc-def012345678` | Microsoft Entra tenant ID |
+| **TimeGenerated [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | | `2020-05-14 09:26:03.478039` | Time the snapshot ran can also be the same as EventDateTimeUTC in some cases. |
+| **Type** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `UCServiceUpdateStatus` | The entity type |
+| **UdpateIsSystemManifest** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | | Currently, data isn't gathered to populate this field. This field applies to drivers only. |
+| **UpdateCategory** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
+| **UpdateClassification** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), nonsecurity (quality update), or driver |
+| **UpdateDisplayName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Windows 10 1909` | The long-form display name for the given update. Varies on content type (feature update. quality update) |
+| **UpdateId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `10e519f0-06ae-4141-8f53-afee63e995f0` | This field applies to drivers only. Update ID of the targeted update |
+| **UpdateManufacturer** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Microsoft` | This field applies to drivers only. Manufacturer of update. Microsoft for feature or quality updates, for drivers the name of driver manufacturer. |
+| **UpdateProvider** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Microsoft` | This field applies to drivers only. Update provider of drivers and firmware |
+| **UpdateRecommendedTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | This field applies to drivers only. Date and time when the update was recommended to the device |
+| **UpdateReleaseTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The release date of the update |
+| **UpdateVersion** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `20.0.19.3` | This field applies to drivers only. Update version of drivers or firmware |
+| **UpdateVersionTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | This field applies to drivers only. Update version date time stamp for drivers and firmware |
diff --git a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
index ba81be193a..588cbd8cb6 100644
--- a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
+++ b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
@@ -11,7 +11,7 @@ manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 06/06/2022
+ms.date: 12/06/2023
---
# UCUpdateAlert
@@ -20,36 +20,39 @@ Alert for both client and service updates. Contains information that needs atten
## Schema for UCUpdateAlert
-|Field |Type |Example |Description |
-|---|---|---|---|
-| **AlertClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Error` | Whether this alert is an Error, a Warning, or Informational |
-| **AlertData** | [string](/azure/kusto/query/scalar-data-types/string) {json} | `{ "freeDiskCapacityMb": 3213, "contentSizeMb": 4381}` | An optional string formatted as a json payload containing metadata for the alert. |
-| **AlertId** | [string](/azure/kusto/query/scalar-data-types/string) | `9e107d9d372bb6826bd81d3542a419d6` | The unique identifier of this alert |
-| **AlertRank** | [int](/azure/kusto/query/scalar-data-types/int) | `1000` | Integer ranking of alert for prioritization during troubleshooting |
-| **AlertStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `Active` | Whether this alert is Active, Resolved, or Deleted |
-| **AlertSubtype** | [string](/azure/kusto/query/scalar-data-types/string) | `DiskFull` | The subtype of alert |
-| **AlertType** | [string](/azure/kusto/query/scalar-data-types/string) | `ClientUpdateAlert` | The type of alert such as ClientUpdateAlert or ServiceUpdateAlert. Indicates which fields will be present |
-| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra device ID of the device, if available. |
-| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID of the device. |
-| **ClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadStart` | If the alert is from the client, the ClientSubstate at the time this alert was activated or updated, else empty. |
-| **ClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2300` | Rank of ClientSubstate |
-| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | The deployment this alert is relative to, if there's one. |
-| **Description** | [string](/azure/kusto/query/scalar-data-types/string) | `Disk full` | A localized string translated from a combination of other Alert fields + language preference that describes the issue in detail. |
-| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | The given device's name |
-| **ErrorCode** | [string](/azure/kusto/query/scalar-data-types/string) | `0x8326CFA2D_C3FD` | The error code, if any, that triggered this alert. In the case of client-based explicit alerts, error codes can have extended error codes, which are appended to the error code with an underscore separator. |
-| **ErrorSymName** | [string](/azure/kusto/query/scalar-data-types/string) | `WU_E_DISK_FULL` | The symbolic name that maps to the error code, if any, otherwise empty. |
-| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:1298371934870` | Internal Microsoft Global identifier, if available. |
-| **Recommendation** | [string](/azure/kusto/query/scalar-data-types/string) | `Free up disk space.` | A localized string translated from RecommendedAction, Message, and other fields (depending on the source of the alert) that provides a recommended action. |
-| **ResolvedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time this alert was resolved, else empty. |
-| **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager client ID of the device, if available. |
-| **ServiceSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `OfferReady` | If the alert is from the service, the ServiceSubstate at the time this alert was activated or updated, else empty. |
-| **StartTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time this alert was activated. |
-| **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `18363.836` | The Windows 10 Major. Revision this UpdateAlert is relative to. |
-| **TargetVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10 build this UpdateAlert is relative to. |
-| **TenantId** |[string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID of the device. |
-| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
-| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UpdateAlert` | The entity type. |
-| **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
-| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), non-security (quality update), or driver |
-| **URL** | [string](/azure/kusto/query/scalar-data-types/string) | `aka.ms/errordetail32152` | An optional URL to get more in-depth information related to this alert. |
-| **UpdateId** | [string](/azure/kusto/query/scalar-data-types/string) | `10e519f0-06ae-4141-8f53-afee63e995f0` |Update ID of the targeted update|
+|Field |Type | ENUM |Example |Description |
+|---|---|---|---|---|
+| **AlertClassification** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Error` | Whether this alert is an error, a warning, or informational |
+| **AlertData** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `{ "freeDiskCapacityMb": 3213, "contentSizeMb": 4381}` | An optional string formatted as a json payload containing metadata for the alert. |
+| **AlertId** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `9e107d9d372bb6826bd81d3542a419d6` | The unique identifier of this alert |
+| **AlertRank** |[int](/azure/kusto/query/scalar-data-types/int) | No | `1000` | Integer ranking of alert for prioritization during troubleshooting |
+| **AlertStatus** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Active` | Whether this alert is active, resolved, or deleted |
+| **AlertSubtype** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `DiskFull` | The subtype of alert |
+| **AlertType** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `ClientUpdateAlert` | The type of alert such as ClientUpdateAlert or ServiceUpdateAlert. Indicates which fields are present. |
+| **AzureADDeviceId** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
+| **AzureADTenantId** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
+| **CatalogId** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `b0f410599615e2ce15e6614ac3fc4ec62d80324020351e172edef89091a64f2f` | This field applies to drivers only. The Catalog ID of the update from Windows Update for Business deployment service. |
+| **ClientSubstate** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `DownloadStart` | If the alert is from the client, the ClientSubstate at the time this alert was activated or updated, else empty. |
+| **ClientSubstateRank** |[int](/azure/kusto/query/scalar-data-types/int) | No | `2300` | Rank of ClientSubstate |
+| **DeploymentId** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | The deployment this alert is relative to, if there's one. |
+| **Description** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Disk full` | A localized string translated from a combination of other Alert fields + language preference that describes the issue in detail. |
+| **DeviceName** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `JohnPC-Contoso` | The given device's name |
+| **ErrorCode** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `0x8326CFA2D_C3FD` | The error code, if any, that triggered this alert. In the case of client-based explicit alerts, error codes can have extended error codes, which are appended to the error code with an underscore separator. |
+| **ErrorSymName** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `WU_E_DISK_FULL` | The symbolic name that maps to the error code, if any, otherwise empty. |
+| **GlobalDeviceId** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `g:1298371934870` | Internal Microsoft Global identifier, if available. |
+| **Recommendation** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Free up disk space.` | A localized string translated from RecommendedAction, Message, and other fields (depending on the source of the alert) that provides a recommended action. |
+| **ResolvedTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The time this alert was resolved, else empty. |
+| **SCCMClientId** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration manager client ID of the device, if available. |
+| **ServiceSubstate** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `OfferReady` | If the alert is from the service, the ServiceSubstate at the time this alert was activated or updated, else empty. |
+| **ServiceSubstateRank** |[int](/azure/kusto/query/scalar-data-types/int) | No | | Rank of 'ClientSubstate' |
+| **SourceSystem** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Azure` | |
+| **StartTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The time this alert was activated. |
+| **TargetBuild** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `18363.836` | The Windows 10 Major. Revision this 'UpdateAlert' is relative to. |
+| **TargetVersion** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `1909` | The Windows 10 build this UpdateAlert is relative to. |
+| **TenantId** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID of the device. |
+| **TimeGenerated [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
+| **Type** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `UCUpdateAlert` | The entity type |
+| **UpdateCategory** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
+| **UpdateClassification** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), nonsecurity (quality update), or driver |
+| **UpdateId** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `10e519f0-06ae-4141-8f53-afee63e995f0` | This field applies to drivers only. The Update ID of the targeted update. |
+| **URL** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `aka.ms/errordetail32152` | An optional URL to get more in-depth information related to this alert. |
diff --git a/windows/deployment/update/wufb-reports-schema.md b/windows/deployment/update/wufb-reports-schema.md
index 8a4fc45ecb..75cdcb5587 100644
--- a/windows/deployment/update/wufb-reports-schema.md
+++ b/windows/deployment/update/wufb-reports-schema.md
@@ -11,7 +11,7 @@ manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 11/15/2022
+ms.date: 12/06/2023
---
# Windows Update for Business reports schema
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index df89fc602d..aefcd10aa4 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -9,7 +9,7 @@ ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
ms.topic: how-to
-ms.date: 11/23/2022
+ms.date: 11/14/2023
---
# Configure VDA for Windows subscription activation
@@ -31,7 +31,7 @@ Deployment instructions are provided for the following scenarios:
- VMs must be running a supported version of Windows Pro edition.
- VMs must be joined to Active Directory or Microsoft Entra ID.
-- VMs must be hosted by a Qualified Multitenant Hoster (QMTH). For more information, download the PDF that describes the [Qualified Multitenant Hoster Program](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf).
+- VMs must be hosted by a Qualified Multitenant Hoster (QMTH).
## Activation
diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
index 1cc96ae7ed..71a14f511f 100644
--- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md
+++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
@@ -16,6 +16,7 @@ ms.date: 11/07/2022
**Applies to:**
+- Windows 11
- Windows 10
- Windows 8.1
- Windows 8
@@ -87,8 +88,7 @@ Telephone activation is primarily used in situations where a computer is isolate
- Active Directory-based activation
> [!NOTE]
-> Token-based activation is available for specific situations when approved customers rely on a public key infrastructure in an isolated and high-security environment. For more information, contact your Microsoft Account Team or your service representative.
-Token-based Activation option is available for Windows 10 Enterprise LTSB editions (Version 1507 and 1607).
+> Token-based activation for Windows Enterprise (including LTSC) and Windows Server is available for specific situations when approved customers rely on a public key infrastructure in an isolated and high-security environment. For more information, contact your Microsoft Account Team or your service representative.
### Multiple activation key
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 40769fc671..11b304e822 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -225,26 +225,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf
> [!IMPORTANT]
> Don't attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, don't start the VM outside the PoC network.
-If you don't have a PC available to convert to VM, do the following steps to download an evaluation VM:
-
-1. Open the [Download virtual machines](https://developer.microsoft.com/microsoft-edge/tools/vms/) page.
-
- > [!NOTE]
- > The above link may not be available in all locales.
-
-2. Under **Virtual machine**, choose **IE11 on Win7**.
-
-3. Under **Select platform**, choose **HyperV (Windows)**.
-
-4. Select **Download .zip**. The download is 3.31 GB.
-
-5. Extract the zip file. Three directories are created.
-
-6. Open the **Virtual Hard Disks** directory and then copy **IE11 - Win7.vhd** to the **C:\VHD** directory.
-
-7. Rename **IE11 - Win7.vhd** to **w7.vhd** (don't rename the file to w7.vhdx).
-
-8. In step 5 of the [Configure Hyper-V](#configure-hyper-v) section, replace the VHD file name **w7.vhdx** with **w7.vhd**.
+
If you have a PC available to convert to VM (computer 2):
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 6b8718bf68..b5fc8eb923 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -11,7 +11,7 @@ ms.collection:
- highpri
- tier2
ms.topic: conceptual
-ms.date: 11/23/2022
+ms.date: 11/14/2023
appliesto:
- ✅ Windows 10
- ✅ Windows 11
@@ -39,7 +39,15 @@ This article covers the following information:
For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md).
> [!NOTE]
-> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications), from their Conditional Access policies using **Select Excluded Cloud Apps**. For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
+>
+> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude one of the following cloud apps from their Conditional Access policies using **Select Excluded Cloud Apps**:
+>
+> - [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
+> - [Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
+>
+> Although the app ID is the same in both instances, the name of the cloud app will depend on the tenant.
+>
+> For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
## Subscription activation for Enterprise
@@ -239,7 +247,7 @@ For more information, see [Deploy Windows Enterprise licenses](deploy-enterprise
## Virtual Desktop Access (VDA)
-Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another [qualified multitenant hoster (QMTH)](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf).
+Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another qualified multitenant hoster (QMTH).
Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md).
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
index eb2f5d26d5..e41d8e60f4 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
@@ -1,7 +1,7 @@
---
title: Post-device registration readiness checks
description: This article details how post-device registration readiness checks are performed in Windows Autopatch
-ms.date: 09/16/2022
+ms.date: 09/16/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
index 34a3b93fab..6082093e6d 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
@@ -95,7 +95,7 @@ For the deployment rings that have passed quality updates deferral date, the OOB
2. Under the **Release Announcements** tab, you can view the knowledge base (KB) articles corresponding to deployed OOB and regular Windows quality updates. You can also view the schedules for OOB update releases in the Release Schedule tab.
> [!NOTE]
-> Announcements abd OOB update schedules will be **removed** from the Release announcements tab when the next quality update is released. Further, if quality updates are paused for a deployment ring, the OOB updates will also be paused.
+> Announcements and OOB update schedules will be **removed** from the Release announcements tab when the next quality update is released. Further, if quality updates are paused for a deployment ring, the OOB updates will also be paused.
### Pause and resume a release
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md
index e68ee4d6bd..71b96ec441 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md
@@ -1,7 +1,7 @@
---
title: Quality update trending report
description: Provides a visual representation of the update status trend for all devices over the last 90 days with Autopatch groups.
-ms.date: 05/01/2023
+ms.date: 09/01/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
index 3b72dc6d90..fe9d6b3321 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
@@ -1,7 +1,7 @@
---
title: Maintain the Windows Autopatch environment
description: This article details how to maintain the Windows Autopatch environment
-ms.date: 05/15/2023
+ms.date: 09/15/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
index 690e61a507..20c341551a 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
@@ -1,7 +1,7 @@
---
title: Submit a support request
description: Details how to contact the Windows Autopatch Service Engineering Team and submit support requests
-ms.date: 01/06/2023
+ms.date: 09/06/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
index 54d107d92d..3f0e20c935 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
@@ -4,7 +4,7 @@ metadata:
description: Answers to frequently asked questions about Windows Autopatch.
ms.prod: windows-client
ms.topic: faq
- ms.date: 07/19/2023
+ ms.date: 12/04/2023
audience: itpro
ms.localizationpriority: medium
manager: dougeby
@@ -28,7 +28,7 @@ sections:
Windows Autopatch supports Windows 365 for Enterprise. Windows 365 for Business isn't supported.
- question: Does Windows Autopatch support Windows Education (A3/A5) or Windows Front Line Worker (F3) licensing?
answer: |
- Autopatch isn't available for 'A' or 'F' series licensing.
+ Autopatch isn't available for 'A'. Windows Autopatch supports some 'F' series licensing. For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses).
- question: Will Windows Autopatch support local domain join Windows 10?
answer: |
Windows Autopatch doesn't support local (on-premises) domain join. Windows Autopatch supports [Hybrid AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or pure [Microsoft Entra join](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
@@ -54,8 +54,8 @@ sections:
- [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune. Pilot collection must contain the devices you want to register into Autopatch.)
- question: What are the licensing requirements for Windows Autopatch?
answer: |
- - Windows Autopatch is included with Window 10/11 Enterprise E3 or higher (user-based only). For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses).
- - [Azure AD Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses) (for Co-management)
+ - Windows Autopatch is included with Window 10/11 Enterprise E3 or higher (user-based only) or F3. For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses).
+ - [Azure AD Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses) (for co-management)
- [Microsoft Intune](/mem/intune/fundamentals/licenses) (includes Configuration Manager 2010 or greater via co-management)
- question: Are there hardware requirements for Windows Autopatch?
answer: |
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
index 043db6fb77..0e481d7a66 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
@@ -1,7 +1,7 @@
---
title: Privacy
description: This article provides details about the data platform and privacy compliance for Autopatch
-ms.date: 03/13/2023
+ms.date: 09/13/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: reference
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
index 6588ea5a13..bc26753af7 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
@@ -1,7 +1,7 @@
---
title: Submit a tenant enrollment support request
description: This article details how to submit a tenant enrollment support request
-ms.date: 01/13/2023
+ms.date: 09/13/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
index 8acdf328e5..f7a2045294 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
@@ -1,7 +1,7 @@
---
title: Fix issues found by the Readiness assessment tool
description: This article details how to fix issues found by the Readiness assessment tool.
-ms.date: 01/12/2023
+ms.date: 09/12/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index b0df16842e..f1351f3709 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -1,7 +1,7 @@
---
title: Prerequisites
description: This article details the prerequisites needed for Windows Autopatch
-ms.date: 04/24/2023
+ms.date: 12/04/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
@@ -21,7 +21,7 @@ Getting started with Windows Autopatch has been designed to be easy. This articl
| Area | Prerequisite details |
| ----- | ----- |
-| Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Microsoft Entra ID P1 or P2 and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).
|
| Device management | [Devices must be already enrolled with Microsoft Intune](/mem/intune/user-help/enroll-windows-10-device) prior to registering with Windows Autopatch. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.
|
+
+## November service release
+
+| Message center post number | Description |
+| ----- | ----- |
+| [MC689492](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Planned Maintenance: Service maintenance to improve Windows Autopatch performance |
+
## October 2023
### October feature releases or updates
diff --git a/windows/hub/breadcrumb/toc.yml b/windows/hub/breadcrumb/toc.yml
index 211570e4b0..cb49bed653 100644
--- a/windows/hub/breadcrumb/toc.yml
+++ b/windows/hub/breadcrumb/toc.yml
@@ -1,3 +1,27 @@
-- name: Windows
- tocHref: /windows/
- topicHref: /windows/index
+items:
+ - name: Docs
+ tocHref: /
+ topicHref: /
+ items:
+ - name: Windows
+ tocHref: /windows/
+ topicHref: /windows/resources/
+ items:
+ - name: What's new
+ tocHref: /windows/whats-new/
+ topicHref: /windows/whats-new/
+ - name: Configuration
+ tocHref: /windows/configuration/
+ topicHref: /windows/configuration/
+ - name: Deployment
+ tocHref: /windows/deployment/
+ topicHref: /windows/deployment/
+ - name: Client management
+ tocHref: /windows/client-management/
+ topicHref: /windows/client-management/
+ - name: Privacy
+ tocHref: /windows/privacy/
+ topicHref: /windows/privacy/
+ - name: Security
+ tocHref: /windows/security/
+ topicHref: /windows/security/
\ No newline at end of file
diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json
index 404d7adbfb..ed4832af6d 100644
--- a/windows/hub/docfx.json
+++ b/windows/hub/docfx.json
@@ -39,13 +39,13 @@
"tier1"
],
"audience": "ITPro",
+ "zone_pivot_group_filename": "resources/zone-pivot-groups.json",
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-Windows",
"ms.technology": "itpro-fundamentals",
"ms.topic": "article",
- "feedback_system": "GitHub",
- "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
- "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
+ "feedback_system": "Standard",
+ "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-hub",
@@ -61,7 +61,10 @@
"jborsecnik",
"tiburd",
"garycentric",
- "beccarobins"
+ "beccarobins",
+ "Stacyrch140",
+ "v-stsavell",
+ "American-Dipper"
]
},
"fileMetadata": {},
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index 83dda7c0fe..e651c1901d 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -10,24 +10,23 @@ metadata:
ms.topic: hub-page
ms.prod: windows-client
ms.collection:
- - highpri
- tier1
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
- ms.date: 09/26/2023
+ ms.date: 10/31/2023
highlightedContent:
items:
- title: Get started with Windows 11
itemType: get-started
url: /windows/whats-new/windows-11-overview
- - title: Windows 11, version 22H2
+ - title: Windows 11, version 23H2
itemType: whats-new
- url: /windows/whats-new/whats-new-windows-11-version-22H2
- - title: Windows 11, version 22H2 group policy settings reference
+ url: /windows/whats-new/whats-new-windows-11-version-23h2
+ - title: Windows 11, version 23H2 group policy settings reference
itemType: download
- url: https://www.microsoft.com/en-us/download/details.aspx?id=104594
+ url: https://www.microsoft.com/download/details.aspx?id=105668
- title: Windows release health
itemType: whats-new
url: /windows/release-health
diff --git a/windows/hub/zone-pivot-groups.yml b/windows/hub/zone-pivot-groups.yml
new file mode 100644
index 0000000000..d426e4da0f
--- /dev/null
+++ b/windows/hub/zone-pivot-groups.yml
@@ -0,0 +1,18 @@
+# YamlMime:ZonePivotGroups
+groups:
+- id: windows-versions-11-10
+ title: Windows versions
+ prompt: "Select the Windows version you want to learn about:"
+ pivots:
+ - id: windows-11
+ title: Windows 11
+ - id: windows-10
+ title: Windows 10
+- id: windows-editions-proent-proedu
+ title: Windows editions
+ prompt: "Select the Windows edition you want to learn about:"
+ pivots:
+ - id: windows-pro
+ title: Windows Pro Edu/Education
+ - id: windows-ent
+ title: Windows Pro/Enterprise
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
index 4efbc4d3f5..c574ccb678 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
@@ -27,7 +27,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
-- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
+- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
- [Required diagnostic events and fields for Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
index eea8e6ddd5..f4ff30a23c 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
@@ -27,7 +27,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
-- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
+- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
- [Required diagnostic events and fields for Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
index a8356f8456..f5bdec7600 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
@@ -27,7 +27,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
-- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
+- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
- [Required diagnostic events and fields for Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
index 3d03e6bc7b..56be393273 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -26,7 +26,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
-- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
+- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
- [Required diagnostic events and fields for Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
index 9ae71c39f5..875429c841 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
@@ -28,7 +28,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
-- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
+- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
- [Required diagnostic events and fields for Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
index 945499c4b7..0eb6b38dc9 100644
--- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md
+++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
@@ -75,7 +75,7 @@ Customers who use services that depend on Windows diagnostic data, such as [Micr
> [!NOTE]
> The information in this section applies to the following versions of Windows:
> - Windows 10, versions 20H2, 21H2, 22H2, and newer
-> - Windows 11, versions 21H2, 22H2, and newer
+> - Windows 11, versions 21H2, 22H2, 23H2, and newer
Previously, IT admins could use policies (for example, the “Allow commercial data pipeline” policy) at the individual device level to enroll devices in the Windows diagnostic data processor configuration.
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index 3c8c0f57d5..c47bf6303c 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -336,7 +336,7 @@ Tenants with billing addresses in countries or regions in the Middle East and Af
> [!NOTE]
> The information in this section applies to the following versions of Windows:
> - Windows 10, versions 20H2, 21H2, 22H2, and newer
-> - Windows 11, versions 21H2, 22H2, and newer
+> - Windows 11, versions 21H2, 22H2, 23H2, and newer
Starting with the January 2023 preview cumulative update, how you enable the processor configuration option depends on the billing address of the Azure AD tenant to which your devices are joined.
diff --git a/windows/privacy/copilot-supplemental-terms.md b/windows/privacy/copilot-supplemental-terms.md
index 55b0a3386a..caf816b1d7 100644
--- a/windows/privacy/copilot-supplemental-terms.md
+++ b/windows/privacy/copilot-supplemental-terms.md
@@ -35,9 +35,9 @@ Copilot in Windows is your AI companion that brings productivity to your fingert
3. Bing Chat
- a. Your Copilot in Windows experiences powered by Bing Chat are subject to [Bing Chat’s terms of use](https://go.microsoft.com/fwlink/p/?linkid=2247757).
+ a. Your Copilot in Windows experiences powered by Bing Chat are subject to [Bing Chat’s terms of use](https://www.bing.com/new/termsofuse).
- b. If your organization is allowing you to use Bing Chat Enterprise, your Copilot in Windows experiences will be powered by Bing Chat Enterprise and will be subject to [Bing Chat Enterprise’s terms of use](https://go.microsoft.com/fwlink/p/?linkid=2247908).
+ b. If your organization is allowing you to use Bing Chat Enterprise, your Copilot in Windows experiences will be powered by Bing Chat Enterprise and will be subject to [Bing Chat Enterprise’s terms of use](/bing-chat-enterprise/terms-of-use).
4. Using Copilot in Windows
diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json
index 35522da4b4..c7cbe8e448 100644
--- a/windows/privacy/docfx.json
+++ b/windows/privacy/docfx.json
@@ -39,9 +39,8 @@
"uhfHeaderId": "MSDocsHeader-Windows",
"ms.technology": "itpro-privacy",
"ms.topic": "article",
- "feedback_system": "GitHub",
- "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
- "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
+ "feedback_system": "Standard",
+ "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.privacy",
@@ -57,7 +56,7 @@
"jborsecnik",
"tiburd",
"garycentric",
- "beccarobins",
+ "beccarobins",
"Stacyrch140",
"v-stsavell",
"American-Dipper"
diff --git a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
index 6ec3eb3ad7..f79b3dd872 100644
--- a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
+++ b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
@@ -1,6 +1,6 @@
---
-description: Learn more about the Windows 11, version 22H2 diagnostic data gathered.
-title: Required diagnostic events and fields for Windows 11, version 22H2
+description: Learn more about the diagnostic data gathered for Windows 11, versions 23H2 and 22H2.
+title: Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2
keywords: privacy, telemetry
ms.prod: windows-client
ms.technology: itpro-privacy
@@ -8,15 +8,15 @@ localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: laurawi
-ms.date: 09/26/2023
+ms.date: 10/31/2023
ms.topic: reference
---
+# Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2
-# Required diagnostic events and fields for Windows 11, version 22H2
-
- **Applies to**
+**Applies to**
+- Windows 11, version 23H2
- Windows 11, version 22H2
Required diagnostic data gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store.
@@ -199,13 +199,14 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd
-This event sends blocking data about any compatibility blocking entries on the system that are not directly related to specific applications or devices, to help keep Windows up to date.
+This event sends blocking data about any compatibility blocking entries on the system that aren't directly related to specific applications or devices, to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
The following fields are available:
- **AppraiserVersion** The version of the appraiser file generating the events.
+- **SdbEntries** Deprecated in RS3.
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove
@@ -221,13 +222,14 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
-This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up to date.
+This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that aren't keyed by either applications or devices, to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
The following fields are available:
- **AppraiserVersion** The version of the appraiser file generating the events.
+- **SdbEntries** Deprecated in RS3.
### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd
@@ -239,6 +241,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
The following fields are available:
- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **SdbEntries** Deprecated in RS3.
### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync
@@ -273,14 +276,14 @@ The following fields are available:
- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate?
- **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked?
- **BlockingDevice** Is this PNP device blocking upgrade?
-- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS?
+- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and doesn't have a driver included with the OS?
- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device?
- **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device?
- **DisplayGenericMessageGated** Indicates whether a generic message will be shown during Setup for this PNP device.
- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device?
- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update?
- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device?
-- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden?
+- **DriverBlockOverridden** Is there a driver block on the device that has been overridden?
- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device?
- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS?
- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade?
@@ -311,7 +314,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd
-This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
+This event sends compatibility decision data about blocking entries on the system that aren't keyed by either applications or devices, to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -350,7 +353,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd
-This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
+This event sends compatibility decision data about non-blocking entries on the system that aren't keyed by either applications or devices, to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -396,7 +399,7 @@ The following fields are available:
- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app?
- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade?
- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app?
-- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade).
+- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but isn't blocking upgrade).
### Microsoft.Windows.Appraiser.General.DecisionSModeStateAdd
@@ -498,7 +501,7 @@ The following fields are available:
- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64.
- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets.
- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets.
-- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata.
+- **BoeProgramId** If there's no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata.
- **CompanyName** The company name of the vendor who developed this file.
- **FileId** A hash that uniquely identifies a file.
- **FileVersion** The File version field from the file metadata under Properties -> Details.
@@ -939,10 +942,10 @@ The following fields are available:
- **PCFP** An ID for the system calculated by hashing hardware identifiers.
- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal.
- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row.
-- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
+- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it's understood that data events won't be received from this device.
- **RunDate** The date that the diagnostic data run was stated, expressed as a filetime.
- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
-- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
+- **RunOnline** Indicates if appraiser was able to connect to Windows Update and therefore is making decisions using up-to-date driver coverage information.
- **RunResult** The hresult of the Appraiser diagnostic data run.
- **ScheduledUploadDay** The day scheduled for the upload.
- **SendingUtc** Indicates whether the Appraiser client is sending events during the current diagnostic data run.
@@ -956,7 +959,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.WmdrmAdd
-This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place.
+This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data doesn't indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -968,7 +971,7 @@ The following fields are available:
- **WmdrmApiResult** Raw value of the API used to gather DRM state.
- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs.
- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased.
-- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed.
+- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup wasn't dismissed.
- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses.
- **WmdrmPurchased** Indicates if the system has any files with permanent licenses.
@@ -995,7 +998,7 @@ The following fields are available:
- **AzureOSIDPresent** Represents the field used to identify an Azure machine.
- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
- **CDJType** Represents the type of cloud domain joined for the machine.
-- **CommercialId** Represents the GUID for the commercial entity which the device is a member of. Will be used to reflect insights back to customers.
+- **CommercialId** Represents the GUID for the commercial entity that the device is a member of. Will be used to reflect insights back to customers.
- **ContainerType** The type of container, such as process or virtual machine hosted.
- **EnrollmentType** Defines the type of MDM enrollment on the device.
- **HashedDomain** The hashed representation of the user domain used for login.
@@ -1007,7 +1010,7 @@ The following fields are available:
- **MDMServiceProvider** A hash of the specific MDM authority, such as Microsoft Intune, that is managing the device.
- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an enterprise Configuration Manager environment.
-- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
+- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
- **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier
@@ -1018,7 +1021,7 @@ This event sends data about the memory on the device, including ROM and RAM. The
The following fields are available:
- **TotalPhysicalRAM** Represents the physical memory (in MB).
-- **TotalVisibleMemory** Represents the memory that is not reserved by the system.
+- **TotalVisibleMemory** Represents the memory that isn't reserved by the system.
### Census.Network
@@ -1028,8 +1031,8 @@ This event sends data about the mobile and cellular network used by the device (
The following fields are available:
- **CellularModemHWInstanceId0** HardwareInstanceId of the embedded Mobile broadband modem, as reported and used by PnP system to identify the WWAN modem device in Windows system. Empty string (null string) indicates that this property is unknown for telemetry.
-- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage.
-- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage.
+- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft doesn't have access to mobile operator billing data so collecting this data doesn't expose or identify the user. The two fields represent phone with dual sim coverage.
+- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft doesn't have access to mobile operator billing data so collecting this data doesn't expose or identify the user. The two fields represent phone with dual sim coverage.
- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
@@ -1046,7 +1049,7 @@ The following fields are available:
### Census.OS
-This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device. The data collected with this event is used to help keep Windows secure and up to date.
+This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it's a virtual device. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1063,7 +1066,7 @@ The following fields are available:
- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go
- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI.
- **LanguagePacks** The list of language packages installed on the device.
-- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store.
+- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we're running an OS License granted by the MS store.
- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine.
- **OSEdition** Retrieves the version of the current OS.
- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc
@@ -1080,7 +1083,7 @@ The following fields are available:
- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy.
- **ServiceProductKeyID** Retrieves the License key of the KMS
- **SharedPCMode** Returns Boolean for devices that have enabled the configuration EnableSharedPCMode.
-- **Signature** Retrieves if it is a signature machine sold by Microsoft store.
+- **Signature** Retrieves if it's a signature machine sold by Microsoft store.
- **SLICStatus** Whether a SLIC table exists on the device.
- **SLICVersion** Returns OS type/version from SLIC table.
@@ -1148,12 +1151,6 @@ The following fields are available:
- **Language** String containing the incompatible language pack detected.
-### MicrosoftWindowsCodeIntegrityTraceLoggingProvider.CodeIntegrityHvciSysprepHvciAlreadyEnabled
-
-This event fires when HVCI is already enabled so no need to continue auto-enablement.
-
-
-
## Common data extensions
### Common Data Extensions.app
@@ -1192,7 +1189,7 @@ Describes the device-related fields.
The following fields are available:
- **deviceClass** The device classification. For example, Desktop, Server, or Mobile.
-- **localId** A locally-defined unique ID for the device. This is not the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId
+- **localId** A locally-defined unique ID for the device. This isn't the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId
- **make** Device manufacturer.
- **model** Device model.
@@ -1262,7 +1259,7 @@ The following fields are available:
- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token.
- **locale** The language and region.
-- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID.
+- **localId** Represents a unique user identity that is created locally and added by the client. This isn't the user's account ID.
### Common Data Extensions.utc
@@ -1285,7 +1282,7 @@ The following fields are available:
- **popSample** Represents the effective sample rate for this event at the time it was generated by a client.
- **providerGuid** The ETW provider ID associated with the provider name.
- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW.
-- **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server.
+- **seq** Represents the sequence field used to track absolute order of uploaded events. It's an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server.
- **sqmId** The Windows SQM (Software Quality Metrics—a precursor of Windows 10 Diagnostic Data collection) device identifier.
- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID.
- **wcmp** The Windows Shell Composer ID.
@@ -1316,6 +1313,7 @@ The following fields are available:
- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts.
- **xid** A list of base10-encoded XBOX User IDs.
+
## Common data fields
### Ms.Device.DeviceInventoryChange
@@ -1330,7 +1328,6 @@ The following fields are available:
- **objectType** Indicates the object type that the event applies to.
- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
-
## Component-based servicing events
### CbsServicingProvider.CbsCapabilitySessionFinalize
@@ -1357,11 +1354,11 @@ The following fields are available:
### CbsServicingProvider.CbsLateAcquisition
-This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade, to help keep Windows up to date.
+This event sends data to indicate if some Operating System packages couldn't be updated as part of an upgrade, to help keep Windows up to date.
The following fields are available:
-- **Features** The list of feature packages that could not be updated.
+- **Features** The list of feature packages that couldn't be updated.
- **RetryID** The ID identifying the retry attempt to update the listed packages.
@@ -1440,12 +1437,12 @@ The following fields are available:
### TelClientSynthetic.AbnormalShutdown_0
-This event sends data about boot IDs for which a normal clean shutdown was not observed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+This event sends data about boot IDs for which a normal clean shutdown wasn't observed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
- **AbnormalShutdownBootId** BootId of the abnormal shutdown being reported by this event.
-- **AbsCausedbyAutoChk** This flag is set when AutoCheck forces a device restart to indicate that the shutdown was not an abnormal shutdown.
+- **AbsCausedbyAutoChk** This flag is set when AutoCheck forces a device restart to indicate that the shutdown wasn't an abnormal shutdown.
- **AcDcStateAtLastShutdown** Identifies if the device was on battery or plugged in.
- **BatteryLevelAtLastShutdown** The last recorded battery level.
- **BatteryPercentageAtLastShutdown** The battery percentage at the last shutdown.
@@ -1486,7 +1483,7 @@ The following fields are available:
- **PowerButtonPressLastPowerWatchdogStage** Progress while the monitor is being turned on.
- **PowerButtonPressPowerWatchdogArmed** Indicates whether or not the watchdog for the monitor was active at the time of the last power button press.
- **ShutdownDeviceType** Identifies who triggered a shutdown. Is it because of battery, thermal zones, or through a Kernel API.
-- **SleepCheckpoint** Provides the last checkpoint when there is a failure during a sleep transition.
+- **SleepCheckpoint** Provides the last checkpoint when there's a failure during a sleep transition.
- **SleepCheckpointSource** Indicates whether the source is the EFI variable or bootstat file.
- **SleepCheckpointStatus** Indicates whether the checkpoint information is valid.
- **StaleBootStatData** Identifies if the data from bootstat is stale.
@@ -1514,26 +1511,26 @@ The following fields are available:
### TelClientSynthetic.AuthorizationInfo_Startup
-This event is fired by UTC at startup to signal what data we are allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+This event is fired by UTC at startup to signal what data we're allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise.
-- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise.
-- **CanCollectClearUserIds** True if we are allowed to collect clear user IDs, false if we can only collect omitted IDs.
+- **CanCollectAnyTelemetry** True if we're allowed to collect partner telemetry, false otherwise.
+- **CanCollectClearUserIds** True if we're allowed to collect clear user IDs, false if we can only collect omitted IDs.
- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise.
- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise.
- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise.
- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise.
-- **CanIncludeDeviceNameInDiagnosticData** True if we are allowed to add the device name to diagnostic data, false otherwise.
+- **CanIncludeDeviceNameInDiagnosticData** True if we're allowed to add the device name to diagnostic data, false otherwise.
- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise.
- **CanPerformSiufEscalations** True if we can perform System Initiated User Feedback escalation collection, false otherwise.
- **CanReportScenarios** True if we can report scenario completions, false otherwise.
- **CanReportUifEscalations** True if we can perform User Initiated Feedback escalation collection, false otherwise.
- **CanUseAuthenticatedProxy** True if we can use an authenticated proxy to send data, false otherwise.
-- **IsProcessorMode** True if it is Processor Mode, false otherwise.
+- **IsProcessorMode** True if it's Processor Mode, false otherwise.
- **PreviousPermissions** Bitmask of previous telemetry state.
-- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise.
+- **TransitionFromEverythingOff** True if we're transitioning from all telemetry being disabled, false otherwise.
### TelClientSynthetic.ConnectivityHeartBeat_0
@@ -1601,7 +1598,7 @@ The following fields are available:
- **VortexHttpAttempts** Number of attempts to contact Vortex.
- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex.
- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex.
-- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400.
+- **VortexHttpResponseFailures** Number of Vortex responses that aren't 2XX or 400.
- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event.
@@ -1625,7 +1622,7 @@ The following fields are available:
### Microsoft.Windows.DriverInstall.NewDevInstallDeviceEnd
-This event sends data about the driver installation once it is completed. The data collected with this event is used to help keep Windows up to date and performing properly.
+This event sends data about the driver installation once it's completed. The data collected with this event is used to help keep Windows up to date and performing properly.
The following fields are available:
@@ -1667,7 +1664,7 @@ The following fields are available:
### Microsoft.Windows.FaultReporting.AppCrashEvent
-This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event.
+This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It doesn't contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event.
The following fields are available:
@@ -1677,7 +1674,7 @@ The following fields are available:
- **AppVersion** The version of the app that has crashed.
- **ExceptionCode** The exception code returned by the process that has crashed.
- **ExceptionOffset** The address where the exception had occurred.
-- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting.
+- **Flags** Flags indicating how reporting is done. For example, queue the report, don't offer JIT debugging, or don't terminate the process after reporting.
- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name.
- **IsFatal** True/False to indicate whether the crash resulted in process termination.
- **ModName** Exception module name (e.g. bar.dll).
@@ -1731,7 +1728,7 @@ The following fields are available:
### Microsoft.Windows.HangReporting.AppHangEvent
-This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
+This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It doesn't contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
The following fields are available:
@@ -1750,13 +1747,38 @@ The following fields are available:
- **TargetAsId** The sequence number for the hanging process.
- **TypeCode** Bitmap describing the hang type.
- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application.
-- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting.
-- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting.
+- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it's waiting.
+- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it's waiting.
- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package.
## Holographic events
+### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Entered
+
+This event sends data indicating the start of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **SessionID** Unique value for each attempt.
+- **TargetAsId** The sequence number for the process.
+- **windowInstanceId** Unique value for each window instance.
+
+
+### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Leave
+
+This event sends data indicating the end of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **EventHistory** Unique number of event history.
+- **ExternalComponentState** State of external component.
+- **LastEvent** Unique number of last event.
+- **SessionID** Unique value for each attempt.
+- **TargetAsId** The sequence number for the process.
+- **windowInstanceId** Unique value for each window instance.
+
+
### Microsoft.Windows.Analog.Spectrum.TelemetryHolographicSpaceCreated
This event indicates the state of Windows holographic scene. The data collected with this event is used to keep Windows performing properly.
@@ -1821,7 +1843,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
-This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. The data collected with this event is used to keep Windows performing properly.
+This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they'll always represent a count of a given object. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -2124,6 +2146,23 @@ The following fields are available:
- **ServiceName** The name of the driver or service attached to the device.
+### Microsoft.Windows.Kernel.Power.AbnormalShutdown
+
+This event provides diagnostic information of the most recent abnormal shutdown.
+
+The following fields are available:
+
+- **BootEnvironment** Errors from boot environment.
+- **BootStatValid** Status of bootstat file.
+- **Bugcheck** Bugcheck information.
+- **CrashDump** Crash dump information.
+- **CurrentBootId** ID of this boot.
+- **FirmwareReset** System reset by firmware.
+- **LastShutdownBootId** BootID of last shutdown.
+- **LongPowerButtonHold** Long power button hold information.
+- **SystemStateTransition** State transition information.
+- **Watchdog** Watchdog information.
+
## Microsoft Edge events
### Aria.af397ef28e484961ba48646a5d38cf54.Microsoft.WebBrowser.Installer.EdgeUpdate.Ping
@@ -2133,7 +2172,7 @@ This Ping event sends a detailed inventory of software and hardware information
The following fields are available:
- **appAp** Any additional parameters for the specified application. Default: ''.
-- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. Please see the wiki for additional information. Default: undefined.
+- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. Default: undefined.
- **appBrandCode** The brand code under which the product was installed, if any. A brand code is a short (4-character) string used to identify installations that took place as a result of partner deals or website promotions. Default: ''.
- **appChannel** An integer indicating the channel of the installation (i.e. Canary or Dev).
- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''.
@@ -2141,15 +2180,15 @@ The following fields are available:
- **appCohortHint** A machine-readable enum indicating that the client has a desire to switch to a different release cohort. The exact legal values are app-specific and should be shared between the server and app implementations. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
- **appCohortName** A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort Name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
- **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited.
-- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value is not known. Please see the wiki for additional information. Default: '-2'.
-- **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client should not transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''.
+- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value isn't known. Default: '-2'.
+- **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client shouldn't transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''.
- **appInstallTime** The product install time in seconds. '0' if unknown. Default: '-1'.
- **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'.
- **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''.
- **appLastLaunchTime** The time when browser was last launched.
-- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'.
+- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Default: '0.0.0.0'.
- **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'.
-- **appPingEventDoneBeforeOOBEComplete** Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event was not completed before OOBE finishes; -1 means the field does not apply.
+- **appPingEventDoneBeforeOOBEComplete** Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event wasn't completed before OOBE finishes; -1 means the field doesn't apply.
- **appPingEventDownloadMetricsCdnCCC** ISO 2 character country or region code that matches to the country or region updated binaries are delivered from. E.g.: US.
- **appPingEventDownloadMetricsCdnCID** Numeric value used to internally track the origins of the updated binaries. For example, 2.
- **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
@@ -2161,31 +2200,31 @@ The following fields are available:
- **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
- **appPingEventDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
- **appPingEventErrorCode** The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'.
-- **appPingEventEventResult** An enum indicating the result of the event. Please see the wiki for additional information. Default: '0'.
-- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute. Please see the wiki for additional information.
+- **appPingEventEventResult** An enum indicating the result of the event. Default: '0'.
+- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute.
- **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'.
- **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'.
- **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'.
-- **appPingEventPackageCacheResult** Whether there is an existing package cached in the system to update or install. 1 means that there's a cache hit under the expected key, 2 means there's a cache hit under a different key, 0 means that there's a cache miss. -1 means the field does not apply.
+- **appPingEventPackageCacheResult** Whether there's an existing package cached in the system to update or install. 1 means that there's a cache hit under the expected key, 2 means there's a cache hit under a different key, 0 means that there's a cache miss. -1 means the field doesn't apply.
- **appPingEventSequenceId** An id that uniquely identifies particular events within one requestId. Since a request can contain multiple ping events, this field is necessary to uniquely identify each possible event.
- **appPingEventSourceUrlIndex** For events representing a download, the position of the download URL in the list of URLs supplied by the server in a "urls" tag.
- **appPingEventUpdateCheckTimeMs** For events representing an entire update flow, the time elapsed between the start of the update check and the end of the update check, in milliseconds. Sent in events that have an event type of '2' and '3' only. Default: '0'.
- **appReferralHash** The hash of the referral code used to install the product. '0' if unknown. Default: '0'.
-- **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they have not.
-- **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server should not return an update instruction to a version number that does not match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it is not a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''.
+- **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they haven't.
+- **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server shouldn't return an update instruction to a version number that doesn't match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it isn't a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''.
- **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''.
-- **appVersion** The version of the product install. Please see the wiki for additional information. Default: '0.0.0.0'.
+- **appVersion** The version of the product install. Default: '0.0.0.0'.
- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
-- **eventType** A string indicating the type of the event. Please see the wiki for additional information.
+- **eventType** A string indicating the type of the event.
- **expETag** An identifier representing all service applied configurations and experiments when current update happens. Used for testing only.
- **hwDiskType** Device’s hardware disk type.
-- **hwHasAvx** '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware does not support the AVX instruction set. '-1' if unknown. Default: '-1'.
-- **hwHasSse** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware does not support the SSE instruction set. '-1' if unknown. Default: '-1'.
-- **hwHasSse2** '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware does not support the SSE2 instruction set. '-1' if unknown. Default: '-1'.
-- **hwHasSse3** '1' if the client's hardware supports the SSE3 instruction set. '0' if the client's hardware does not support the SSE3 instruction set. '-1' if unknown. Default: '-1'.
-- **hwHasSse41** '1' if the client's hardware supports the SSE4.1 instruction set. '0' if the client's hardware does not support the SSE4.1 instruction set. '-1' if unknown. Default: '-1'.
-- **hwHasSse42** '1' if the client's hardware supports the SSE4.2 instruction set. '0' if the client's hardware does not support the SSE4.2 instruction set. '-1' if unknown. Default: '-1'.
-- **hwHasSsse3** '1' if the client's hardware supports the SSSE3 instruction set. '0' if the client's hardware does not support the SSSE3 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasAvx** '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware doesn't support the AVX instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware doesn't support the SSE instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse2** '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware doesn't support the SSE2 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse3** '1' if the client's hardware supports the SSE3 instruction set. '0' if the client's hardware doesn't support the SSE3 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse41** '1' if the client's hardware supports the SSE4.1 instruction set. '0' if the client's hardware doesn't support the SSE4.1 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse42** '1' if the client's hardware supports the SSE4.2 instruction set. '0' if the client's hardware doesn't support the SSE4.2 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSsse3** '1' if the client's hardware supports the SSSE3 instruction set. '0' if the client's hardware doesn't support the SSSE3 instruction set. '-1' if unknown. Default: '-1'.
- **hwLogicalCpus** Number of logical CPUs of the device.
- **hwPhysmemory** The physical memory available to the client, truncated down to the nearest gibibyte. '-1' if unknown. This value is intended to reflect the maximum theoretical storage capacity of the client, not including any hard drive or paging to a hard drive or peripheral. Default: '-1'.
- **isMsftDomainJoined** '1' if the client is a member of a Microsoft domain. '0' otherwise. Default: '0'.
@@ -2206,26 +2245,10 @@ The following fields are available:
- **requestRequestId** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha request. Each request attempt should have (with high probability) a unique request id. Default: ''.
- **requestSessionCorrelationVectorBase** A client generated random MS Correlation Vector base code used to correlate the update session with update and CDN servers. Default: ''.
- **requestSessionId** A randomly-generated (uniformly distributed) GUID. Each single update flow (e.g. update check, update application, event ping sequence) should have (with high probability) a single unique session ID. Default: ''.
-- **requestTestSource** Either '', 'dev', 'qa', 'prober', 'auto', or 'ossdev'. Any value except '' indicates that the request is a test and should not be counted toward normal metrics. Default: ''.
+- **requestTestSource** Either '', 'dev', 'qa', 'prober', 'auto', or 'ossdev'. Any value except '' indicates that the request is a test and shouldn't be counted toward normal metrics. Default: ''.
- **requestUid** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha user. Each request attempt SHOULD have (with high probability) a unique request id. Default: ''.
-### Microsoft.Edge.Crashpad.HangEvent
-
-This event sends simple Product and Service Performance data on a hanging/frozen Microsoft Edge browser process to help mitigate future instances of the hang.
-
-The following fields are available:
-
-- **app_name** The name of the hanging process.
-- **app_session_guid** Encodes the boot session, process, and process start time.
-- **app_version** The version of the hanging process.
-- **client_id_hash** Hash of the browser client id to help identify the installation.
-- **etag** Identifier to help identify running browser experiments.
-- **hang_source** Identifies how the hang was detected.
-- **process_type** The type of the hanging browser process, for example, gpu-process, renderer, etc.
-- **stack_hash** A hash of the hanging stack. Currently not used or set to zero.
-
-
## OneSettings events
### Microsoft.Windows.OneSettingsClient.Status
@@ -2242,7 +2265,7 @@ The following fields are available:
### Microsoft.Windows.Shell.Oobe.ZDP.ZdpTaskCancelled
-This event is the result of an attempt to cancel ZDP task.
+This event is the result of an attempt to cancel ZDP task
The following fields are available:
@@ -2252,30 +2275,20 @@ The following fields are available:
## Other events
-### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Entered
+### Microsoft.Edge.Crashpad.HangEvent
-This event sends data indicating the start of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
+This event sends simple Product and Service Performance data on a hanging/frozen Microsoft Edge browser process to help mitigate future instances of the hang.
The following fields are available:
-- **SessionID** Unique value for each attempt.
-- **TargetAsId** The sequence number for the process.
-- **windowInstanceId** Unique value for each window instance.
-
-
-### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Leave
-
-This event sends data indicating the end of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
-
-The following fields are available:
-
-- **EventHistory** Unique number of event history.
-- **ExternalComponentState** State of external component.
-- **LastEvent** Unique number of last event.
-- **SessionID** Unique value for each attempt.
-- **TargetAsId** The sequence number for the process.
-- **windowInstanceId** Unique value for each window instance.
-
+- **app_name** The name of the hanging process.
+- **app_session_guid** Encodes the boot session, process, and process start time.
+- **app_version** The version of the hanging process.
+- **client_id_hash** Hash of the browser client id to help identify the installation.
+- **etag** Identifier to help identify running browser experiments.
+- **hang_source** Identifies how the hang was detected.
+- **process_type** The type of the hanging browser process, for example, gpu-process, renderer, etc.
+- **stack_hash** A hash of the hanging stack. Currently not used or set to zero.
### Microsoft.Windows.Defender.Engine.Maps.Heartbeat
@@ -2302,6 +2315,77 @@ The following fields are available:
- **SignatureRing** Signature ring used for deployments
- **SigVersion** Version of signature VDMs
+### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState
+
+This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **CV** The correlation vector.
+- **GlobalEventCounter** The global event counter for all telemetry on the device.
+- **UpdateAssistantStateDownloading** True at the start Downloading.
+- **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication.
+- **UpdateAssistantStateInitializingStates** True at the start of InitializingStates.
+- **UpdateAssistantStateInstalling** True at the start of Installing.
+- **UpdateAssistantStatePostInstall** True at the start of PostInstall.
+- **UpdateAssistantVersion** Current package version of UpdateAssistant.
+
+
+### MicrosoftWindowsCodeIntegrityTraceLoggingProvider.CodeIntegrityHvciSysprepHvciAlreadyEnabled
+
+This event fires when HVCI is already enabled so no need to continue auto-enablement.
+
+
+
+### ShellWNSRegistration.SLSChannelRegistrationFailed
+
+This event is logged when the upload of a channel URI to the SLS service fails.
+
+The following fields are available:
+
+- **baseData** JSON blob.
+- **baseType** PartB schema type.
+- **RetryAttempt** The retry attempt number for attempting to open and register the channel.
+- **RetryTimeInMilliseconds** The amount of time taken to retry the channel request in milliseconds.
+
+
+### ShellWNSRegistration.SLSChannelRegistrationSuccess
+
+This event is logged when a channel URI is successfully uploaded to the SLS service.
+
+The following fields are available:
+
+- **RegistrationPayload** JSON payload containing Channel Uri and other data uploaded to SLS.
+- **RetryAttempts** The retry attempt number for attempting to open and register the channel.
+- **RetryTimeInMilliseconds** The amount of time taken to retry the channel request in milliseconds.
+- **TitleId** TitleId for which channel is uploaded.
+
+
+### ShellWNSRegistration.WNSChannelRequestFailed
+
+This event is logged when a Channel Request fails. Contains error code and AppUserModelId for which channel was requested.
+
+The following fields are available:
+
+- **baseData** JSON blob.
+- **baseType** PartB schema type.
+- **RetryAttempt** The retry attempt number for attempting to open and register the channel.
+- **RetryTimeInMilliseconds** The amount of time taken to retry the channel request in milliseconds.
+
+
+### ShellWNSRegistration.WNSChannelRequestSuccess
+
+This event is triggered immediately following the completion of a Channel Request API call. Contains channel URI and AppUserModelId for which channel was requested.
+
+The following fields are available:
+
+- **AppUserModelId** Unique identifier for app requesting a channel.
+- **ChannelUri** Channel URI returned by WNS.
+- **RetryAttempt** The retry attempt number for attempting to open and register the channel.
+- **RetryTimeInMilliseconds** The amount of time taken to retry the channel request in milliseconds.
+
+
+
## Privacy consent logging events
### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
@@ -2320,13 +2404,13 @@ The following fields are available:
### Microsoft.Windows.Setup.WinSetupMon.ProtectionViolation
-This event provides information about move or deletion of a file or a directory which is being monitored for data safety during feature updates. The data collected with this event is used to help keep Windows up to date.
+This event provides information about move or deletion of a file or a directory that is being monitored for data safety during feature updates. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
-- **Path** Path to the file or the directory which is being moved or deleted.
-- **Process** Path to the process which is requesting the move or the deletion.
-- **SessionId** Identifier to correlate this component's telemetry with that of others.
+- **Path** Path to the file or the directory that is being moved or deleted.
+- **Process** Path to the process that is requesting the move or the deletion.
+- **SessionId** Identifier to correlate this component's telemetry with that of others.
- **TargetPath** (Optional) If the operation is a move, the target path to which the file or directory is being moved.
@@ -2337,7 +2421,7 @@ Provides details about error in the functioning of upgrade data safety monitorin
The following fields are available:
- **Message** Text string describing the error condition.
-- **SessionId** Identifier to correlate this component's telemetry with that of others.
+- **SessionId** Identifier to correlate this component's telemetry with that of others.
- **Status** NTSTATUS code related to the error.
@@ -2526,24 +2610,6 @@ The following fields are available:
- **UpdateAttempted** Indicates if installation of the current update has been attempted before.
-## Update Assistant events
-
-### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState
-
-This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date.
-
-The following fields are available:
-
-- **CV** The correlation vector.
-- **GlobalEventCounter** The global event counter for all telemetry on the device.
-- **UpdateAssistantStateDownloading** True at the start Downloading.
-- **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication.
-- **UpdateAssistantStateInitializingStates** True at the start of InitializingStates.
-- **UpdateAssistantStateInstalling** True at the start of Installing.
-- **UpdateAssistantStatePostInstall** True at the start of PostInstall.
-- **UpdateAssistantVersion** Current package version of UpdateAssistant.
-
-
## Update events
### Update360Telemetry.FellBackToDownloadingAllPackageFiles
@@ -2695,7 +2761,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentMitigationSummary
-This event sends a summary of all the update agent mitigations available for an this update. The data collected with this event is used to help keep Windows secure and up to date.
+This event sends a summary of all the update agent mitigations available for an update. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2755,7 +2821,7 @@ The following fields are available:
- **FlightId** Unique ID for the flight (test instance version).
- **IsSuspendable** Indicates whether the update has the ability to be suspended and resumed at the time of reboot. When the machine is rebooted and the update is in middle of Predownload or Install and Setup.exe is running, this field is TRUE, if not its FALSE.
- **ObjectId** The unique value for each Update Agent mode.
-- **Reason** Indicates the HResult why the machine could not be suspended. If it is successfully suspended, the result is 0.
+- **Reason** Indicates the HResult why the machine couldn't be suspended. If it's successfully suspended, the result is 0.
- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
- **ScenarioId** The ID of the update scenario.
- **SessionId** The ID of the update attempt.
@@ -2804,7 +2870,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** ID that uniquely identifies a group of events.
- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
@@ -2826,7 +2892,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** ID that uniquely identifies a group of events.
- **WuId** Windows Update client ID.
@@ -2848,7 +2914,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** A string to uniquely identify a group of events.
- **WuId** Windows Update client ID.
@@ -2930,7 +2996,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** A string to uniquely identify a group of events.
- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
@@ -2977,8 +3043,8 @@ The following fields are available:
- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on.
- **usingBackupFeatureAssessment** Relying on backup feature assessment.
- **usingBackupQualityAssessment** Relying on backup quality assessment.
-- **usingCachedFeatureAssessment** WaaS Medic run did not get OS build age from the network on the previous run.
-- **usingCachedQualityAssessment** WaaS Medic run did not get OS revision age from the network on the previous run.
+- **usingCachedFeatureAssessment** WaaS Medic run didn't get OS build age from the network on the previous run.
+- **usingCachedQualityAssessment** WaaS Medic run didn't get OS revision age from the network on the previous run.
- **uusVersion** The version of the UUS package.
- **versionString** Version of the WaaSMedic engine.
- **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter.
@@ -3120,7 +3186,7 @@ The following fields are available:
### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages
-This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure.
+This event is sent after searching for update packages to install. It's used to help keep Windows up-to-date and secure.
The following fields are available:
@@ -3225,7 +3291,7 @@ The following fields are available:
### Microsoft.Windows.StoreAgent.Telemetry.StateTransition
-Products in the process of being fulfilled (installed or updated) are maintained in a list. This event is sent any time there is a change in a product's fulfillment status (pending, working, paused, cancelled, or complete), to help keep Windows up to date and secure.
+Products in the process of being fulfilled (installed or updated) are maintained in a list. This event is sent any time there's a change in a product's fulfillment status (pending, working, paused, canceled, or complete), to help keep Windows up to date and secure.
The following fields are available:
@@ -3348,12 +3414,12 @@ The following fields are available:
### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary
-This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
+This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario that is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
- **activated** Whether the entire device manifest update is considered activated and in use.
-- **analysisErrorCount** The number of driver packages that could not be analyzed because errors occurred during analysis.
+- **analysisErrorCount** The number of driver packages that couldn't be analyzed because errors occurred during analysis.
- **flightId** Unique ID for each flight.
- **missingDriverCount** The number of driver packages delivered by the device manifest that are missing from the system.
- **missingUpdateCount** The number of updates in the device manifest that are missing from the system.
@@ -3364,8 +3430,8 @@ The following fields are available:
- **sessionId** Unique value for each update session.
- **summary** A summary string that contains basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match.
- **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string.
-- **truncatedDeviceCount** The number of devices missing from the summary string because there is not enough room in the string.
-- **truncatedDriverCount** The number of driver packages missing from the summary string because there is not enough room in the string.
+- **truncatedDeviceCount** The number of devices missing from the summary string because there isn't enough room in the string.
+- **truncatedDriverCount** The number of driver packages missing from the summary string because there isn't enough room in the string.
- **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices.
- **updateId** The unique ID for each update.
@@ -3506,12 +3572,12 @@ This event is fired when the Download stage is paused.
The following fields are available:
-- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleId** Identifier associated with the specific content bundle; shouldn't be all zeros if the bundleID was found.
- **CallerName** Name of application making the Windows Update request. Used to identify context of request.
- **ClassificationId** Classification identifier of the update content.
- **DownloadPriority** Indicates the priority of the download activity.
- **EventType** Indicates the purpose of the event - whether because scan started, succeeded, failed, etc.
-- **FlightId** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **FlightId** Secondary status code for certain scenarios where StatusCode wasn't specific enough.
- **HandlerInfo** Blob of Handler related information.
- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
- **Props** Commit Props {MergedUpdate}
@@ -3524,13 +3590,11 @@ The following fields are available:
### Microsoft.Windows.Update.WUClientExt.UpdateMetadataIntegrityGeneral
-Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack
-
-The following fields are available:
+Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack.
- **CallerName** Name of the application making the Windows Update Request. Used to identify context of the request.
- **EndpointUrl** Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack.
-- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode wasn't specific enough.
- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
- **RawMode** Raw unparsed mode string from the SLS response. May be null if not applicable.
- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc)
@@ -3591,4 +3655,4 @@ The following fields are available:
- **ScenarioSupported** Whether the updated scenario that was passed in was supported.
- **SessionId** The UpdateAgent “SessionId” value.
- **UpdateId** Unique identifier for the Update.
-- **WuId** Unique identifier for the Windows Update client.
\ No newline at end of file
+- **WuId** Unique identifier for the Windows Update client.
diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
index 5a65ea94c0..9b5cb9c9db 100644
--- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
+++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
@@ -28,7 +28,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
-- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
+- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
- [Required diagnostic events and fields for Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
index 1d88770967..dd99685ad0 100644
--- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
+++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
@@ -32,7 +32,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
-- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
+- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
diff --git a/windows/privacy/toc.yml b/windows/privacy/toc.yml
index 295d4bf26f..b6ad626c23 100644
--- a/windows/privacy/toc.yml
+++ b/windows/privacy/toc.yml
@@ -15,7 +15,7 @@
href: Microsoft-DiagnosticDataViewer.md
- name: Required Windows diagnostic data events and fields
items:
- - name: Windows 11, version 22H2
+ - name: Windows 11, versions 23H2 and 22H2
href: required-diagnostic-events-fields-windows-11-22H2.md
- name: Windows 11, version 21H2
href: required-windows-11-diagnostic-events-and-fields.md
diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md
index 07b2b5073b..8f05003e77 100644
--- a/windows/privacy/windows-diagnostic-data.md
+++ b/windows/privacy/windows-diagnostic-data.md
@@ -15,6 +15,7 @@ ms.topic: reference
# Windows 10, version 1709 and later and Windows 11 optional diagnostic data
Applies to:
+- Windows 11, version 23H2
- Windows 11, version 22H2
- Windows 11, version 21H2
- Windows 10, version 22H2
diff --git a/windows/security/application-security/application-control/user-account-control/how-it-works.md b/windows/security/application-security/application-control/user-account-control/how-it-works.md
index 2e4ec8b5e5..27338890ca 100644
--- a/windows/security/application-security/application-control/user-account-control/how-it-works.md
+++ b/windows/security/application-security/application-control/user-account-control/how-it-works.md
@@ -1,9 +1,6 @@
---
title: How User Account Control works
description: Learn about User Account Control (UAC) components and how it interacts with the end users.
-ms.collection:
- - highpri
- - tier2
ms.topic: concept-article
ms.date: 05/24/2023
---
@@ -19,7 +16,7 @@ With UAC, each application that requires the *administrator access token* must p
Windows protects processes by marking their integrity levels. Integrity levels are measurements of trust:
- A *high integrity application* is one that performs tasks that modify system data, such as a disk partitioning application
-- A *low integrity application* is one that performs tasks that could potentially compromise the operating system, like as a Web brows
+- A *low integrity application* is one that performs tasks that could potentially compromise the operating system, like as a Web browser
Applications with lower integrity levels can't modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provides valid administrator credentials.
diff --git a/windows/security/application-security/application-control/user-account-control/index.md b/windows/security/application-security/application-control/user-account-control/index.md
index aad3fb9eab..3b5e6e8561 100644
--- a/windows/security/application-security/application-control/user-account-control/index.md
+++ b/windows/security/application-security/application-control/user-account-control/index.md
@@ -1,9 +1,6 @@
---
title: User Account Control
description: Learn how User Account Control (UAC) helps to prevent unauthorized changes to Windows devices.
-ms.collection:
- - highpri
- - tier2
ms.topic: overview
ms.date: 05/24/2023
---
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md
index 7c130ac1f2..8bc7a51202 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md
@@ -2,7 +2,6 @@
title: AppLocker
description: This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies.
ms.collection:
-- highpri
- tier3
- must-keep
ms.topic: conceptual
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
index 3eac346b20..615226657c 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
@@ -3,7 +3,6 @@ title: Microsoft recommended driver block rules
description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community.
ms.localizationpriority: medium
ms.collection:
-- highpri
- tier3
- must-keep
ms.date: 06/06/2023
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/plan-wdac-management.md b/windows/security/application-security/application-control/windows-defender-application-control/design/plan-wdac-management.md
index c51eebd95c..c1eee0110d 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/plan-wdac-management.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/plan-wdac-management.md
@@ -2,7 +2,7 @@
title: Plan for WDAC policy management
description: Learn about the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control policies.
ms.localizationpriority: medium
-ms.date: 11/02/2022
+ms.date: 11/22/2023
ms.topic: article
---
@@ -11,7 +11,7 @@ ms.topic: article
>[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
-This topic describes the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control (WDAC) policies.
+This article describes the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control (WDAC) policies.
## Policy XML lifecycle management
@@ -23,7 +23,7 @@ Most Windows Defender Application Control policies will evolve over time and pro
2. [Deploy the audit mode policy](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) to intended devices.
3. [Monitor audit block events](/windows/security/threat-protection/windows-defender-application-control/event-id-explanations) from the intended devices and add/edit/delete rules as needed to address unexpected/unwanted blocks.
4. Repeat steps 2-3 until the remaining block events meet expectations.
-5. [Generate the enforced mode version](/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies) of the policy. In enforced mode, files that aren't allowed by the policy are prevented from executing and corresponding block events are generated.
+5. [Generate the enforced mode version](/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies) of the policy. In enforced mode, files that the policy doesn't allow are prevented from running and corresponding block events are generated.
6. [Deploy the enforced mode policy](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) to intended devices. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly.
7. Repeat steps 1-6 anytime the desired "circle-of-trust" changes.
@@ -35,7 +35,7 @@ To effectively manage Windows Defender Application Control policies, you should
### Set PolicyName, PolicyID, and Version metadata for each policy
-Use the [Set-CIPolicyIDInfo](/powershell/module/configci/set-cipolicyidinfo) cmdlet to give each policy a descriptive name and set a unique ID in order to differentiate each policy when reviewing Windows Defender Application Control events or when viewing the policy XML document. Although you can specify a string value for PolicyId, for policies using the multiple policy format we recommend using the -ResetPolicyId switch to let the system autogenerate a unique ID for the policy.
+Use the [Set-CIPolicyIDInfo](/powershell/module/configci/set-cipolicyidinfo) cmdlet to give each policy a descriptive name and set a unique policy ID. These unique attributes help you differentiate each policy when reviewing Windows Defender Application Control events or when viewing the policy XML document. Although you can specify a string value for PolicyId, for policies using the multiple policy format we recommend using the -ResetPolicyId switch to let the system autogenerate a unique ID for the policy.
> [!NOTE]
> PolicyID only applies to policies using the [multiple policy format](deploy-multiple-wdac-policies.md) on computers running Windows 10, version 1903 and above, or Windows 11. Running -ResetPolicyId on a policy created for pre-1903 computers will convert it to multiple policy format and prevent it from running on those earlier versions of Windows 10.
@@ -45,15 +45,15 @@ In addition, we recommend using the [Set-CIPolicyVersion](/powershell/module/con
### Policy rule updates
-As new apps are deployed or existing apps are updated by the software publisher, you may need to make revisions to your rules to ensure that these apps run correctly. Whether policy rule updates are required will depend significantly on the types of rules your policy includes. Rules based on codesigning certificates provide the most resiliency against app changes while rules based on file attributes or hash are most likely to require updates when apps change. Alternatively, if you use WDAC [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) functionality and consistently deploy all apps and their updates through your managed installer, then you're less likely to need policy updates.
+You might need to revise your policy when new apps are deployed or existing apps are updated by the software publisher to ensure that apps run correctly. Whether policy rule updates are required will depend significantly on the types of rules your policy includes. Rules based on codesigning certificates provide the most resiliency against app changes while rules based on file attributes or hash are most likely to require updates when apps change. Alternatively, if you use WDAC [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) functionality and consistently deploy all apps and their updates through your managed installer, then you're less likely to need policy updates.
## WDAC event management
-Each time that a process is blocked by Windows Defender Application Control, events will be written to either the CodeIntegrity\Operational or the AppLocker\MSI and Script Windows event logs. The event details which file tried to run, the attributes of that file and its signatures, and the process that attempted to run the blocked file.
+Each time that WDAC blocks a process, events are written to either the CodeIntegrity\Operational or the AppLocker\MSI and Script Windows event logs. The event describes the file that tried to run, the attributes of that file and its signatures, and the process that attempted to run the blocked file.
-Collecting these events in a central location can help you maintain your Windows Defender Application Control policy and troubleshoot rule configuration problems. Event collection technologies such as those available in Windows allow administrators to subscribe to specific event channels and have the events from source computers aggregated into a forwarded event log on a Windows Server operating system collector. For more info about setting up an event subscription, see [Configure Computers to Collect and Forward Events](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc748890(v=ws.11)).
+Collecting these events in a central location can help you maintain your Windows Defender Application Control policy and troubleshoot rule configuration problems. You can [use the Azure Monitor Agent](/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent) to automatically collect your WDAC events for analysis.
-Additionally, Windows Defender Application Control events are collected by [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) and can be queried using the [advanced hunting](../operations/querying-application-control-events-centrally-using-advanced-hunting.md) feature.
+Additionally, [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) collects WDAC events which can be queried using the [advanced hunting](../operations/querying-application-control-events-centrally-using-advanced-hunting.md) feature.
## Application and user support policy
@@ -75,9 +75,9 @@ If your organization has an established help desk support department in place, c
### End-user support
-Because Windows Defender Application Control is preventing unapproved apps from running, it's important that your organization carefully plan how to provide end-user support. Considerations include:
+Because Windows Defender Application Control is preventing unapproved apps from running, it's important that your organization carefully plans how to provide end-user support. Considerations include:
-- Do you want to use an intranet site as a first line of support for users who have tried to run a blocked app?
+- Do you want to use an intranet site as a frontline of support for users who try to run a blocked app?
- How do you want to support exceptions to the policy? Will you allow users to run a script to temporarily allow access to a blocked app?
## Document your plan
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md b/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md
index 68d101d832..961a1e4dc4 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md
@@ -2,7 +2,7 @@
title: Understand Windows Defender Application Control (WDAC) policy rules and file rules
description: Learn how WDAC policy rules and file rules can control your Windows 10 and Windows 11 computers.
ms.localizationpriority: medium
-ms.date: 08/11/2023
+ms.date: 11/22/2023
ms.topic: article
---
@@ -11,7 +11,7 @@ ms.topic: article
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [WDAC feature availability](../feature-availability.md).
-Windows Defender Application Control (WDAC) can control what runs on Windows 10, Windows 11, and Windows Server 2016 and later, by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted.
+Windows Defender Application Control (WDAC) can control what runs on your Windows devices by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how to identify applications your organization trusts.
## Windows Defender Application Control policy rules
@@ -20,7 +20,9 @@ To modify the policy rule options of an existing WDAC policy XML, use the [WDAC
You can set several rule options within a WDAC policy. Table 1 describes each rule option, and whether supplemental policies can set them. Some rule options are reserved for future work or not supported.
> [!NOTE]
-> We recommend that you use **Enabled:Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked-instead the policy logs an event whenever an application outside the policy is started. To allow these applications, you can capture the policy information from the event log, and then merge that information into the existing policy. When the **Enabled:Audit Mode** is deleted, the policy runs in enforced mode.
+> We recommend that you use **Enabled:Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, applications run normally but WDAC logs events whenever a file runs that isn't allowed by the policy. To allow these files, you can capture the policy information from the event log, and then merge that information into the existing policy. When the **Enabled:Audit Mode** is deleted, the policy runs in enforced mode.
+>
+> Some apps may behave differently even when your policy is in audit mode. When an option may change behaviors in audit mode, that is noted in Table 1. You should always test your apps thoroughly when deploying significant updates to your WDAC policies.
### Table 1. Windows Defender Application Control policy - policy rule options
@@ -37,7 +39,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **8 Required:EV Signers** | This option isn't currently supported. | No |
| **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. | No |
| **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a boot-critical driver fails during startup, the WDAC policy is placed in audit mode so that Windows loads. Administrators can validate the reason for the failure in the CodeIntegrity event log. | No |
-| **11 Disabled:Script Enforcement** | This option disables script enforcement options, covering PowerShell, Windows Based Script Host (wscript.exe), Windows Console Based Script Host (cscript.exe), HTA files run in Microsoft HTML Application Host (mshta.exe), and MSXML. For more information on script enforcement, see [Script enforcement with WDAC](/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement).
NOTE: This option isn't supported on Windows Server 2016 or Windows 10 1607 LTSB and shouldn't be used on those operating systems. | No |
+| **11 Disabled:Script Enforcement** | This option disables script enforcement options, covering PowerShell, Windows Based Script Host (wscript.exe), Windows Console Based Script Host (cscript.exe), HTA files run in Microsoft HTML Application Host (mshta.exe), and MSXML. Some script hosts may behave differently even when your policy is in audit mode. For more information on script enforcement, see [Script enforcement with WDAC](/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement).
NOTE: This option isn't supported on Windows Server 2016 or Windows 10 1607 LTSB and shouldn't be used on those operating systems. | No |
| **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies also apply to Universal Windows applications. | No |
| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) | Yes |
| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft's Intelligent Security Graph (ISG). | Yes |
@@ -45,7 +47,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot.
NOTE: This option is only supported on Windows 10, version 1709 and later, or Windows Server 2019 and later.| No |
| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it.
NOTE: This option is only supported on Windows 10, version 1903 and later, or Windows Server 2022 and later. | No |
| **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator.
NOTE: This option is only supported on Windows 10, version 1903 and later, or Windows Server 2022 and later. | Yes |
-| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries.
NOTE: This option is only supported on Windows 10, version 1803 and later, or Windows Server 2019 and later. | No |
+| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries.
NOTE: This option is only supported on Windows 10, version 1803 and later, or Windows Server 2019 and later.
NOTE: This option is always enforced if *any* WDAC UMCI policy enables it. There's no audit mode for .NET dynamic code security hardening. | No |
| **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with revoked certificates, or expired certificates with the Lifetime Signing EKU on the signature, as "Unsigned binaries" for user-mode process/components, under enterprise signing scenarios. | No |
| **Enabled:Developer Mode Dynamic Code Trust** | Use this option to trust UWP apps that are [debugged in Visual Studio](/visualstudio/debugger/run-windows-store-apps-on-a-remote-machine) or deployed through device portal when Developer Mode is enabled on the system. | No |
@@ -71,7 +73,7 @@ Each file rule level has advantages and disadvantages. Use Table 2 to select the
| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product have different hash values but typically the same signing certificate. When this level is used, no policy update would be needed to run the new version of the application. However, leaf certificates typically have shorter validity periods than other certificate levels, so the WDAC policy must be updated whenever these certificates change. |
| **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This level is typically one certificate below the root because the scan doesn't resolve the complete certificate chain via the local root stores or with an online check. |
| **RootCertificate** | Not supported. |
-| **WHQL** | Only trusts binaries that have been submitted to Microsoft and signed by the Windows Hardware Qualification Lab (WHQL). This level is primarily for kernel binaries. |
+| **WHQL** | Only trusts binaries that were submitted to Microsoft and signed by the Windows Hardware Qualification Lab (WHQL). This level is primarily for kernel binaries. |
| **WHQLPublisher** | This level combines the WHQL level and the CN on the leaf certificate, and is primarily for kernel binaries. |
| **WHQLFilePublisher** | This level combines the "FileName" attribute of the signed file, plus "WHQLPublisher", plus a minimum version number. This level is primarily for kernel binaries. By default, this level uses the OriginalFileName attribute of the file's resource header. Use [-SpecificFileNameLevel](#use--specificfilenamelevel-with-filename-filepublisher-or-whqlfilepublisher-level-rules) to choose an alternative attribute, such as ProductName. |
@@ -96,7 +98,7 @@ For example, consider an IT professional in a department that runs many servers.
To create the WDAC policy, they build a reference server on their standard hardware, and install all of the software that their servers are known to run. Then they run [New-CIPolicy](/powershell/module/configci/new-cipolicy) with **-Level Publisher** (to allow software from their software providers, the "Publishers") and **-Fallback Hash** (to allow the internal, unsigned application). They deploy the policy in auditing mode to determine the potential impact from enforcing the policy. With the help of the audit data, they update their WDAC policies to include any other software they want to run. Then they enable the WDAC policy in enforced mode for their servers.
-As part of normal operations, they'll eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they won't need to update their WDAC policy. If the unsigned, internal application is updated, they must also update the WDAC policy to allow the new version.
+As part of normal operations, they'll eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they don't need to update their WDAC policy. If the unsigned, internal application is updated, they must also update the WDAC policy to allow the new version.
## File rule precedence order
@@ -107,7 +109,7 @@ WDAC has a built-in file rule conflict logic that translates to precedence order
## Use -SpecificFileNameLevel with FileName, FilePublisher, or WHQLFilePublisher level rules
-By default, the FileName, FilePublisher, and WHQLFilePublisher rule levels will use the OriginalFileName attribute from the file's resource header. You can use an alternative resource header attribute for your rules by setting the **-SpecificFileNameLevel**. For instance, a software developer may use the same ProductName for all binaries that are part of an app. Using -SpecificFileNameLevel, you can create a single rule to cover all of those binaries in your policy rather than individual rules for every file.
+By default, the FileName, FilePublisher, and WHQLFilePublisher rule levels use the OriginalFileName attribute from the file's resource header. You can use an alternative resource header attribute for your rules by setting the **-SpecificFileNameLevel**. For instance, a software developer might use the same ProductName for all binaries that are part of an app. Using -SpecificFileNameLevel, you can create a single rule to cover all of those binaries in your policy rather than individual rules for every file.
Table 3 describes the available resource header attribute options you can set with -SpecificFileNameLevel.
@@ -124,7 +126,7 @@ Table 3 describes the available resource header attribute options you can set wi
## More information about filepath rules
-Filepath rules don't provide the same security guarantees that explicit signer rules do, since they're based on mutable access permissions. Filepath rules are best suited for environments where most users are running as standard rather than admin. Path rules are best suited to allow paths that you expect to remain admin-writeable only. You may want to avoid path rules for directories where standard users can modify ACLs on the folder.
+Filepath rules don't provide the same security guarantees that explicit signer rules do, since they're based on mutable access permissions. Filepath rules are best suited for environments where most users are running as standard rather than admin. Path rules are best suited to allow paths that you expect to remain admin-writeable only. You might want to avoid path rules for directories where standard users can modify ACLs on the folder.
### User-writable filepaths
@@ -182,8 +184,8 @@ In the cmdlets, rather than try to predict which hash will be used, we precalcul
### Why does scan create eight hash rules for certain files?
-Separate rules are created for UMCI and KMCI. If the cmdlets can't determine that a file will only run in user-mode or in the kernel, then rules are created for both signing scenarios out of an abundance of caution. If you know that a particular file will only load in either user-mode or kernel, then you can safely remove the extra rules.
+Separate rules are created for UMCI and KMCI. If the cmdlets can't determine that a file only runs in user-mode or in the kernel, then rules are created for both signing scenarios out of an abundance of caution. If you know that a particular file only loads in either user-mode or kernel, then you can safely remove the extra rules.
### When does WDAC use the flat file hash value?
-There are some rare cases where a file's format doesn't conform to the Authenticode spec and so WDAC falls back to use the flat file hash. This can occur for a number of reasons, such as if changes are made to the in-memory version of the file at runtime. In such cases, you'll see that the hash shown in the correlated 3089 signature information event matches the flat file hash from the 3076/3077 block event. To create rules for files with an invalid format, you can add hash rules to the policy for the flat file hash using the WDAC Wizard or by editing the policy XML directly.
+There are some rare cases where a file's format doesn't conform to the Authenticode spec and so WDAC falls back to use the flat file hash. This behavior can occur for many reasons, such as if changes are made to the in-memory version of the file at runtime. In such cases, you'll see that the hash shown in the correlated 3089 signature information event matches the flat file hash from the 3076/3077 block event. To create rules for files with an invalid format, you can add hash rules to the policy for the flat file hash using the WDAC Wizard or by editing the policy XML directly.
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet.md b/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet.md
index 8f866fa055..b0ec0ebfe9 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet.md
@@ -2,7 +2,7 @@
title: Windows Defender Application Control and .NET
description: Understand how WDAC and .NET work together and use Dynamic Code Security to verify code loaded by .NET at runtime.
ms.localizationpriority: medium
-ms.date: 08/10/2022
+ms.date: 11/22/2023
ms.topic: article
---
@@ -10,9 +10,9 @@ ms.topic: article
.NET apps (as written in a high-level language like C#) are compiled to an Intermediate Language (IL). IL is a compact code format that can be supported on any operating system or architecture. Most .NET apps use APIs that are supported in multiple environments, requiring only the .NET runtime to run. IL needs to be compiled to native code in order to execute on a CPU, for example Arm64 or x64. When .NET compiles IL to native image (NI) on a device with a WDAC user mode policy, it first checks whether the original IL file passes the current WDAC policies. If so, .NET sets an NTFS extended attribute (EA) on the generated NI file so that WDAC knows to trust it as well. When the .NET app runs, WDAC sees the EA on the NI file and allows it.
-The EA set on the NI file only applies to the currently active WDAC policies. If one of the active WDAC policies is updated or a new policy is applied, the EA on the NI file is invalidated. The next time the app runs, WDAC will block the NI file. .NET handles the block gracefully and will fall back to the original IL code. If the IL still passes the latest WDAC policies, then the app runs without any functional impact. Since the IL is now being compiled at runtime, you may notice a slight impact to performance of the app. When .NET must fall back to IL, .NET will also schedule a process to run at the next maintenance window to regenerate all NI files, thus reestablishing the WDAC EA for all code that passes the latest WDAC policies.
+The EA set on the NI file only applies to the currently active WDAC policies. If one of the active WDAC policies is updated or a new policy is applied, the EA on the NI file is invalidated. The next time the app runs, WDAC will block the NI file. .NET handles the block gracefully and falls back to the original IL code. If the IL still passes the latest WDAC policies, then the app runs without any functional impact. Since the IL is now being compiled at runtime, you might notice a slight impact to performance of the app. When .NET must fall back to IL, .NET will also schedule a process to run at the next maintenance window to regenerate all NI files, thus reestablishing the WDAC EA for all code that passes the latest WDAC policies.
-In some cases, if an NI file is blocked, you may see a "false positive" block event in the *CodeIntegrity - Operational* event log as described in [WDAC Admin Tips & Known Issues](/windows/security/threat-protection/windows-defender-application-control/operations/known-issues#net-native-images-may-generate-false-positive-block-events).
+In some cases, if an NI file is blocked, you might see a "false positive" block event in the *CodeIntegrity - Operational* event log as described in [WDAC Admin Tips & Known Issues](/windows/security/threat-protection/windows-defender-application-control/operations/known-issues#net-native-images-may-generate-false-positive-block-events).
To mitigate any performance impact caused when the WDAC EA isn't valid or missing:
@@ -22,14 +22,17 @@ To mitigate any performance impact caused when the WDAC EA isn't valid or missin
## WDAC and .NET hardening
-Security researchers have found that some .NET capabilities that allow apps to load libraries from external sources or generate new code at runtime can be used to circumvent WDAC controls.
-Beginning with Windows 10, version 1803, WDAC includes a new option, called *Dynamic Code Security* that works with .NET to verify code loaded at runtime.
+Security researchers found that some .NET capabilities that allow apps to load libraries from external sources or generate new code at runtime can be used to circumvent WDAC controls.
+To address this potential vulnerability, WDAC includes an option called *Dynamic Code Security* that works with .NET to verify code loaded at runtime.
-When the Dynamic Code Security option is enabled, Application Control policy is applied to libraries that .NET loads from external sources. For example, any non-local sources, such as the internet or a network share.
+When the Dynamic Code Security option is enabled, Application Control policy is applied to libraries that .NET loads from external sources. For example, any remote sources, such as the internet or a network share.
-Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that has been tampered with.
+> [!IMPORTANT]
+> .Net dynamic code security hardening is *turned on and enforced* if any WDAC policy with UMCI enabled has set option **19 Enabled:Dynamic Code Security**. There is no audit mode for this feature. You should test your apps with this option set before turning it on across large numbers of devices.
-Dynamic Code Security isn't enabled by default because existing policies may not account for externally loaded libraries.
+Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that was tampered with.
+
+Dynamic Code Security isn't enabled by default because existing policies might not account for externally loaded libraries.
Additionally, a few .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, aren't currently supported with Dynamic Code Security enabled.
Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy.
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/operations/configure-wdac-managed-installer.md b/windows/security/application-security/application-control/windows-defender-application-control/operations/configure-wdac-managed-installer.md
index 44d5693f5a..98e2c42da8 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/operations/configure-wdac-managed-installer.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/operations/configure-wdac-managed-installer.md
@@ -1,9 +1,9 @@
---
title: Managed installer and ISG technical reference and troubleshooting guide
-description: Explains how to configure a custom Manged Installer.
+description: A technical reference and troubleshooting guide for managed installer and Intelligent Security Graph (ISG).
ms.localizationpriority: medium
ms.date: 11/11/2022
-ms.topic: article
+ms.topic: troubleshooting
---
# Managed installer and ISG technical reference and troubleshooting guide
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md b/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md
index 0666d011c5..91af264958 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md
@@ -2,7 +2,7 @@
title: WDAC Admin Tips & Known Issues
description: WDAC Known Issues
ms.manager: jsuther
-ms.date: 05/09/2023
+ms.date: 11/22/2023
ms.topic: article
ms.localizationpriority: medium
---
@@ -23,7 +23,7 @@ This article covers tips and tricks for admins and known issues with Windows Def
The *\{PolicyId GUID\}* value is unique by policy and defined in the policy XML with the <PolicyId> element.
-For **single policy format WDAC policies**, in addition to the two preceding locations, also look for a file called SiPolicy.p7b that may be found in the following locations:
+For **single policy format WDAC policies**, in addition to the two preceding locations, also look for a file called SiPolicy.p7b in the following locations:
- <EFI System Partition>\\Microsoft\\Boot\\SiPolicy.p7b
- <OS Volume>\\Windows\\System32\\CodeIntegrity\\SiPolicy.p7b
@@ -35,7 +35,7 @@ For **single policy format WDAC policies**, in addition to the two preceding loc
When the WDAC engine evaluates files against the active set of policies on the device, rules are applied in the following order. Once a file encounters a match, WDAC stops further processing.
-1. Explicit deny rules - if any explicit deny rule exists for the file, it's blocked even if other rules are created to try to allow it. Deny rules can use any [rule level](/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#windows-defender-application-control-file-rule-levels). Use the most specific rule level practical when creating deny rules to avoid blocking more than you intend.
+1. Explicit deny rules - a file is blocked if any explicit deny rule exists for it, even if other rules are created to try to allow it. Deny rules can use any [rule level](/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#windows-defender-application-control-file-rule-levels). Use the most specific rule level practical when creating deny rules to avoid blocking more than you intend.
2. Explicit allow rules - if any explicit allow rule exists for the file, the file runs.
@@ -43,17 +43,24 @@ When the WDAC engine evaluates files against the active set of policies on the d
4. Lastly, WDAC makes a cloud call to the ISG to get reputation about the file, if the policy enables the ISG option.
-5. If no rule exists for the file and it's not allowed based on ISG or MI, then the file is blocked implicitly.
+5. If no explicit rule exists for the file and it's not allowed based on ISG or MI, then the file is blocked implicitly.
## Known issues
### Boot stop failure (blue screen) occurs if more than 32 policies are active
-If the maximum number of policies is exceeded, the device may bluescreen referencing ci.dll with a bug check value of 0x0000003b. Consider this maximum policy count limit when planning your WDAC policies. Any [Windows inbox policies](/windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies) that are active on the device also count towards this limit.
+If the maximum number of policies is exceeded, the device will bluescreen referencing ci.dll with a bug check value of 0x0000003b. Consider this maximum policy count limit when planning your WDAC policies. Any [Windows inbox policies](/windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies) that are active on the device also count towards this limit.
+
+### Audit mode policies can change the behavior for some apps or cause app crashes
+
+Although WDAC audit mode is designed to avoid impact to apps, some features are always on/always enforced with any WDAC policy that includes the option **0 Enabled:UMCI**. Here's a list of known system changes in audit mode:
+
+- Some script hosts might block code or run code with fewer privileges even in audit mode. See [Script enforcement with WDAC](/windows/security/application-security/application-control/windows-defender-application-control/design/script-enforcement) for information about individual script host behaviors.
+- Option **19 Enabled:Dynamic Code Security** is always enforced if any UMCI policy includes that option. See [WDAC and .NET](/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet#wdac-and-net-hardening).
### Managed Installer and ISG may cause excessive events
-When Managed Installer and ISG are enabled, 3091 and 3092 events are logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. These events have been moved to the verbose channel beginning with the September 2022 Update Preview since the events don't indicate an issue with the policy.
+When Managed Installer and ISG are enabled, 3091 and 3092 events are logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. These events were moved to the verbose channel beginning with the September 2022 Update Preview since the events don't indicate an issue with the policy.
### .NET native images may generate false positive block events
@@ -83,13 +90,13 @@ msiexec -i c:\temp\Windows10_Version_1511_ADMX.msi
```
### Slow boot and performance with custom policies
-WDAC will evaluate all running processes, including inbox Windows processes. If policies don't build off the WDAC templates or don't trust the Windows signers, you'll see slower boot times, degraded performance and possibly boot issues. For these reasons, it's strongly recommended to build off the [WDAC base templates](../design/example-wdac-base-policies.md).
+WDAC evaluates all processes that run, including inbox Windows processes. If policies don't build off the WDAC templates or don't trust the Windows signers, you'll see slower boot times, degraded performance and possibly boot issues. For these reasons, you should use the [WDAC base templates](../design/example-wdac-base-policies.md) whenever possible to create your policies.
#### AppId Tagging policy considerations
If the AppId Tagging Policy wasn't built off the WDAC base templates or doesn't allow the Windows in-box signers, you'll notice a significant increase in boot times (~2 minutes).
-If you can't allowlist the Windows signers, or build off the WDAC base templates, it is strongly recommended to add the following rule to your policies to improve the performance:
+If you can't allowlist the Windows signers, or build off the WDAC base templates, it's recommended to add the following rule to your policies to improve the performance:
:::image type="content" source="../images/known-issue-appid-dll-rule.png" alt-text="Allow all dlls in the policy.":::
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
index 22e5196913..500f4c397b 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
@@ -3,7 +3,6 @@ title: Application Control for Windows
description: Application Control restricts which applications users are allowed to run and the code that runs in the system core.
ms.localizationpriority: medium
ms.collection:
-- highpri
- tier3
- must-keep
ms.date: 08/30/2023
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard.yml
index 370243790a..5f3515a26b 100644
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard.yml
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard.yml
@@ -119,10 +119,7 @@ sections:
- question: |
Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file?
answer: |
- This issue is a known one. To mitigate this issue, you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources:
-
- - [Create an inbound icmp rule](../../../operating-system-security/network-security/windows-firewall/create-an-inbound-icmp-rule.md)
- - [Open Group Policy management console for Microsoft Defender Firewall](../../../operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
+ This issue is a known one. To mitigate this issue, you need to create two firewall rules. For information about creating a firewall rule with Group Policy, see [Configure Windows Firewall rules with group policy](../../../operating-system-security/network-security/windows-firewall/configure.md)
### First rule (DHCP Server)
- Program path: `%SystemRoot%\System32\svchost.exe`
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md
index ac710efb7a..5deab8192a 100644
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md
@@ -3,9 +3,6 @@ title: Enable hardware-based isolation for Microsoft Edge
description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed), and how to install Application Guard in your enterprise.
ms.date: 07/11/2023
ms.topic: how-to
-ms.collection:
- - highpri
- - tier2
---
# Prepare to install Microsoft Defender Application Guard
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension.md
index b5b54f3574..79a92c0c24 100644
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension.md
@@ -19,7 +19,7 @@ Microsoft Defender Application Guard Extension defends devices in your organizat
## Prerequisites
-Microsoft Defender Application Guard Extension works with the following editions of Windows 10, version 1803 or later:
+Microsoft Defender Application Guard Extension works with the following editions of Windows 10, version 1809 or later:
- Windows 10 Professional
- Windows 10 Enterprise
@@ -84,4 +84,4 @@ Unexpected response while processing trusted state | The extension was able to c
## Related articles
- [Microsoft Defender Application Guard overview](md-app-guard-overview.md)
-- [Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)
\ No newline at end of file
+- [Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md
index d1547ce21e..8b2235111a 100644
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -1,11 +1,7 @@
---
title: Microsoft Defender Application Guard
description: Learn about Microsoft Defender Application Guard and how it helps combat malicious content and malware out on the Internet.
-ms.localizationpriority: medium
ms.date: 07/11/2023
-ms.collection:
- - highpri
- - tier2
ms.topic: conceptual
---
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
index 888bca39ce..b33a5b9f67 100644
--- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
@@ -1,9 +1,6 @@
---
title: Windows Sandbox configuration
description: Windows Sandbox configuration
-ms.collection:
- - highpri
- - tier2
ms.topic: article
ms.date: 05/25/2023
---
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md
index 928d31e27b..676b2a8179 100644
--- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md
@@ -1,9 +1,6 @@
---
title: Windows Sandbox
description: Windows Sandbox overview
-ms.collection:
- - highpri
- - tier2
ms.topic: article
ms.date: 05/25/2023
---
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index 040348819b..21e56b80c7 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -39,14 +39,14 @@
"tier2"
],
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
+ "zone_pivot_group_filename": "resources/zone-pivot-groups.json",
"uhfHeaderId": "MSDocsHeader-Windows",
"ms.localizationpriority": "medium",
"ms.prod": "windows-client",
"ms.technology": "itpro-security",
"manager": "aaroncz",
- "feedback_system": "GitHub",
- "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
- "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
+ "feedback_system": "Standard",
+ "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.security",
@@ -91,9 +91,7 @@
"operating-system-security/data-protection/**/*.md": "paolomatarazzo",
"operating-system-security/data-protection/**/*.yml": "paolomatarazzo",
"operating-system-security/network-security/**/*.md": "paolomatarazzo",
- "operating-system-security/network-security/**/*.yml": "paolomatarazzo",
- "operating-system-security/network-security/windows-firewall/**/*.md": "ngangulyms",
- "operating-system-security/network-security/windows-firewall/**/*.yml": "ngangulyms"
+ "operating-system-security/network-security/**/*.yml": "paolomatarazzo"
},
"ms.author":{
"application-security//**/*.md": "vinpa",
@@ -111,9 +109,7 @@
"operating-system-security/data-protection/**/*.md": "paoloma",
"operating-system-security/data-protection/**/*.yml": "paoloma",
"operating-system-security/network-security/**/*.md": "paoloma",
- "operating-system-security/network-security/**/*.yml": "paoloma",
- "operating-system-security/network-security/windows-firewall/*.md": "nganguly",
- "operating-system-security/network-security/windows-firewall/*.yml": "nganguly"
+ "operating-system-security/network-security/**/*.yml": "paoloma"
},
"appliesto": {
"application-security//**/*.md": [
@@ -218,20 +214,20 @@
"identity-protection/hello-for-business/*.md": "erikdau",
"identity-protection/credential-guard/*.md": "zwhittington",
"identity-protection/access-control/*.md": "sulahiri",
- "operating-system-security/network-security/windows-firewall/*.md": "paoloma",
+ "identity-protection/smart-cards/*.md": "ardenw",
+ "identity-protection/virtual-smart-cards/*.md": "ardenw",
+ "operating-system-security/network-security/windows-firewall/*.md": "nganguly",
"operating-system-security/network-security/vpn/*.md": "pesmith",
"operating-system-security/data-protection/personal-data-encryption/*.md":"rhonnegowda",
"operating-system-security/device-management/windows-security-configuration-framework/*.md": "jmunck"
},
"ms.collection": {
- "application-security/application-control/windows-defender-application-control/**/*.md": [ "tier3", "must-keep" ],
"identity-protection/hello-for-business/*.md": "tier1",
"information-protection/pluton/*.md": "tier1",
"information-protection/tpm/*.md": "tier1",
"threat-protection/auditing/*.md": "tier3",
"operating-system-security/data-protection/bitlocker/*.md": "tier1",
- "operating-system-security/data-protection/personal-data-encryption/*.md": "tier1",
- "operating-system-security/network-security/windows-firewall/*.md": [ "tier3", "must-keep" ]
+ "operating-system-security/data-protection/personal-data-encryption/*.md": "tier1"
}
},
"template": [],
diff --git a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
index a3404e644a..2748c9c816 100644
--- a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
@@ -1,10 +1,6 @@
---
title: Enable memory integrity
description: This article explains the steps to opt in to using memory integrity on Windows devices.
-ms.localizationpriority: medium
-ms.collection:
- - highpri
- - tier2
ms.topic: conceptual
ms.date: 03/16/2023
appliesto:
diff --git a/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md
index 077e6473de..d5451404d1 100644
--- a/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md
+++ b/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md
@@ -1,8 +1,8 @@
---
-title: How a Windows Defender System Guard helps protect Windows
-description: Windows Defender System Guard reorganizes the existing Windows system integrity features under one roof. Learn how it works.
+title: How Windows Defender System Guard helps protect Windows
+description: Learn how Windows Defender System Guard reorganizes the existing Windows system integrity features under one roof.
ms.localizationpriority: medium
-ms.date: 03/01/2019
+ms.date: 10/25/2023
ms.topic: conceptual
---
@@ -19,15 +19,11 @@ Windows Defender System Guard reorganizes the existing Windows system integrity
### Static Root of Trust for Measurement (SRTM)
-With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system.
-This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege.
+With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system. This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege.
-With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader.
-This hardware-based root of trust comes from the device's Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI).
-This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM).
+With Windows 10 running on modern hardware, a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. This hardware-based root of trust comes from the device's Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI). This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM).
-As there are thousands of PC vendors that produce many models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup.
-Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a blocklist), or a list of known 'good' SRTM measurements (also known as an allowlist).
+As there are thousands of PC vendors that produce many models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup. Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a blocklist), or a list of known 'good' SRTM measurements (also known as an allowlist).
Each option has a drawback:
@@ -37,9 +33,7 @@ Also, a bug fix for UEFI code can take a long time to design, build, retest, val
### Secure Launch—the Dynamic Root of Trust for Measurement (DRTM)
-[Windows Defender System Guard Secure Launch](system-guard-secure-launch-and-smm-protection.md), first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM).
-DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path.
-This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state.
+[Windows Defender System Guard Secure Launch](system-guard-secure-launch-and-smm-protection.md), first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM). DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path. This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state.
@@ -47,9 +41,7 @@ Secure Launch simplifies management of SRTM measurements because the launch code
### System Management Mode (SMM) protection
-System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful.
-Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS.
-SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if System Guard Secure Launch is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor.
+System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful. Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS. SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if System Guard Secure Launch is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor.
To defend against this, two techniques are used:
@@ -60,14 +52,13 @@ Paging protection can be implemented to lock certain code tables to be read-only
A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make sure it doesn't access any part of the address space that it isn't supposed to.
-SMM protection is built on top of the Secure Launch technology and requires it to function.
-In the future, Windows 10 will also measure this SMI Handler's behavior and attest that no OS-owned memory has been tampered with.
+SMM protection is built on top of the Secure Launch technology and requires it to function. In the future, Windows 10 will also measure this SMI Handler's behavior and attest that no OS-owned memory has been tampered with.
## Validating platform integrity after Windows is running (run time)
While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We can trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. For platform integrity, we can't just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the device's integrity.
-As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device's Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch won't support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data isn't subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device's firmware, hardware configuration state, and Windows boot-related components, just to name a few.
+As Windows boots, a series of integrity measurements are taken by Windows Defender System Guard using the device's Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch doesn't support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data isn't subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device's firmware, hardware configuration state, and Windows boot-related components, to name a few.
diff --git a/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md b/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md
index f7fd8927c1..f4092a1bc3 100644
--- a/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md
@@ -2,7 +2,6 @@
title: Kernel DMA Protection
description: Learn how Kernel DMA Protection protects Windows devices against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices.
ms.collection:
- - highpri
- tier1
ms.topic: conceptual
ms.date: 07/31/2023
@@ -54,27 +53,27 @@ You can use the Windows Security settings to check if Kernel DMA Protection is e
1. Open **Windows Security**.
1. Select **Device security > Core isolation details > Memory access protection**
-:::image type="content" source="images/kernel-dma-protection-security-center.png" alt-text="Screenshot of Kernel DMA protection in Windows Security." lightbox="images/kernel-dma-protection-security-center.png" border="true":::
+ :::image type="content" source="images/kernel-dma-protection-security-center.png" alt-text="Screenshot of Kernel DMA protection in Windows Security." lightbox="images/kernel-dma-protection-security-center.png" border="true":::
-Alternatively, you can use the System Information desktop app (`msinfo32.exe`). If the system supports Kernel DMA Protection, the **Kernel DMA Protection** value will be set to **ON**.
+ Alternatively, you can use the System Information desktop app (`msinfo32.exe`). If the system supports Kernel DMA Protection, the **Kernel DMA Protection** value will be set to **ON**.
-:::image type="content" source="images/kernel-dma-protection.png" alt-text="Screenshot of Kernel DMA protection in System Information." lightbox="images/kernel-dma-protection.png" border="true":::
+ :::image type="content" source="images/kernel-dma-protection.png" alt-text="Screenshot of Kernel DMA protection in System Information." lightbox="images/kernel-dma-protection.png" border="true":::
-If the current state of **Kernel DMA Protection** is **OFF** and **Hyper-V - Virtualization Enabled in Firmware** is **NO**:
+ If the current state of **Kernel DMA Protection** is **OFF** and **Hyper-V - Virtualization Enabled in Firmware** is **NO**:
-- Reboot into UEFI settings
-- Turn on Intel Virtualization Technology
-- Turn on Intel Virtualization Technology for I/O (VT-d)
-- Reboot system into Windows
+ - Reboot into UEFI settings
+ - Turn on Intel Virtualization Technology
+ - Turn on Intel Virtualization Technology for I/O (VT-d)
+ - Reboot system into Windows
-> [!NOTE]
-> If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown at the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to **YES**.
->
-> Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of *ACPI Kernel DMA Protection Indicators* described in [Kernel DMA Protection (Memory Access Protection) for OEMs][LINK-3].
+ > [!NOTE]
+ > If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown at the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to **YES**.
+ >
+ > Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of *ACPI Kernel DMA Protection Indicators* described in [Kernel DMA Protection (Memory Access Protection) for OEMs][LINK-3].
-If the state of **Kernel DMA Protection** remains Off, then the system doesn't support Kernel DMA Protection.
+ If the state of **Kernel DMA Protection** remains Off, then the system doesn't support Kernel DMA Protection.
-For systems that don't support Kernel DMA Protection, refer to the [BitLocker countermeasures](../operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md) or [Thunderbolt 3 and Security on Microsoft Windows Operating system][EXT-1] for other means of DMA protection.
+For systems that don't support Kernel DMA Protection, refer to the [BitLocker countermeasures](../operating-system-security/data-protection/bitlocker/countermeasures.md) or [Thunderbolt 3 and Security on Microsoft Windows Operating system][EXT-1] for other means of DMA protection.
## Frequently asked questions
diff --git a/windows/security/hardware-security/toc.yml b/windows/security/hardware-security/toc.yml
index 1b95b86db3..c941dc715a 100644
--- a/windows/security/hardware-security/toc.yml
+++ b/windows/security/hardware-security/toc.yml
@@ -6,10 +6,8 @@ items:
- name: Windows Defender System Guard
href: how-hardware-based-root-of-trust-helps-protect-windows.md
- name: Trusted Platform Module
- href: tpm/trusted-platform-module-top-node.md
+ href: tpm/trusted-platform-module-overview.md
items:
- - name: Trusted Platform Module overview
- href: tpm/trusted-platform-module-overview.md
- name: TPM fundamentals
href: tpm/tpm-fundamentals.md
- name: How Windows uses the TPM
diff --git a/windows/security/hardware-security/tpm/backup-tpm-recovery-information-to-ad-ds.md b/windows/security/hardware-security/tpm/backup-tpm-recovery-information-to-ad-ds.md
index e2b7facad8..9be58182e9 100644
--- a/windows/security/hardware-security/tpm/backup-tpm-recovery-information-to-ad-ds.md
+++ b/windows/security/hardware-security/tpm/backup-tpm-recovery-information-to-ad-ds.md
@@ -2,7 +2,7 @@
title: Back up TPM recovery information to Active Directory
description: Learn how to back up the Trusted Platform Module (TPM) recovery information to Active Directory.
ms.topic: conceptual
-ms.date: 02/02/2023
+ms.date: 11/17/2023
---
# Back up the TPM recovery information to AD DS
diff --git a/windows/security/hardware-security/tpm/change-the-tpm-owner-password.md b/windows/security/hardware-security/tpm/change-the-tpm-owner-password.md
index 05ed6c63a9..29abbe115b 100644
--- a/windows/security/hardware-security/tpm/change-the-tpm-owner-password.md
+++ b/windows/security/hardware-security/tpm/change-the-tpm-owner-password.md
@@ -2,7 +2,7 @@
title: Change the TPM owner password
description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system.
ms.topic: conceptual
-ms.date: 04/26/2023
+ms.date: 11/17/2023
---
# Change the TPM owner password
@@ -14,12 +14,7 @@ This article for the IT professional describes how to change the password or PIN
Starting with Windows 10, version 1607, Windows doesn't retain the TPM owner password when provisioning the TPM. The password is set to a random high entropy value and then discarded.
> [!IMPORTANT]
->
-> Although the TPM owner password isn't retained starting with Windows 10, version 1607, you can change a default registry key to retain it. However, we strongly recommend that you don't make this change. To retain the TPM owner password, under the registry key of
->
-> `HKLM\Software\Policies\Microsoft\TPM`
->
-> create a `REG_DWORD` value of `OSManagedAuthLevel` and set it to `4`.
+> Although the TPM owner password isn't retained starting with Windows 10, version 1607, you can change a default registry key to retain it. However, we strongly recommend that you don't make this change. To retain the TPM owner password, under the registry key `HKLM\Software\Policies\Microsoft\TPM`, create a `REG_DWORD` value of `OSManagedAuthLevel` and set it to `4`.
>
> For Windows versions newer than Windows 10 1703, the default value for this key is 5. A value of 5 means:
>
@@ -52,4 +47,4 @@ You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets i
## Related articles
-- [Trusted Platform Module](trusted-platform-module-top-node.md)
+- [Trusted Platform Module](trusted-platform-module-overview.md)
diff --git a/windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md b/windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md
index e75ebe55d6..b513a67096 100644
--- a/windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md
+++ b/windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md
@@ -2,7 +2,7 @@
title: How Windows uses the TPM
description: Learn how Windows uses the Trusted Platform Module (TPM) to enhance security.
ms.topic: conceptual
-ms.date: 02/02/2023
+ms.date: 11/17/2023
---
# How Windows uses the Trusted Platform Module
@@ -31,11 +31,11 @@ The security features of Windows combined with the benefits of a TPM offer pract
## Platform Crypto Provider
-Windows includes a cryptography framework called *Cryptographic API: Next Generation* (CNG), the basic approach of which is to implement cryptographic algorithms in different ways but with a common application programming interface (API). Applications that use cryptography can use the common API without knowing the details of how an algorithm is implemented much less the algorithm itself.
+Windows includes a cryptography framework called Cryptographic API: Next Generation (CNG), the basic approach of which is to implement cryptographic algorithms in different ways but with a common application programming interface (API). Applications that use cryptography can use the common API without knowing the details of how an algorithm is implemented much less the algorithm itself.
Although CNG sounds like a mundane starting point, it illustrates some of the advantages that a TPM provides. Underneath the CNG interface, Windows or third parties supply a cryptographic provider (that is, an implementation of an algorithm) implemented as software libraries alone or in a combination of software and available system hardware or third-party hardware. If implemented through hardware, the cryptographic provider communicates with the hardware behind the software interface of CNG.
-The Platform Crypto Provider, introduced in the Windows 8 operating system, exposes the following special TPM properties, which software-only CNG providers can't offer or can't offer as effectively:
+The Platform Crypto Provider, introduced in the Windows 8, exposes the following special TPM properties, which software-only CNG providers can't offer or can't offer as effectively:
- **Key protection**. The Platform Crypto Provider can create keys in the TPM with restrictions on their use. The operating system can load and use the keys in the TPM without copying the keys to system memory, where they're vulnerable to malware. The Platform Crypto Provider can also configure keys that a TPM protects so that they aren't removable. If a TPM creates a key, the key is unique and resides only in that TPM. If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM isn't a source for making more copies of the key or enabling the use of copies elsewhere. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use.
@@ -49,7 +49,7 @@ These TPM features give Platform Crypto Provider distinct advantages over softwa
Smart cards are physical devices that typically store a single certificate and the corresponding private key. Users insert a smart card into a built-in or USB card reader and enter a PIN to unlock it. Windows can then access the card's certificate and use the private key for authentication or to unlock BitLocker protected data volumes. Smart cards are popular because they provide two-factor authentication that requires both something the user has (that is, the smart card) and something the user knows (such as the smart card PIN). However, smart cards can be expensive because they require purchase and deployment of both smart cards and smart card readers.
-In Windows, the *Virtual Smart Card* feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes *something the user has* but still requires a PIN. While physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM's dictionary attack protection to prevent too many PIN guesses.
+In Windows, the Virtual Smart Card feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes *something the user has* but still requires a PIN. While physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM's dictionary attack protection to prevent too many PIN guesses.
For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key, so that it can't be copied when it is in use or stored and used elsewhere. Using a component that is part of the system rather than a separate physical smart card, can reduce total cost of ownership. The *lost card* or *card left at home* scenarios are not applicable, and the benefits of smart card-based multifactor authentication is preserved. For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access.
@@ -61,7 +61,7 @@ The adoption of new authentication technology requires that identity providers a
Identity providers have flexibility in how they provision credentials on client devices. For example, an organization might provision only those devices that have a TPM so that the organization knows that a TPM protects the credentials. The ability to distinguish a TPM from malware acting like a TPM requires the following TPM capabilities (see Figure 1):
-- **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM).
+- **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an endorsement key. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM).
- **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios.
@@ -129,16 +129,16 @@ The TPM adds hardware-based security benefits to Windows. When installed on hard
-|Feature | Benefits when used on a system with a TPM|
-|---|---|
-| Platform Crypto Provider |
|
-| Virtual Smart Card |
|
-| Windows Hello for Business |
|
-| BitLocker Drive Encryption |
|
-|Device Encryption |
|
-| Measured Boot |
|
-| Health Attestation |
|
-| Credential Guard |
|
+| Feature | Benefits when used on a system with a TPM |
+|----------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Platform Crypto Provider | - If the machine is compromised, the private key associated with the certificate can't be copied off the device.
- The TPM's dictionary attack mechanism protects PIN values to use a certificate. |
+| Virtual Smart Card | Achieve security similar to that of physical smart cards without deploying physical smart cards or card readers. |
+| Windows Hello for Business | - Credentials provisioned on a device can't be copied elsewhere.
- Confirm a device's TPM before credentials are provisioned. |
+| BitLocker Drive Encryption | Multiple options are available for enterprises to protect data at rest while balancing security requirements with different device hardware. |
+| Device Encryption | With a Microsoft account and the right hardware, consumers' devices seamlessly benefit from data-at-rest protection. |
+| Measured Boot | A hardware root of trust contains boot measurements that help detect malware during remote attestation. |
+| Health Attestation | MDM solutions can easily perform remote attestation and evaluate client health before granting access to resources or cloud services such as Office 365. |
+| Credential Guard | Defense in depth increases so that even if malware has administrative rights on one machine, it is significantly more difficult to compromise additional machines in an organization. |
diff --git a/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md
index e9374612fe..9e08708019 100644
--- a/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md
+++ b/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md
@@ -2,9 +2,8 @@
title: Troubleshoot the TPM
description: Learn how to view and troubleshoot the Trusted Platform Module (TPM).
ms.topic: conceptual
-ms.date: 02/02/2023
+ms.date: 11/17/2023
ms.collection:
-- highpri
- tier1
---
@@ -16,13 +15,14 @@ This article provides information how to troubleshoot the Trusted Platform Modul
- [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm)
With TPM 1.2 and Windows 11, you can also take the following actions:
-- [Turn on or turn off the TPM](#turn-on-or-turn-off)
+
+- [Turn on or turn off the TPM](#turn-on-or-turn-off-the-tpm)
For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true).
## About TPM initialization and ownership
-Windows automatically initializes and takes ownership of the TPM. This is a change from previous operating systems, where you had to initialize the TPM and create an owner password.
+Windows automatically initializes and takes ownership of the TPM. There's no need for you to initialize the TPM and create an owner password.
### TPM initialization
@@ -69,7 +69,7 @@ Clearing the TPM can result in data loss. To protect against such loss, review t
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
-**To clear the TPM**
+#### To clear the TPM
1. Open the Windows Defender Security Center app.
1. Select **Device security**.
@@ -79,7 +79,7 @@ Membership in the local Administrators group, or equivalent, is the minimum requ
- You'll be prompted to restart the computer. During the restart, you might be prompted by the UEFI to press a button to confirm that you wish to clear the TPM.
- After the device restarts, your TPM will be automatically prepared for use by Windows.
-## Turn on or turn off the TPM
+## Turn on or turn off the TPM
Normally, the TPM is turned on as part of the TPM initialization process. You don't normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC.
@@ -103,7 +103,7 @@ If you want to stop using the services that are provided by the TPM, you can use
- If you saved your TPM owner password on a removable storage device, insert it, and then select **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, select **Browse** to locate the *.tpm* file that is saved on your removable storage device, select **Open**, and then select **Turn TPM Off**.
- If you don't have the removable storage device with your saved TPM owner password, select **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then select **Turn TPM Off**.
- If you didn't save your TPM owner password or no longer know it, select **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password.
-
+
## Use the TPM cmdlets
You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true).
diff --git a/windows/security/hardware-security/tpm/manage-tpm-commands.md b/windows/security/hardware-security/tpm/manage-tpm-commands.md
index 52a9473f9b..d309758d11 100644
--- a/windows/security/hardware-security/tpm/manage-tpm-commands.md
+++ b/windows/security/hardware-security/tpm/manage-tpm-commands.md
@@ -2,7 +2,7 @@
title: Manage TPM commands
description: This article for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users.
ms.topic: conceptual
-ms.date: 04/26/2023
+ms.date: 11/17/2023
---
# Manage TPM commands
@@ -15,10 +15,9 @@ The following procedures describe how to manage the TPM command lists. You must
## Block TPM commands by using the Local Group Policy Editor
-1. Open the Local Group Policy Editor (gpedit.msc). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
+1. Open the Local Group Policy Editor (`gpedit.msc`). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
> [!NOTE]
- >
> Administrators with appropriate rights in a domain can configure a Group Policy Object (GPO) that can be applied through Active Directory Domain Services (AD DS).
1. In the console tree, under **Computer Configuration**, expand **Administrative Templates**, and then expand **System**.
@@ -32,7 +31,6 @@ The following procedures describe how to manage the TPM command lists. You must
1. For each command that you want to block, select **Add**, enter the command number, and then select **OK**.
> [!NOTE]
- >
> For a list of commands, see links in the [TPM Specification](https://www.trustedcomputinggroup.org/tpm-main-specification/).
1. After you have added numbers for each command that you want to block, select **OK** twice.
@@ -41,9 +39,7 @@ The following procedures describe how to manage the TPM command lists. You must
## Block or allow TPM commands by using the TPM MMC
-1. Open the TPM MMC (tpm.msc)
-
-1. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
+1. Open the TPM MMC (`tpm.msc`). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
1. In the console tree, select **Command Management**. A list of TPM commands is displayed.
@@ -53,9 +49,7 @@ The following procedures describe how to manage the TPM command lists. You must
## Block new commands
-1. Open the TPM MMC (tpm.msc).
-
- If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
+1. Open the TPM MMC (`tpm.msc`). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
1. In the console tree, select **Command Management**. A list of TPM commands is displayed.
@@ -69,4 +63,4 @@ You can manage the TPM using Windows PowerShell. For details, see [TrustedPlatfo
## Related articles
-- [Trusted Platform Module](trusted-platform-module-top-node.md)
+- [Trusted Platform Module](trusted-platform-module-overview.md)
diff --git a/windows/security/hardware-security/tpm/manage-tpm-lockout.md b/windows/security/hardware-security/tpm/manage-tpm-lockout.md
index a281a8e40b..abf6374e8f 100644
--- a/windows/security/hardware-security/tpm/manage-tpm-lockout.md
+++ b/windows/security/hardware-security/tpm/manage-tpm-lockout.md
@@ -2,7 +2,7 @@
title: Manage TPM lockout
description: This article for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
ms.topic: conceptual
-ms.date: 04/26/2023
+ms.date: 11/17/2023
---
# Manage TPM lockout
@@ -17,20 +17,19 @@ Windows takes ownership of the TPM ownership upon first boot. By default, Window
In some cases, encryption keys are protected by a TPM by requiring a valid authorization value to access the key. A common example is configuring BitLocker Drive Encryption to use the TPM plus PIN key protector. In this scenario, the user must type the correct PIN during the boot process to access the volume encryption key protected by the TPM. To prevent malicious users or software from discovering authorization values, TPMs implement protection logic. The protection logic is designed to slow or stop responses from the TPM if it detects that an entity might be trying to guess authorization values.
-### TPM 1.2
-
-The industry standards from the Trusted Computing Group (TCG) specify that TPM manufacturers must implement some form of protection logic in TPM 1.2 and TPM 2.0 chips. TPM 1.2 devices implement different protection mechanisms and behavior. In general, the TPM chip takes exponentially longer to respond if incorrect authorization values are sent to the TPM. Some TPM chips may not store failed attempts over time. Other TPM chips may store every failed attempt indefinitely. Therefore, some users may experience increasingly longer delays when they mistype an authorization value that is sent to the TPM. These delays can prevent them from using the TPM for a period of time.
-
### TPM 2.0
TPM 2.0 devices have standardized lockout behavior which Windows configures. TPM 2.0 devices have a maximum count threshold and a healing time. Windows configures the maximum count to be 32 and the healing time to be 10 minutes. This configuration means that every continuous 10 minutes of powered on operation without an event causes the counter to decrease by 1.
If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner's authorization. This value is no longer retained by default starting with Windows 10 version 1607 and higher.
+### TPM 1.2
+
+The industry standards from the Trusted Computing Group (TCG) specify that TPM manufacturers must implement some form of protection logic in TPM 1.2 and TPM 2.0 chips. TPM 1.2 devices implement different protection mechanisms and behavior. In general, the TPM chip takes exponentially longer to respond if incorrect authorization values are sent to the TPM. Some TPM chips may not store failed attempts over time. Other TPM chips may store every failed attempt indefinitely. Therefore, some users may experience increasingly longer delays when they mistype an authorization value that is sent to the TPM. These delays can prevent them from using the TPM for a period of time.
+
## Reset the TPM lockout by using the TPM MMC
> [!NOTE]
->
> This procedure is only available if you have configured Windows to retain the TPM Owner Password. By default, this password isn't available in Windows 10 starting with version 1607 and higher.
The following procedure explains the steps to reset the TPM lockout by using the TPM MMC.
@@ -39,7 +38,7 @@ The following procedure explains the steps to reset the TPM lockout by using the
1. Open the TPM MMC (tpm.msc).
-1 In the **Action** pane, select **Reset TPM Lockout** to start the Reset TPM Lockout Wizard.
+1. In the **Action** pane, select **Reset TPM Lockout** to start the Reset TPM Lockout Wizard.
1. Choose one of the following methods to enter the TPM owner password:
@@ -77,4 +76,4 @@ You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets i
## Related articles
-- [Trusted Platform Module](trusted-platform-module-top-node.md)
+- [Trusted Platform Module](trusted-platform-module-overview.md)
diff --git a/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
index 01ddf58aa0..281201247a 100644
--- a/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
+++ b/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
@@ -2,14 +2,14 @@
title: UnderstandPCR banks on TPM 2.0 devices
description: Learn about what happens when you switch PCR banks on TPM 2.0 devices.
ms.topic: conceptual
-ms.date: 02/02/2023
+ms.date: 11/17/2023
---
# PCR banks on TPM 2.0 devices
For steps on how to switch PCR banks on TPM 2.0 devices on your PC, you should contact your OEM or UEFI vendor. This article provides background about what happens when you switch PCR banks on TPM 2.0 devices.
-A *Platform Configuration Register (PCR)* is a memory location in the TPM that has some unique properties. The size of the value that can be stored in a PCR is determined by the size of a digest generated by an associated hashing algorithm. A SHA-1 PCR can store 20 bytes - the size of a SHA-1 digest. Multiple PCRs associated with the same hashing algorithm are referred to as a *PCR bank*.
+A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties. The size of the value that can be stored in a PCR is determined by the size of a digest generated by an associated hashing algorithm. A SHA-1 PCR can store 20 bytes - the size of a SHA-1 digest. Multiple PCRs associated with the same hashing algorithm are referred to as a *PCR bank*.
To store a new value in a PCR, the existing value is extended with a new value as follows: `PCR[N] = HASHalg( PCR[N] || ArgumentOfExtend)`
@@ -21,8 +21,7 @@ Some TPM PCRs are used as checksums of log events. The log events are extended i
## How does Windows use PCRs?
-To bind the use of a TPM based key to a certain state of the device, the key can be sealed to an expected set of PCR values.\
-For instance, PCRs 0 through 7 have a well-defined value after the boot process, when the OS is loaded. When the hardware, firmware, or boot loader of the machine changes, the change can be detected in the PCR values. Windows uses this capability to make certain cryptographic keys only available at certain times during the boot process. For instance, the BitLocker key can be used at a certain point in the boot, but not before or after.
+To bind the use of a TPM based key to a certain state of the device, the key can be sealed to an expected set of PCR values. For instance, PCRs 0 through 7 have a well-defined value after the boot process, when the OS is loaded. When the hardware, firmware, or boot loader of the machine changes, the change can be detected in the PCR values. Windows uses this capability to make certain cryptographic keys only available at certain times during the boot process. For instance, the BitLocker key can be used at a certain point in the boot, but not before or after.
It's important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the `SHA-1 PCR[12]`, if using the SHA-256 PCR bank, even with the same system configuration. Otherwise, the PCR values won't match.
@@ -30,7 +29,7 @@ It's important to note that this binding to PCR values also includes the hashing
When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. Each hash algorithm will return a different cryptographic signature for the same inputs.
-As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR bank to SHA-256, the banks wouldn't match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows won't be able to unseal it if the PCR banks are switched while BitLocker is enabled.
+As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR[12] and subsequently changed the PCR bank to SHA-256, the banks wouldn't match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows won't be able to unseal it if the PCR banks are switched while BitLocker is enabled.
## What can I do to switch PCRs when BitLocker is already active?
@@ -42,7 +41,7 @@ You can configure a TPM to have multiple PCR banks active. When BIOS performs me
- Registry key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices`
- DWORD: `TPMActivePCRBanks`
-- Defines which PCR banks are currently active. (This value should be interpreted as a bitmap for which the bits are defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 21 of Revision 1.27.)
+- Defines which PCR banks are currently active. This value should be interpreted as a bitmap for which the bits are defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 21 of Revision 1.27.
Windows checks which PCR banks are active and supported by the BIOS. Windows also checks if the measured boot log supports measurements for all active PCR banks. Windows will prefer the use of the SHA-256 bank for measurements and will fall back to SHA1 PCR bank if one of the pre-conditions isn't met.
@@ -50,6 +49,6 @@ You can identify which PCR bank is currently used by Windows by looking at the r
- Registry key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices`
- DWORD: `TPMDigestAlgID`
-- Algorithm ID of the PCR bank that Windows is currently using. (This value represents an algorithm identifier as defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 3 of Revision 1.27.)
+- Algorithm ID of the PCR bank that Windows is currently using. This value represents an algorithm identifier as defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 3 of Revision 1.27.
Windows only uses one PCR bank to continue boot measurements. All other active PCR banks will be extended with a separator to indicate that they aren't used by Windows and measurements that appear to be from Windows shouldn't be trusted.
diff --git a/windows/security/hardware-security/tpm/tpm-fundamentals.md b/windows/security/hardware-security/tpm/tpm-fundamentals.md
index 4393c94d01..d4612701db 100644
--- a/windows/security/hardware-security/tpm/tpm-fundamentals.md
+++ b/windows/security/hardware-security/tpm/tpm-fundamentals.md
@@ -2,24 +2,27 @@
title: Trusted Platform Module (TPM) fundamentals
description: Learn about the components of the Trusted Platform Module and how they're used to mitigate dictionary attacks.
ms.topic: conceptual
-ms.date: 03/09/2023
+ms.date: 11/17/2023
---
# TPM fundamentals
-This article provides a description of the *Trusted Platform Module* (TPM 1.2 and TPM 2.0) components, and explains how they're used to mitigate dictionary attacks.
+This article provides a description of the Trusted Platform Module (TPM 1.2 and TPM 2.0) components, and explains how they're used to mitigate dictionary attacks.
A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is installed on the motherboard of a computer, and it communicates with the rest of the system by using a hardware bus.
-Devices that incorporate a TPM can create cryptographic keys and encrypt them, so that the keys can only be decrypted by the TPM. This process, often called *wrapping* or *binding a key*, can help protect the key from disclosure. Each TPM has a *master wrapping key*, called the *storage root key*, which is stored within the TPM itself. The private portion of a storage root key, or *endorsement key*, that is created in a TPM is never exposed to any other component, software, process, or user.
+Devices that incorporate a TPM can create cryptographic keys and encrypt them, so that the keys can only be decrypted by the TPM. This process, often called "wrapping" or "binding" a key, can help protect the key from disclosure. Each TPM has a primary wrapping key, called the **storage root key**, which is stored within the TPM itself. The private portion of a storage root key, or **endorsement key**, that is created in a TPM is never exposed to any other component, software, process, or user.
-You can specify whether encryption keys that are created by the TPM can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys can't be migrated, the private portion of the key is never exposed outside the TPM.
+You can specify whether encryption keys that the TPM creates can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys can't be migrated, the private portion of the key is never exposed outside the TPM.
Devices that incorporate a TPM can also create a key wrapped and tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as *sealing the key to the TPM*. Decrypting the key is called *unsealing*. The TPM can also seal and unseal data that is generated outside the TPM. With sealed key and software, such as BitLocker Drive Encryption, data can be locked until specific hardware or software conditions are met.
With a TPM, private portions of key pairs are kept separate from the memory that is controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system (assurances that define the trustworthiness of a system) can be made before the keys are unsealed and released for use. The TPM uses its own internal firmware and logic circuits to process instructions. Hence, it doesn't rely on the operating system and it isn't exposed to vulnerabilities that might exist in the operating system or application software.
-For information about which versions of Windows support which versions of the TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md). The features that are available in the versions are defined in specifications by the Trusted Computing Group (TCG). For more information, see the Trusted Platform Module page on the Trusted Computing Group website: [Trusted Platform Module](http://www.trustedcomputinggroup.org/developers/trusted_platform_module).
+- For information about which versions of Windows support which versions of the TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md).
+- For more information about which TPM services can be controlled centrally by using Group Policy settings, see [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md).
+
+The features that are available in the versions are defined in specifications by the Trusted Computing Group (TCG). For more information, see the [Trusted Platform Module page](http://www.trustedcomputinggroup.org/developers/trusted_platform_module) on the Trusted Computing Group website.
The following sections provide an overview of the technologies that support the TPM:
@@ -33,12 +36,9 @@ The following sections provide an overview of the technologies that support the
- [TPM Key Attestation](#key-attestation)
- [Anti-hammering](#anti-hammering)
-The following article describes the TPM services that can be controlled centrally by using Group Policy settings:
-[TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md).
-
## Measured Boot with support for attestation
-The *Measured Boot* feature provides anti-malware software with a trusted (resistant to spoofing and tampering) log of all boot components. Anti-malware software can use the log to determine whether components that ran before it are trustworthy or infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can start remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate.
+The Measured Boot feature provides anti-malware software with a trusted (resistant to spoofing and tampering) log of all boot components. Anti-malware software can use the log to determine whether components that ran before it are trustworthy or infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can start remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate.
## TPM-based Virtual Smart Card
@@ -48,7 +48,7 @@ The Virtual Smart Card emulates the functionality of traditional smart cards. Vi
## TPM-based certificate storage
-The TPM protects certificates and RSA keys. The TPM key storage provider (KSP) provides easy and convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP generates keys when an organization enrolls for certificates. The TPM also protects certificates that are imported from an outside source. TPM-based certificates are standard certificates. The certificate can never leave the TPM from which the keys are generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](/windows/win32/seccng/cng-portal).
+The TPM protects certificates and RSA keys. The TPM key storage provider (KSP) provides easy and convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP generates keys when an organization enrolls for certificates. The TPM also protects certificates that are imported from an outside source. TPM-based certificates are standard certificates. The certificate can never leave the TPM from which the keys are generated. The TPM can also be used for crypto-operations through [Cryptography API: Next Generation (CNG)](/windows/win32/seccng/cng-portal).
## TPM Cmdlets
@@ -68,7 +68,7 @@ A trusted application can use TPM only if the TPM contains an endorsement key, w
## Key attestation
-*TPM key attestation* allows a certification authority to verify that a private key is protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys proven valid are used to bind the user identity to a device. The user certificate with a TPM-attested key provides higher security assurance backed up by non-exportability, anti-hammering, and isolation of keys provided by a TPM.
+TPM key attestation allows a certification authority to verify that a private key is protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys proven valid are used to bind the user identity to a device. The user certificate with a TPM-attested key provides higher security assurance backed up by nonexportability, anti-hammering, and isolation of keys provided by a TPM.
## Anti-hammering
@@ -84,12 +84,9 @@ TPM 2.0 has well defined anti-hammering behavior. This is in contrast to TPM 1.2
For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every 10 minutes. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.
-Attempts to use a key with an authorization value for the next 10 minutes wouldn't return success or failure. Instead, the response indicates that the TPM is locked.\
-After 10 minutes, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31. The TPM leaves the locked state and returns to normal operation.\
-With the correct authorization value, keys could be used normally if no authorization failures occur during the next 10 minutes. If a period of 320 minutes elapses with no authorization failures, the TPM doesn't remember any authorization failures, and 32 failed attempts could occur again.
+Attempts to use a key with an authorization value for the next 10 minutes wouldn't return success or failure. Instead, the response indicates that the TPM is locked. After 10 minutes, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31. The TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next 10 minutes. If a period of 320 minutes elapses with no authorization failures, the TPM doesn't remember any authorization failures, and 32 failed attempts could occur again.
-Windows doesn't require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated.\
-Windows requires that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for 10 minutes.
+Windows doesn't require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated. Windows requires that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for 10 minutes.
The anti-hammering protection for TPM 2.0 can be fully reset immediately by sending a reset lockout command to the TPM, and providing the TPM owner password. By default, Windows automatically provisions TPM 2.0 and stores the TPM owner password for use by system administrators.
@@ -99,18 +96,16 @@ TPM 2.0 allows some keys to be created without an authorization value associated
### Rationale behind the defaults
-Originally, BitLocker allowed from 4 to 20 characters for a PIN.
-Windows Hello has its own PIN for sign-in, which can be 4 to 127 characters.
-Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
+Originally, BitLocker allowed from 4 to 20 characters for a PIN. Windows Hello has its own PIN for sign-in, which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
Windows 10, version 1607 and earlier used Dictionary Attack Prevention parameters. The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This totals a maximum of about 4415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years.
-Staring in Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to six characters, to better align with other Windows features that use TPM 2.0, including Windows Hello. Increasing the PIN length requires a greater number of guesses for an attacker. Therefore, the lockout duration between each guess was shortened to allow legitimate users to retry a failed attempt sooner while maintaining a similar level of protection. In case the legacy parameters for lockout threshold and recovery time need to be used, make sure that GPO is enabled and [configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings#configure-the-system-to-use-legacy-dictionary-attack-prevention-parameters-setting-for-tpm-20).
+Starting in Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to six characters, to better align with other Windows features that use TPM 2.0, including Windows Hello. Increasing the PIN length requires a greater number of guesses for an attacker. Therefore, the lockout duration between each guess was shortened to allow legitimate users to retry a failed attempt sooner while maintaining a similar level of protection. In case the legacy parameters for lockout threshold and recovery time need to be used, make sure that GPO is enabled and [configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings#configure-the-system-to-use-legacy-dictionary-attack-prevention-parameters-setting-for-tpm-20).
### TPM-based smart cards
The Windows TPM-based smart card, which is a virtual smart card, can be configured to allow sign in to the system. In contrast with physical smart cards, the sign-in process uses a TPM-based key with an authorization value. The following list shows the advantages of virtual smart cards:
-- Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered.
- With a virtual smart card, the TPM's anti-hammering protection isn't reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors
-- Hardware manufacturers and software developers can use the security features of the TPM to meet their requirements
-- The intent of selecting 32 failures as the lock-out threshold is to avoid users to lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must wait 10 minutes or use other credentials to sign in, such as a user name and password
+
+- Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. With a virtual smart card, the TPM's anti-hammering protection isn't reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors.
+- Hardware manufacturers and software developers can use the security features of the TPM to meet their requirements.
+- The intent of selecting 32 failures as the lock-out threshold is to avoid users to lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must wait 10 minutes or use other credentials to sign in, such as a user name and password.
diff --git a/windows/security/hardware-security/tpm/tpm-recommendations.md b/windows/security/hardware-security/tpm/tpm-recommendations.md
index afea335006..4471400a65 100644
--- a/windows/security/hardware-security/tpm/tpm-recommendations.md
+++ b/windows/security/hardware-security/tpm/tpm-recommendations.md
@@ -2,9 +2,8 @@
title: TPM recommendations
description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows.
ms.topic: conceptual
-ms.date: 02/02/2023
+ms.date: 11/17/2023
ms.collection:
-- highpri
- tier1
---
@@ -35,25 +34,15 @@ From an industry standard, Microsoft has been an industry leader in moving and s
TPM 2.0 products and systems have important security advantages over TPM 1.2, including:
- The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm.
-
- For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have announced they will remove support for SHA-1 based signing or certificates in 2017.
-
- TPM 2.0 **enables greater crypto agility** by being more flexible with respect to cryptographic algorithms.
-
- TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance. For the full list of supported algorithms, see the [TCG Algorithm Registry](http://www.trustedcomputinggroup.org/tcg-algorithm-registry/). Some TPMs don't support all algorithms.
-
- For the list of algorithms that Windows supports in the platform cryptographic storage provider, see [CNG Cryptographic Algorithm Providers](/windows/win32/seccertenroll/cng-cryptographic-algorithm-providers).
-
- TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](https://www.microsoft.com/security/blog/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption)).
-
- Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions.
-
- TPM 2.0 offers a more **consistent experience** across different implementations.
-
- TPM 1.2 implementations vary in policy settings. This may result in support issues as lockout policies vary.
-
- TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee.
-
- While TPM 1.2 parts are discrete silicon components, which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s), and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC.
> [!NOTE]
@@ -65,11 +54,9 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
There are three implementation options for TPMs:
-- Discrete TPM chip as a separate component in its own semiconductor package
-
-- Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components
-
-- Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit
+- Discrete TPM chip as a separate component in its own semiconductor package.
+- Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components.
+- Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit.
Windows uses any compatible TPM in the same way. Microsoft does not take a position on which way a TPM should be implemented and there is a wide ecosystem of available TPM solutions, which should suit all needs.
@@ -95,22 +82,22 @@ For end consumers, TPM is behind the scenes but is still relevant. TPM is used f
The following table defines which Windows features require TPM support.
- Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details |
--|-|-|-|-
- Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated.
- BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. [Automatic Device Encryption requires Modern Standby](../../operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) including TPM 2.0 support
- Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0.
- Windows Defender Application Control (Device Guard) | No | Yes | Yes
- Windows Defender System Guard (DRTM) | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
- Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. Paired with Windows Defender System Guard, TPM 2.0 provides enhanced security for Credential Guard. Windows 11 requires TPM 2.0 by default to facilitate easier enablement of this enhanced security for customers.
- Device Health Attestation| Yes | Yes | Yes | TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated.
- Windows Hello/Windows Hello for Business| No | Yes | Yes | Microsoft Entra join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. TPM 2.0 is recommended over TPM 1.2 for better performance and security. Windows Hello as a FIDO platform authenticator will take advantage of TPM 2.0 for key storage.
- UEFI Secure Boot | No | Yes | Yes
- TPM Platform Crypto Provider Key Storage Provider| Yes | Yes | Yes
- Virtual Smart Card | Yes | Yes | Yes
- Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM.
- Autopilot | No | N/A | Yes | If you intend to deploy a scenario which requires TPM (such as white glove and self-deploying mode), then TPM 2.0 and UEFI firmware are required.
- SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
+| Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details |
+|--|--|--|--|--|
+| Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated. |
+| BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. [Device Encryption requires Modern Standby](../../operating-system-security/data-protection/bitlocker/index.md#device-encryption) including TPM 2.0 support |
+| Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. |
+| Windows Defender Application Control (Device Guard) | No | Yes | Yes |
+| Windows Defender System Guard (DRTM) | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. |
+| Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. Paired with Windows Defender System Guard, TPM 2.0 provides enhanced security for Credential Guard. Windows 11 requires TPM 2.0 by default to facilitate easier enablement of this enhanced security for customers. |
+| Device Health Attestation | Yes | Yes | Yes | TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated. |
+| Windows Hello/Windows Hello for Business | No | Yes | Yes | Microsoft Entra join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. TPM 2.0 is recommended over TPM 1.2 for better performance and security. Windows Hello as a FIDO platform authenticator will take advantage of TPM 2.0 for key storage. |
+| UEFI Secure Boot | No | Yes | Yes |
+| TPM Platform Crypto Provider Key Storage Provider | Yes | Yes | Yes |
+| Virtual Smart Card | Yes | Yes | Yes |
+| Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM. |
+| Autopilot | No | N/A | Yes | If you intend to deploy a scenario which requires TPM (such as white glove and self-deploying mode), then TPM 2.0 and UEFI firmware are required. |
+| SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. |
## OEM Status on TPM 2.0 system availability and certified parts
@@ -118,4 +105,4 @@ Government customers and enterprise customers in regulated industries may have a
## Related topics
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
+- [Trusted Platform Module](trusted-platform-module-overview.md)
diff --git a/windows/security/hardware-security/tpm/trusted-platform-module-overview.md b/windows/security/hardware-security/tpm/trusted-platform-module-overview.md
index 8d35f5065b..46a0c61d51 100644
--- a/windows/security/hardware-security/tpm/trusted-platform-module-overview.md
+++ b/windows/security/hardware-security/tpm/trusted-platform-module-overview.md
@@ -2,9 +2,8 @@
title: Trusted Platform Module Technology Overview
description: Learn about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
ms.topic: conceptual
-ms.date: 02/22/2023
+ms.date: 11/17/2023
ms.collection:
-- highpri
- tier1
---
@@ -14,21 +13,26 @@ This article describes the Trusted Platform Module (TPM) and how Windows uses it
## Feature description
-The [*Trusted Platform Module (TPM)*](/windows/security/information-protection/tpm/trusted-platform-module-top-node) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the advantages of using TPM technology are:
+The [Trusted Platform Module (TPM)](/windows/security/information-protection/tpm/trusted-platform-module-overview) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the advantages of using TPM technology are:
-- Generate, store, and limit the use of cryptographic keys
-- Use it for device authentication by using the TPM's unique RSA key, which is burned into the chip
-- Help ensure platform integrity by taking and storing security measurements of the boot process
+- Generate, store, and limit the use of cryptographic keys.
+- Use it for device authentication by using the TPM's unique RSA key, which is burned into the chip.
+- Help ensure platform integrity by taking and storing security measurements of the boot process.
The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system.
-TPM-based keys can be configured in a variety of ways. One option is to make a TPM-based key unavailable outside the TPM. This is good to mitigate phishing attacks because it prevents the key from being copied and used without the TPM. TPM-based keys can also be configured to require an authorization value to use them. If too many incorrect authorization guesses occur, the TPM will activate its dictionary attack logic and prevent further authorization value guesses.
+TPM-based keys can be configured in various ways. One option is to make a TPM-based key unavailable outside the TPM. This is good to mitigate phishing attacks because it prevents the key from being copied and used without the TPM. TPM-based keys can also be configured to require an authorization value to use them. If too many incorrect authorization guesses occur, the TPM activates its dictionary attack logic and prevents further authorization value guesses.
Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, see the [TCG Web site](http://www.trustedcomputinggroup.org/work-groups/trusted-platform-module/).
-### Automatic initialization of the TPM with Windows
+[!INCLUDE [trusted-platform-module-tpm-20](../../../../includes/licensing/trusted-platform-module-tpm.md)]
-Starting with Windows 10 and Windows 11, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). We're [no longer actively developing the TPM management console](/windows-server/get-started-19/removed-features-19#features-were-no-longer-developing) beginning with Windows Server 2019 and Windows 10, version 1809.
+## Automatic initialization of the TPM with Windows
+
+Starting with Windows 10 and Windows 11, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
+
+> [!NOTE]
+> We're [no longer actively developing the TPM management console](/windows-server/get-started-19/removed-features-19#features-were-no-longer-developing) beginning with Windows Server 2019 and Windows 10, version 1809.
In certain specific enterprise scenarios limited to Windows 10, versions 1507 and 1511, Group Policy might be used to back up the TPM owner authorization value in Active Directory. Because the TPM state persists across operating system installations, this TPM information is stored in a location in Active Directory that is separate from computer objects.
@@ -38,21 +42,15 @@ Certificates can be installed or created on computers that are using the TPM. Af
Automated provisioning in the TPM reduces the cost of TPM deployment in an enterprise. New APIs for TPM management can determine if TPM provisioning actions require physical presence of a service technician to approve TPM state change requests during the boot process.
-Anti-malware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 or Windows 11 or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization aren't running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry.
+Anti-malware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows. These measurements include the launch of Hyper-V to test that datacenters using virtualization aren't running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry.
The TPM has several Group Policy settings that might be useful in certain enterprise scenarios. For more info, see [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md).
-[!INCLUDE [trusted-platform-module-tpm-20](../../../../includes/licensing/trusted-platform-module-tpm.md)]
-
-## New and changed functionality
-
-For more info on new and changed functionality for Trusted Platform Module in Windows, see [What's new in Trusted Platform Module?](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#trusted-platform-module)
-
## Device health attestation
-Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource.
+Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that allows or denies a managed device access to a secure resource.
-Some security issues that you can check on the device include the following:
+Some security issues that you can check on the devices include:
- Is Data Execution Prevention supported and enabled?
- Is BitLocker Drive Encryption supported and enabled?
diff --git a/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md
index d74612ae4a..4ea0c0f2d7 100644
--- a/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md
@@ -2,18 +2,12 @@
title: TPM Group Policy settings
description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
ms.topic: conceptual
-ms.date: 07/31/2023
+ms.date: 11/17/2023
---
# TPM Group Policy settings
-This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
-
-The Group Policy settings for TPM services are located at:
-
-**Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\**
-
-The following Group Policy settings were introduced in Windows.
+This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. The Group Policy settings for TPM services are located under **Computer Configuration** > **Administrative Templates** > **System** > **Trusted Platform Module Services**.
## Configure the level of TPM owner authorization information available to the operating system
@@ -22,28 +16,27 @@ The following Group Policy settings were introduced in Windows.
This policy setting configured which TPM authorization values are stored in the registry of the local computer. Certain authorization values are required in order to allow Windows to perform certain actions.
-|TPM 1.2 value | TPM 2.0 value | Purpose | Kept at level 0?| Kept at level 2?| Kept at level 4? |
-|--------------|---------------|---------|-----------------|-----------------|------------------|
-| OwnerAuthAdmin | StorageOwnerAuth | Create SRK | No | Yes | Yes |
-| OwnerAuthEndorsement | EndorsementAuth | Create or use EK (1.2 only: Create AIK) | No | Yes | Yes |
-| OwnerAuthFull | LockoutAuth | Reset/change Dictionary Attack Protection | No | No | Yes |
+| TPM 1.2 value | TPM 2.0 value | Purpose | Kept at level 0? | Kept at level 2? | Kept at level 4? |
+|----------------------|------------------|-------------------------------------------|------------------|------------------|------------------|
+| OwnerAuthAdmin | StorageOwnerAuth | Create SRK | No | Yes | Yes |
+| OwnerAuthEndorsement | EndorsementAuth | Create or use EK (1.2 only: Create AIK) | No | Yes | Yes |
+| OwnerAuthFull | LockoutAuth | Reset/change Dictionary Attack Protection | No | No | Yes |
There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**.
-- **Full** This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. Full owner authorization in TPM 1.2 is similar to lockout authorization in TPM 2.0. Owner authorization has a different meaning for TPM 2.0.
+- **Full**: This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. Full owner authorization in TPM 1.2 is similar to lockout authorization in TPM 2.0. Owner authorization has a different meaning for TPM 2.0.
-- **Delegated** This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows prior to version 1703.
+- **Delegated**: This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows prior to version 1703.
-- **None** This setting provides compatibility with previous operating systems and applications. You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications.
+- **None**: This setting provides compatibility with previous operating systems and applications. You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications.
> [!NOTE]
> If the operating system managed TPM authentication setting is changed from **Full** to **Delegated**, the full TPM owner authorization value will be regenerated, and any copies of the previously set TPM owner authorization value will be invalid.
**Registry information**
-Registry key: HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\TPM
-
-DWORD: OSManagedAuthLevel
+Registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM`
+DWORD: `OSManagedAuthLevel`
The following table shows the TPM owner authorization values in the registry.
@@ -68,9 +61,8 @@ This setting helps administrators prevent the TPM hardware from entering a locko
For each standard user, two thresholds apply. Exceeding either threshold prevents the user from sending a command that requires authorization to the TPM. Use the following policy settings to set the lockout duration:
-- [Standard User Individual Lockout Threshold](#standard-user-individual-lockout-threshold) This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM.
-
-- [Standard User Total Lockout Threshold](#standard-user-total-lockout-threshold) This value is the maximum total number of authorization failures that all standard users can have before all standard users are not allowed to send commands that require authorization to the TPM.
+- [Standard User Individual Lockout Threshold](#standard-user-individual-lockout-threshold): This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM.
+- [Standard User Total Lockout Threshold](#standard-user-total-lockout-threshold): This value is the maximum total number of authorization failures that all standard users can have before all standard users are not allowed to send commands that require authorization to the TPM.
An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the Windows Defender Security Center. Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally.
@@ -118,9 +110,7 @@ Introduced in Windows 10, version 1703, this policy setting configures the TPM t
## TPM Group Policy settings in Windows Security
-You can change what users see about TPM in **Windows Security**. The Group Policy settings for the TPM area in **Windows Security** are located at:
-
-**Computer Configuration\\Administrative Templates\\Windows Components\\Windows Security\\Device security**
+You can change what users see about TPM in **Windows Security**. The Group Policy settings for the TPM area in **Windows Security** are located under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Security** > **Device security**.
### Disable the Clear TPM button
@@ -132,6 +122,6 @@ If you don't want users to see the recommendation to update TPM firmware, you ca
## Related topics
-- [Trusted Platform Module](trusted-platform-module-top-node.md)
+- [Trusted Platform Module](trusted-platform-module-overview.md)
- [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true)
-- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../../operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md)
+- [BitLocker planning guide](../../operating-system-security/data-protection/bitlocker/planning-guide.md)
diff --git a/windows/security/hardware-security/tpm/trusted-platform-module-top-node.md b/windows/security/hardware-security/tpm/trusted-platform-module-top-node.md
deleted file mode 100644
index c19e762bdf..0000000000
--- a/windows/security/hardware-security/tpm/trusted-platform-module-top-node.md
+++ /dev/null
@@ -1,25 +0,0 @@
----
-title: Trusted Platform Module
-description: This topic for the IT professional provides links to information about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
-ms.topic: conceptual
-ms.date: 02/02/2023
-ms.collection:
-- highpri
-- tier1
----
-
-# Trusted Platform Module
-
-Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. The following topics provide details.
-
-
-
-| Topic | Description |
-|-------|-------------|
-| [Trusted Platform Module Overview](trusted-platform-module-overview.md) | Provides an overview of the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. |
-| [TPM fundamentals](tpm-fundamentals.md) | Provides background about how a TPM can work with cryptographic keys. Also describes technologies that work with the TPM, such as TPM-based virtual smart cards. |
-| [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) | Describes TPM services that can be controlled centrally by using Group Policy settings. |
-| [Back up the TPM recovery information to AD DS](backup-tpm-recovery-information-to-ad-ds.md) | For Windows 10, version 1511 and Windows 10, version 1507 only, describes how to back up a computer's TPM information to Active Directory Domain Services. |
-| [Troubleshoot the TPM](initialize-and-configure-ownership-of-the-tpm.md) | Describes actions you can take through the TPM snap-in, TPM.msc: view TPM status, troubleshoot TPM initialization, and clear keys from the TPM. Also, for TPM 1.2 and Windows 10, version 1507 or 1511, or Windows 11, describes how to turn the TPM on or off. |
-| [Understanding PCR banks on TPM 2.0 devices](switch-pcr-banks-on-tpm-2-0-devices.md) | Provides background about what happens when you switch PCR banks on TPM 2.0 devices. |
-| [TPM recommendations](tpm-recommendations.md) | Discusses aspects of TPMs such as the difference between TPM 1.2 and 2.0, and the Windows features for which a TPM is required or recommended. |
diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md
index 0cc106f7cb..3a7b6d25bd 100644
--- a/windows/security/identity-protection/access-control/access-control.md
+++ b/windows/security/identity-protection/access-control/access-control.md
@@ -1,7 +1,7 @@
---
-ms.date: 11/22/2022
-title: Access Control Overview
-description: Description of the access controls in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer.
+ms.date: 11/07/2023
+title: Access Control overview
+description: Learn about access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer.
ms.topic: overview
appliesto:
- ✅ Windows 11
@@ -11,33 +11,37 @@ appliesto:
- ✅ Windows Server 2016
---
-# Access Control Overview
+# Access control overview
-This topic for the IT professional describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing.
+This article describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are:
-## Feature description
+- permissions
+- ownership of objects
+- inheritance of permissions
+- user rights
+- object auditing
Computers that are running a supported version of Windows can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. After a user is authenticated, the Windows operating system uses built-in authorization and access control technologies to implement the second phase of protecting resources: determining if an authenticated user has the correct permissions to access a resource.
-Shared resources are available to users and groups other than the resource's owner, and they need to be protected from unauthorized use. In the access control model, users and groups (also referred to as security principals) are represented by unique security identifiers (SIDs). They are assigned rights and permissions that inform the operating system what each user and group can do. Each resource has an owner who grants permissions to security principals. During the access control check, these permissions are examined to determine which security principals can access the resource and how they can access it.
+Shared resources are available to users and groups other than the resource's owner, and they need to be protected from unauthorized use. In the access control model, users and groups (also referred to as security principals) are represented by unique security identifiers (SIDs). They're assigned rights and permissions that inform the operating system what each user and group can do. Each resource has an owner who grants permissions to security principals. During the access control check, these permissions are examined to determine which security principals can access the resource and how they can access it.
Security principals perform actions (which include Read, Write, Modify, or Full control) on objects. Objects include files, folders, printers, registry keys, and Active Directory Domain Services (AD DS) objects. Shared resources use access control lists (ACLs) to assign permissions. This enables resource managers to enforce access control in the following ways:
- Deny access to unauthorized users and groups
- Set well-defined limits on the access that is provided to authorized users and groups
-Object owners generally grant permissions to security groups rather than to individual users. Users and computers that are added to existing groups assume the permissions of that group. If an object (such as a folder) can hold other objects (such as subfolders and files), it is called a container. In a hierarchy of objects, the relationship between a container and its content is expressed by referring to the container as the parent. An object in the container is referred to as the child, and the child inherits the access control settings of the parent. Object owners often define permissions for container objects, rather than individual child objects, to ease access control management.
+Object owners generally grant permissions to security groups rather than to individual users. Users and computers that are added to existing groups assume the permissions of that group. If an object (such as a folder) can hold other objects (such as subfolders and files), it's called a container. In a hierarchy of objects, the relationship between a container and its content is expressed by referring to the container as the parent. An object in the container is referred to as the child, and the child inherits the access control settings of the parent. Object owners often define permissions for container objects, rather than individual child objects, to ease access control management.
This content set contains:
-- [Dynamic Access Control Overview](/windows-server/identity/solution-guides/dynamic-access-control-overview)
-- [Security identifiers](/windows-server/identity/ad-ds/manage/understand-security-identifiers)
-- [Security Principals](/windows-server/identity/ad-ds/manage/understand-security-principals)
+- [Dynamic Access Control Overview][SERV-1]
+- [Security identifiers][SERV-2]
+- [Security Principals][SERV-3]
- [Local Accounts](local-accounts.md)
- - [Active Directory Accounts](/windows-server/identity/ad-ds/manage/understand-default-user-accounts)
- - [Microsoft Accounts](/windows-server/identity/ad-ds/manage/understand-microsoft-accounts)
- - [Service Accounts](/windows-server/identity/ad-ds/manage/understand-service-accounts)
- - [Active Directory Security Groups](/windows-server/identity/ad-ds/manage/understand-security-groups)
+ - [Active Directory Accounts][SERV-4]
+ - [Microsoft Accounts][SERV-5]
+ - [Service Accounts][SERV-6]
+ - [Active Directory Security Groups][SERV-7]
[!INCLUDE [access-control-aclsacl](../../../../includes/licensing/access-control-aclsacl.md)]
@@ -45,18 +49,18 @@ This content set contains:
Administrators who use the supported version of Windows can refine the application and management of access control to objects and subjects to provide the following security:
-- Protect a greater number and variety of network resources from misuse.
-- Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs.
-- Enable users to access resources from a variety of devices in numerous locations.
-- Update users' ability to access resources on a regular basis as an organization's policies change or as users' jobs change.
-- Account for a growing number of use scenarios (such as access from remote locations or from a rapidly expanding variety of devices, such as tablet computers and mobile phones).
-- Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs.
+- Protect a greater number and variety of network resources from misuse
+- Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs
+- Enable users to access resources from various devices in numerous locations
+- Update users' ability to access resources regularly as an organization's policies change or as users' jobs change
+- Account for a growing number of use scenarios (such as access from remote locations or from a rapidly expanding variety of devices, such as tablet computers and mobile phones)
+- Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs
## Permissions
Permissions define the type of access that is granted to a user or group for an object or object property. For example, the Finance group can be granted Read and Write permissions for a file named Payroll.dat.
-By using the access control user interface, you can set NTFS permissions for objects such as files, Active Directory objects, registry objects, or system objects such as processes. Permissions can be granted to any user, group, or computer. It is a good practice to assign permissions to groups because it improves system performance when verifying access to an object.
+By using the access control user interface, you can set NTFS permissions for objects such as files, Active Directory objects, registry objects, or system objects such as processes. Permissions can be granted to any user, group, or computer. It's a good practice to assign permissions to groups because it improves system performance when verifying access to an object.
For any object, you can grant permissions to:
@@ -73,26 +77,25 @@ The permissions attached to an object depend on the type of object. For example,
When you set permissions, you specify the level of access for groups and users. For example, you can let one user read the contents of a file, let another user make changes to the file, and prevent all other users from accessing the file. You can set similar permissions on printers so that certain users can configure the printer and other users can only print.
-When you need to change the permissions on a file, you can run Windows Explorer, right-click the file name, and click **Properties**. On the **Security** tab, you can change permissions on the file. For more information, see [Managing Permissions](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770962(v=ws.11)).
+When you need to change the permissions on a file, you can run Windows Explorer, right-click the file name, and select **Properties**. On the **Security** tab, you can change permissions on the file. For more information, see [Managing Permissions][PREV-1].
> [!NOTE]
-> Another kind of permissions, called share permissions, is set on the Sharing tab of a folder's **Properties** page or by using the Shared Folder Wizard. For more information see [Share and NTFS Permissions on a File Server](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754178(v=ws.11)).
-
+> Another kind of permissions, called share permissions, is set on the Sharing tab of a folder's **Properties** page or by using the Shared Folder Wizard. For more information, see [Share and NTFS Permissions on a File Server][PREV-2].
### Ownership of objects
-An owner is assigned to an object when that object is created. By default, the owner is the creator of the object. No matter what permissions are set on an object, the owner of the object can always change the permissions. For more information, see [Manage Object Ownership](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732983(v=ws.11)).
+An owner is assigned to an object when that object is created. By default, the owner is the creator of the object. No matter what permissions are set on an object, the owner of the object can always change the permissions. For more information, see [Manage Object Ownership][PREV-3].
### Inheritance of permissions
-Inheritance allows administrators to easily assign and manage permissions. This feature automatically causes objects within a container to inherit all the inheritable permissions of that container. For example, the files within a folder inherit the permissions of the folder. Only permissions marked to be inherited will be inherited.
+Inheritance allows administrators to easily assign and manage permissions. This feature automatically causes objects within a container to inherit all the inheritable permissions of that container. For example, the files within a folder inherit the permissions of the folder. Only permissions marked to be inherited are inherited.
## User rights
User rights grant specific privileges and sign-in rights to users and groups in your computing environment. Administrators can assign specific rights to group accounts or to individual user accounts. These rights authorize users to perform specific actions, such as signing in to a system interactively or backing up files and directories.
-User rights are different from permissions because user rights apply to user accounts, and permissions are associated with objects. Although user rights can apply to individual user accounts, user rights are best administered on a group account basis. There is no support in the access control user interface to grant user rights. However, user rights assignment can be administered through **Local Security Settings**.
+User rights are different from permissions because user rights apply to user accounts, and permissions are associated with objects. Although user rights can apply to individual user accounts, user rights are best administered on a group account basis. There's no support in the access control user interface to grant user rights. However, user rights assignment can be administered through **Local Security Settings**.
-For more information about user rights, see [User Rights Assignment](/windows/device-security/security-policy-settings/user-rights-assignment).
+For more information about user rights, see [User Rights Assignment](../../threat-protection/security-policy-settings/user-rights-assignment.md).
## Object auditing
@@ -102,4 +105,18 @@ For more information about auditing, see [Security Auditing Overview](../../thre
## See also
-- For more information about access control and authorization, see [Access Control and Authorization Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/jj134043(v=ws.11)).
+For more information about access control and authorization, see [Access Control and Authorization Overview][PREV-4].
+
+
+
+[SERV-1]: /windows-server/identity/solution-guides/dynamic-access-control-overview
+[SERV-2]: /windows-server/identity/ad-ds/manage/understand-security-identifiers
+[SERV-3]: /windows-server/identity/ad-ds/manage/understand-security-principals
+[SERV-4]: /windows-server/identity/ad-ds/manage/understand-default-user-accounts
+[SERV-5]: /windows-server/identity/ad-ds/manage/understand-microsoft-accounts
+[SERV-6]: /windows-server/identity/ad-ds/manage/understand-service-accounts
+[SERV-7]: /windows-server/identity/ad-ds/manage/understand-security-groups
+[PREV-1]: /previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770962(v=ws.11)
+[PREV-2]: /previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754178(v=ws.11)
+[PREV-3]: /previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732983(v=ws.11)
+[PREV-4]: /previous-versions/windows/it-pro/windows-8.1-and-8/jj134043(v=ws.11)
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index 1b41b86816..ba0aa757cc 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -1,5 +1,5 @@
---
-ms.date: 08/03/2023
+ms.date: 11/07/2023
title: Local Accounts
description: Learn how to secure and manage access to the resources on a standalone or member server for services or users.
ms.topic: concept-article
@@ -99,7 +99,7 @@ For details about the HelpAssistant account attributes, see the following table.
|Type|User|
|Default container|`CN=Users, DC=
Guests|
+|Default member of|Domain Guests
Guests|
|Protected by ADMINSDHOLDER?|No|
|Safe to move out of default container?|Can be moved out, but we don't recommend it.|
|Safe to delegate management of this group to non-Service admins?|No|
@@ -114,7 +114,7 @@ The DSMA has a well-known RID of `503`. The security identifier (SID) of the DSM
The DSMA is a member of the well-known group **System Managed Accounts Group**, which has a well-known SID of `S-1-5-32-581`.
-The DSMA alias can be granted access to resources during offline staging even before the account itself has been created. The account and the group are created during first boot of the machine within the Security Accounts Manager (SAM).
+The DSMA alias can be granted access to resources during offline staging even before the account itself is created. The account and the group are created during first boot of the machine within the Security Accounts Manager (SAM).
#### How Windows uses the DefaultAccount
@@ -133,10 +133,10 @@ Similarly, Phone auto logs in as a *DefApps* account, which is akin to the stand
In the converged user model, the multi-user-aware apps and multi-user-aware brokers will need to run in a context different from that of the users.
For this purpose, the system creates DSMA.
-#### How the DefaultAccount gets created on domain controllers
+#### How the DefaultAccount is created on domain controllers
-If the domain was created with domain controllers running Windows Server 2016, the DefaultAccount will exist on all domain controllers in the domain.
-If the domain was created with domain controllers running an earlier version of Windows Server, the DefaultAccount will be created after the PDC Emulator role is transferred to a domain controller that runs Windows Server 2016. The DefaultAccount will then be replicated to all other domain controllers in the domain.
+If the domain was created with domain controllers running Windows Server 2016, the DefaultAccount exists on all domain controllers in the domain.
+If the domain was created with domain controllers running an earlier version of Windows Server, the DefaultAccount is created after the PDC Emulator role is transferred to a domain controller that runs Windows Server 2016. The DefaultAccount is then replicated to all other domain controllers in the domain.
#### Recommendations for managing the Default Account (DSMA)
@@ -195,7 +195,7 @@ Each of these approaches is described in the following sections.
User Account Control (UAC) is a security feature that informs you when a program makes a change that requires administrative permissions. UAC works by adjusting the permission level of your user account. By default, UAC is set to notify you when applications try to make changes to your computer, but you can change when UAC notifies you.
-UAC makes it possible for an account with administrative rights to be treated as a standard user non-administrator account until full rights, also called elevation, is requested and approved. For example, UAC lets an administrator enter credentials during a non-administrator's user session to perform occasional administrative tasks without having to switch users, sign out, or use the *Run as* command.
+UAC makes it possible for an account with administrative rights to be treated as a standard user nonadministrator account until full rights, also called elevation, is requested and approved. For example, UAC lets an administrator enter credentials during a nonadministrator's user session to perform occasional administrative tasks without having to switch users, sign out, or use the *Run as* command.
In addition, UAC can require administrators to specifically approve applications that make system-wide changes before those applications are granted permission to run, even in the administrator's user session.
diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md
index 21c87bfeeb..e6e9d95ed6 100644
--- a/windows/security/identity-protection/credential-guard/configure.md
+++ b/windows/security/identity-protection/credential-guard/configure.md
@@ -2,9 +2,6 @@
title: Configure Credential Guard
description: Learn how to configure Credential Guard using MDM, Group Policy, or the registry.
ms.date: 08/31/2023
-ms.collection:
- - highpri
- - tier2
ms.topic: how-to
---
diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md
index 710f148343..0fe80abdd8 100644
--- a/windows/security/identity-protection/credential-guard/index.md
+++ b/windows/security/identity-protection/credential-guard/index.md
@@ -3,9 +3,6 @@ title: Credential Guard overview
description: Learn about Credential Guard and how it isolates secrets so that only privileged system software can access them.
ms.date: 08/31/2023
ms.topic: overview
-ms.collection:
- - highpri
- - tier1
---
# Credential Guard overview
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
index 8a414df385..830d49e11a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
@@ -1,9 +1,6 @@
---
title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario
-ms.collection:
-- highpri
-- tier1
ms.date: 09/07/2023
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
deleted file mode 100644
index 315ce4361f..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
+++ /dev/null
@@ -1,174 +0,0 @@
----
-title: Deploy certificates for remote desktop sign-in
-description: Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials.
-ms.collection:
- - tier1
-ms.topic: how-to
-ms.date: 07/25/2023
----
-
-# Deploy certificates for remote desktop (RDP) sign-in
-
-This document describes Windows Hello for Business functionalities or scenarios that apply to:
-- **Deployment type:** [!INCLUDE [hybrid](./includes/hello-deployment-hybrid.md)]
-- **Trust type:** [!INCLUDE [cloud-kerberos](./includes/hello-trust-cloud-kerberos.md)], [!INCLUDE [key](./includes/hello-trust-key.md)]
-- **Join type:** [!INCLUDE [hello-join-aadj](./includes/hello-join-aad.md)], [!INCLUDE [hello-join-hybrid](./includes/hello-join-hybrid.md)]
----
-
-Windows Hello for Business supports using a certificate as the supplied credential, when establishing a remote desktop connection to another Windows device. This document discusses three approaches for *cloud Kerberos trust* and *key trust* deployments, where authentication certificates can be deployed to an existing Windows Hello for Business user:
-
-- Deploy certificates to hybrid joined devices using an on-premises Active Directory Certificate Services enrollment policy
-- Deploy certificates to hybrid or Microsoft Entra joined devices using Intune
-- Work with third-party PKIs
-
-## Deploy certificates via Active Directory Certificate Services (AD CS)
-
-> [!NOTE]
-> This process is applicable to *Microsoft Entra hybrid joined* devices only.
-
-To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must first create a *certificate template*, and then deploy certificates based on that template.
-
-### Create a Windows Hello for Business certificate template
-
-Follow these steps to create a certificate template:
-
-1. Sign in to your issuing certificate authority (CA) and open *Server Manager*
-1. Select **Tools > Certification Authority**. The Certification Authority Microsoft Management Console (MMC) opens
-1. In the MMC, expand the CA name and right-click **Certificate Templates > Manage**
-1. The Certificate Templates console opens. All of the certificate templates are displayed in the details pane
-1. Right-click the **Smartcard Logon** template and select **Duplicate Template**
-1. Use the following table to configure the template:
-
- | Tab Name | Configurations |
- | --- | --- |
- | *Compatibility* |
|
- | *General* |
|
- | *Extensions* | Verify the **Application Policies** extension includes **Smart Card Logon**|
- | *Subject Name* |
**Note:** If you deploy certificates via Intune, select **Supply in the request** instead of *Build from this Active Directory*.|
- |*Request Handling*|
|
- |*Cryptography*|
|
- |*Security*|Add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them|
-
-1. Select **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates
-1. Close the Certificate Templates console
-1. Open an elevated command prompt and change to a temporary working directory
-1. Execute the following command, replacing `
|
- |*Renewal threshold (%)*|Configure a value of your choosing|
- |*SCEP Server URLs*|Provide the public endpoint(s) that you configured during the deployment of your SCEP infrastructure|
-
-1. Select **Next**
-1. In the *Assignments* panel, assign the policy to a security group that contains as members the devices or users that you want to configure and select **Next**
-1. In the *Applicability Rules* panel, configure issuance restrictions, if needed, and select **Next**
-1. In the *Review + create* panel, review the policy configuration and select **Create**
-
-For more information how to configure SCEP policies, see [Configure SCEP certificate profiles in Intune][MEM-3].
-To configure PKCS policies, see [Configure and use PKCS certificate with Intune][MEM-4].
-
-### Request a certificate for Intune clients
-
-Once the Intune policy is created, targeted clients will request a certificate during their next policy refresh cycle. To validate that the certificate is present in the user store, follow these steps:
-
-1. Sign in to a client targeted by the Intune policy
-1. Open the **Certificates - Current User** Microsoft Management Console (MMC). To do so, you can execute the command `certmgr.msc`
-1. In the left pane of the MMC, expand **Personal** and select **Certificates**
-1. In the right-hand pane of the MMC, check for the new certificate
-
-## Use third-party certification authorities
-
-If you're using a non-Microsoft PKI, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune][MEM-6].
-
-As an alternative to using SCEP or if none of the previously covered solutions will work in your environment, you can manually generate Certificate Signing Requests (CSR) for submission to your PKI. To assist with this approach, you can use the [Generate-CertificateRequest][HTTP-1] PowerShell commandlet.
-
-The `Generate-CertificateRequest` commandlet will generate an *.inf* file for a pre-existing Windows Hello for Business key. The *.inf* can be used to generate a certificate request manually using `certreq.exe`. The commandlet will also generate a *.req* file, which can be submitted to your PKI for a certificate.
-
-## RDP sign-in with Windows Hello for Business certificate authentication
-
-After obtaining a certificate, users can RDP to any Windows devices in the same Active Directory forest as the user's Active Directory account.
-
-> [!NOTE]
-> The certificate chain of the issuing CA must be trusted by the target server.
-
-1. Open the Remote Desktop Client (`mstsc.exe`) on the client where the authentication certificate has been deployed
-1. Attempt an RDP session to a target server
-1. Use the certificate credential protected by your Windows Hello for Business gesture to authenticate
-
-[MEM-1]: /mem/intune/protect/certificates-scep-configure
-[MEM-2]: /mem/intune/protect/certificates-pfx-configure
-[MEM-3]: /mem/intune/protect/certificates-profile-scep
-[MEM-4]: /mem/intune/protect/certificates-pfx-configure
-[MEM-5]: /mem/intune/protect/certificates-trusted-root
-[MEM-6]: /mem/intune/protect/certificate-authority-add-scep-overview
-
-[HTTP-1]: https://www.powershellgallery.com/packages/Generate-CertificateRequest
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml
index 661971662b..6f42bde365 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@@ -4,11 +4,8 @@ metadata:
description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business.
author: paolomatarazzo
ms.author: paoloma
- ms.collection:
- - highpri
- - tier1
ms.topic: faq
- ms.date: 08/03/2023
+ ms.date: 12/08/2023
title: Common questions about Windows Hello for Business
summary: Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows Hello for Business.
@@ -245,7 +242,7 @@ sections:
- attempting to access on-premises resources secured by Active Directory
- question: Can I use RDP/VDI with Windows Hello for Business cloud Kerberos trust?
answer: |
- Windows Hello for Business cloud Kerberos trust can't be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP with [Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard) or if a [certificate is enrolled into Windows Hello for Business](hello-deployment-rdp-certs.md) for this purpose.
+ Windows Hello for Business cloud Kerberos trust can't be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP with [Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard) or if a [certificate is enrolled into Windows Hello for Business](rdp-sign-in.md) for this purpose.
- question: Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud Kerberos trust?
answer: |
No, only the number necessary to handle the load from all cloud Kerberos trust devices.
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index bf642eef73..5dda9f66b2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -1,9 +1,6 @@
---
title: PIN reset
description: Learn how Microsoft PIN reset service enables your users to recover a forgotten Windows Hello for Business PIN.
-ms.collection:
- - highpri
- - tier1
ms.date: 08/15/2023
ms.topic: how-to
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
deleted file mode 100644
index 8e7e89b38e..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: Remote Desktop
-description: Learn how Windows Hello for Business supports using biometrics with remote desktop
-ms.date: 09/01/2023
-ms.topic: conceptual
-ms.collection:
-- tier1
----
-
-# Remote Desktop
-
-**Requirements**
-
-- Hybrid and On-premises Windows Hello for Business deployments
-- Microsoft Entra joined, Microsoft Entra hybrid joined, and Enterprise joined devices
-
-Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Windows Hello for Business key trust can be used with [Remote Credential Guard](../remote-credential-guard.md) to establish a remote desktop protocol connection.
-
-Microsoft continues to investigate supporting using keys trust for supplied credentials in a future release.
-
-## Remote Desktop with Biometrics
-
-**Requirements**
-
-- Hybrid and On-premises Windows Hello for Business deployments
-- Microsoft Entra joined, Microsoft Entra hybrid joined, and Enterprise joined devices
-- Biometric enrollments
-
-The ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric is on by default.
-
-### How does it work
-
-Windows generates and stores cryptographic keys using a software component called a key storage provider (KSP). Software-based keys are created and stored using the Microsoft Software Key Storage Provider. Smart card keys are created and stored using the Microsoft Smart Card Key Storage Provider. Keys created and protected by Windows Hello for Business are created and stored using the Microsoft Passport Key Storage Provider.
-
-A certificate on a smart card starts with creating an asymmetric key pair using the Microsoft Smart Card KSP. Windows requests a certificate based on the key pair from your enterprises issuing certificate authority, which returns a certificate that is stored in the user's Personal certificate store. The private key remains on the smart card and the public key is stored with the certificate. Metadata on the certificate (and the key) stores the key storage provider used to create the key (remember the certificate contains the public key).
-
-The same concept applies to Windows Hello for Business, except that the keys are created using the Microsoft Passport KSP. The user's private key remains protected by the device's security module (TPM) and the user's gesture (PIN/biometric). The certificate APIs hide the complexity. When an application uses a certificate, the certificate APIs locate the keys using the saved key storage provider. The key storage providers direct the certificate APIs on which provider they use to find the private key associated with the certificate. This is how Windows knows you have a smart card certificate without the smart card inserted (and prompts you to insert the smart card).
-
-Windows Hello for Business emulates a smart card for application compatibility, and the Microsoft Passport KSP prompts the user for their biometric gesture or PIN.
-
-### Compatibility
-
-Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates. You can relax knowing a Group Policy setting and a [MDM URI](/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it.
-
-> [!div class="mx-imgBorder"]
-> 
-
-> [!IMPORTANT]
-> The remote desktop with biometric feature does not work with [Dual Enrollment](hello-feature-dual-enrollment.md) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index fab3db4894..c522b57d52 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -79,45 +79,45 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync
2. Select **Sign in to Graph Explorer** and provide Azure credentials.
-> [!NOTE]
-> To successfully query the Graph API, adequate [permissions](/graph/api/user-get?) must be granted.
+ > [!NOTE]
+ > To successfully query the Graph API, adequate [permissions](/graph/api/user-get?) must be granted.
3. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You'll now be prompted for delegated permissions consent.
4. In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Microsoft Entra ID. Select **Run query**.
-> [!NOTE]
-> Because the v1.0 endpoint of the Graph API only provides a limited set of parameters, we will use the $select [Optional OData query parameter](/graph/api/user-get?). For convenience, it is possible to switch the API version selector from **v1.0** to **beta** before performing the query. This will provide all available user information, but remember, **beta** endpoint queries should not be used in production scenarios.
+ > [!NOTE]
+ > Because the v1.0 endpoint of the Graph API only provides a limited set of parameters, we will use the $select [Optional OData query parameter](/graph/api/user-get?). For convenience, it is possible to switch the API version selector from **v1.0** to **beta** before performing the query. This will provide all available user information, but remember, **beta** endpoint queries should not be used in production scenarios.
-#### Request
+ #### Request
-
-```msgraph-interactive
-GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}?$select=displayName,userPrincipalName,onPremisesDistinguishedName
-```
+
+ ```msgraph-interactive
+ GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}?$select=displayName,userPrincipalName,onPremisesDistinguishedName
+ ```
5. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute isn't synchronized the value will be **null**.
-#### Response
-
-```http
-HTTP/1.1 200 OK
-Content-type: application/json
+ #### Response
+
+ ```http
+ HTTP/1.1 200 OK
+ Content-type: application/json
-{
- "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(displayName,userPrincipalName,onPremisesDistinguishedName)/$entity",
- "displayName": "Nestor Wilke",
- "userPrincipalName": "NestorW@contoso.com",
- "onPremisesDistinguishedName" : "CN=Nestor Wilke,OU=Operations,DC=contoso,DC=com"
-}
-```
+ {
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(displayName,userPrincipalName,onPremisesDistinguishedName)/$entity",
+ "displayName": "Nestor Wilke",
+ "userPrincipalName": "NestorW@contoso.com",
+ "onPremisesDistinguishedName" : "CN=Nestor Wilke,OU=Operations,DC=contoso,DC=com"
+ }
+ ```
## Prepare the Network Device Enrollment Services (NDES) Service Account
@@ -250,7 +250,7 @@ Sign-in to the issuing certificate authority with access equivalent to _local ad
1. Open an elevated command prompt and type the following command:
- ```console
+ ```cmd
certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
```
@@ -428,13 +428,13 @@ Sign-in the NDES server with access equivalent to _Domain Admins_.
2. Type the following command to register the service principal name
- ```console
+ ```cmd
setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount]
```
where **[FqdnOfNdesServer]** is the fully qualified domain name of the NDES server and **[DomainName\NdesServiceAccount]** is the domain name and NDES service account name separated by a backslash (\\). An example of the command looks like the following:
- ```console
+ ```cmd
setspn -s http/ndes.corp.contoso.com contoso\ndessvc
```
@@ -486,7 +486,7 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
> [!NOTE]
> If you closed Server Manger from the last set of tasks, start Server Manager and click the action flag that shows a yellow exclamation point.
-
+:::image type="content" alt-text="Server Manager Post-Install Yellow flag." source="images/aadjcert/servermanager-post-ndes-yellowactionflag.png" lightbox="images/aadjcert/servermanager-post-ndes-yellowactionflag.png":::
1. Select the **Configure Active Directory Certificate Services on the destination server** link.
@@ -544,13 +544,13 @@ Sign-in to the NDES Server with _local administrator_ equivalent credentials.
3. Type the following command:
- ```console
+ ```cmd
reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName]
```
where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Microsoft Entra joined devices. Example:
- ```console
+ ```cmd
reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication
```
@@ -583,7 +583,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
4. Select **Download connector service**. Select **Accept terms & Download**. Save the file (AADApplicationProxyConnectorInstaller.exe) in a location accessible by others on the domain.
- 
+ :::image type="content" alt-text="Azure Application Proxy Connectors." source="images/aadjcert/azureconsole-applicationproxy-connectors-empty.png" lightbox="images/aadjcert/azureconsole-applicationproxy-connectors-empty.png":::
5. Sign-in the computer that will run the connector with access equivalent to a _domain user_.
@@ -616,11 +616,11 @@ Sign-in a workstation with access equivalent to a _domain user_.
3. Under **MANAGE**, select **Application proxy**.
- 
+ :::image type="content" alt-text="Azure Application Proxy Connector groups." source="images/aadjcert/azureconsole-applicationproxy-connectors-default.png" lightbox="images/aadjcert/azureconsole-applicationproxy-connectors-default.png":::
4. Select **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**.
- 
+ :::image type="content" alt-text="Azure Application New Connector Group." source="images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png" lightbox="images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png":::
5. Select each connector agent in the **Connectors** list that will service Windows Hello for Business certificate enrollment requests.
@@ -644,7 +644,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
7. Under **Internal URL**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Microsoft Entra application proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Microsoft Entra application proxy. It's recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Microsoft Entra tenant name (-mstephendemo.msappproxy.net).
- 
+ :::image type="content" alt-text="Azure NDES Application Proxy Configuration." source="images/aadjcert/azureconsole-appproxyconfig.png" lightbox="images/aadjcert/azureconsole-appproxyconfig.png":::
8. Select **Passthrough** from the **Pre Authentication** list.
@@ -699,7 +699,7 @@ Sign-in the NDES server with access equivalent to _local administrator_.
2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**.
- 
+ :::image type="content" alt-text="NDES IIS Console" source="images/aadjcert/ndes-iis-console.png" lightbox="images/aadjcert/ndes-iis-console.png":::
3. Select **Bindings...** under **Actions**. Select **Add**.
@@ -771,7 +771,7 @@ Sign-in the NDES server with access equivalent to _local administrator_.
3. In the content pane, double-click **Request Filtering**. Select **Edit Feature Settings...** in the action pane.
- 
+ :::image type="content" alt-text="Intune NDES Request filtering." source="images/aadjcert/NDES-IIS-RequestFiltering.png" lightbox="images/aadjcert/NDES-IIS-RequestFiltering.png":::
4. Select **Allow unlisted file name extensions**.
@@ -793,7 +793,7 @@ Sign-in the NDES server with access equivalent to _local administrator_.
2. Run the following commands:
- ```console
+ ```cmd
reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534
reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534
```
@@ -842,7 +842,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
7. Select **Assigned** from the **Membership type** list.
- 
+ :::image type="content" alt-text="Microsoft Entra new group creation." source="images/aadjcert/azureadcreatewhfbcertgroup.png" lightbox="images/aadjcert/azureadcreatewhfbcertgroup.png":::
8. Select **Members**. Use the **Select members** pane to add members to this group. When finished, select **Select**.
@@ -879,9 +879,10 @@ Sign-in a workstation with access equivalent to a _domain user_.
11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
- > [!NOTE]
- > If the distinguished name contains special characters like a plus sign ("+"), comma (","), semicolon (";"), or equal sign ("="), the bracketed name must be enclosed in quotation marks: CN=”{{OnPrem_Distinguished_Name}}”.
- > If the length of the distinguished name is more than 64 characters, the name length enforcement on the Certification Authority [must be disabled](/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement).
+ > [!NOTE]
+ > If the distinguished name contains special characters like a plus sign ("+"), comma (","), semicolon (";"), or equal sign ("="), the bracketed name must be enclosed in quotation marks: `CN="{{OnPrem_Distinguished_Name}}"`.
+ >
+ > If the length of the distinguished name is more than 64 characters, the name length enforcement on the Certification Authority [must be disabled](/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement).
12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}.
@@ -893,7 +894,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
- 
+ :::image type="content" alt-text="WHFB SCEP certificate Profile EKUs." source="images/aadjcert/profile03.png" lightbox="images/aadjcert/profile03.png":::
17. Under **SCEP Server URLs**, type the fully qualified external name of the Microsoft Entra application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, ```https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll```. Select **Add**. Repeat this step for each additional NDES Microsoft Entra application proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
@@ -915,7 +916,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
5. In the **Assignments** pane, select **Selected Groups** from the **Assign to** list. Select **Select groups to include**.
- 
+ :::image type="content" alt-text="WHFB SCEP Profile Assignment." source="images/aadjcert/profile04.png" lightbox="images/aadjcert/profile04.png":::
6. Select the **AADJ WHFB Certificate Users** group. Select **Select**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index ea4c5a3119..61dffe9d37 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -3,8 +3,6 @@ ms.date: 10/09/2023
title: Windows Hello for Business Deployment Prerequisite Overview
description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
ms.topic: overview
-ms.collection:
-- tier1
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index 999b35f45b..896453d0bf 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -1,9 +1,6 @@
---
title: Manage Windows Hello in your organization
description: Learn how to create a Group Policy or mobile device management (MDM) policy to configure and deploy Windows Hello for Business.
-ms.collection:
- - highpri
- - tier1
ms.date: 9/25/2023
ms.topic: reference
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
index f137de379f..6be7e8008f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
@@ -1,9 +1,6 @@
---
title: Why a PIN is better than an online password
description: Windows Hello enables users to sign in to their devices using a PIN. Learn how is a PIN different from (and better than) an online password.
-ms.collection:
- - highpri
- - tier1
ms.date: 03/15/2023
ms.topic: conceptual
---
diff --git a/windows/security/identity-protection/hello-for-business/images/rdp/rdc-entra-hybrid-joined.png b/windows/security/identity-protection/hello-for-business/images/rdp/rdc-entra-hybrid-joined.png
new file mode 100644
index 0000000000..4568a5e133
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/rdp/rdc-entra-hybrid-joined.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/rdp/rdc-entra-joined.png b/windows/security/identity-protection/hello-for-business/images/rdp/rdc-entra-joined.png
new file mode 100644
index 0000000000..350e54538c
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/rdp/rdc-entra-joined.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/rdp/rdp-certificate-template.png b/windows/security/identity-protection/hello-for-business/images/rdp/rdp-certificate-template.png
new file mode 100644
index 0000000000..c9f5e34fbd
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/rdp/rdp-certificate-template.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/rdpbio/RDPBioPolicySetting.png b/windows/security/identity-protection/hello-for-business/images/rdpbio/RDPBioPolicySetting.png
deleted file mode 100644
index 06a2ab8543..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/rdpbio/RDPBioPolicySetting.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/index.md b/windows/security/identity-protection/hello-for-business/index.md
index 953074993d..e0be2b5b93 100644
--- a/windows/security/identity-protection/hello-for-business/index.md
+++ b/windows/security/identity-protection/hello-for-business/index.md
@@ -1,9 +1,6 @@
---
title: Windows Hello for Business Overview
description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on Windows devices.
-ms.collection:
- - highpri
- - tier1
ms.topic: overview
ms.date: 04/24/2023
---
diff --git a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
new file mode 100644
index 0000000000..f3b6b984fe
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
@@ -0,0 +1,296 @@
+---
+title: Remote Desktop sign-in with Windows Hello for Business
+description: Learn how to configure Remote Desktop (RDP) sign-in with Windows Hello for Business.
+ms.date: 12/11/2023
+ms.topic: how-to
+---
+
+# Remote Desktop sign-in with Windows Hello for Business
+
+You can use Windows Hello for Business to sign in to a remote desktop session, using the redirected smart card capabilities of the Remote Desktop Protocol (RDP). This is possible by deploying a certificate to the user's device, which is then used as the supplied credential when establishing the RDP connection to another Windows device.
+
+This article describes two certificate deployment approaches, where authentication certificates are deployed to the Windows Hello for Business container:
+
+- Using Microsoft Intune with SCEP or PKCS connectors
+- Using an Active Directory Certificate Services (AD CS) enrollment policy
+
+> [!TIP]
+> Consider using Remote Credential Guard instead of Windows Hello for Business for RDP sign-in. Remote Credential Guard provides single sign-on (SSO) to RDP sessions using Kerberos authentication, and doesn't require the deployment of certificates. For more information, see [Remote Credential Guard](../remote-credential-guard.md).
+
+## How it works
+
+Windows generates and stores cryptographic keys using a software component called a *key storage provider* (KSP):
+
+- Software-based keys are created and stored using the *Microsoft Software Key Storage Provider*
+- Smart card keys are created and stored using the *Microsoft Smart Card Key Storage Provider*
+- Keys created and protected by Windows Hello for Business are created and stored using the *Microsoft Passport Key Storage Provider*
+
+A certificate on a smart card starts with creating an asymmetric key pair using the Microsoft Smart Card KSP. Windows requests a certificate based on the key pair from your enterprises issuing certificate authority, which returns a certificate that is stored in the user's Personal certificate store. The private key remains on the smart card and the public key is stored with the certificate. Metadata on the certificate (and the key) stores the key storage provider used to create the key (remember the certificate contains the public key).
+
+The same concept applies to Windows Hello for Business, except that the keys are created using the Microsoft Passport KSP. The user's private key remains protected by the device's security module (TPM) and the user's gesture (PIN/biometric). The certificate APIs hide the complexity. When an application uses a certificate, the certificate APIs locate the keys using the saved key storage provider. The key storage providers direct the certificate APIs on which provider they use to find the private key associated with the certificate. This is how Windows knows you have a smart card certificate without the smart card inserted, and prompts you to insert the smart card.
+
+Windows Hello for Business emulates a smart card for application compatibility, and the Microsoft Passport KSP prompts the user for their biometric gesture or PIN.
+
+> [!NOTE]
+> Remote Desktop with biometric doesn't work with [Dual Enrollment](hello-feature-dual-enrollment.md) or scenarios where the user provides alternative credentials.
+
+## Requirements
+
+Here's a list of requirements to enable RDP sign-in with Windows Hello for Business:
+
+> [!div class="checklist"]
+> * A PKI infrastructure based on AD CS or third-party
+> * Windows Hello for Business deployed to the clients
+> * If you plan to support Microsoft Entra joined devices, the domain controllers must have a certificate, which serves as a *root of trust* for the clients. The certificate ensures that clients don't communicate with rogue domain controllers
+
+If you plan to deploy certificates using Microsoft Intune, here are more requirements:
+
+> [!div class="checklist"]
+> * Ensure you have the infrastructure to support either [SCEP][MEM-1] or [PKCS][MEM-2] deployment
+> * Deploy the root CA certificate and any other intermediate certificate authority certificates to Microsoft Entra joined Devices using a [Trusted root certificate policy][MEM-5]
+
+## Create a certificate template
+
+The process of creating a certificate template is applicable to scenarios where you use an on-premises Active Directory Certificate Services (AD CS) infrastructure.\
+You must first create a certificate template, and then deploy certificates based on that template to the Windows Hello for Business container.
+
+The certificate template configuration is different depending on whether you deploy certificates using Microsoft Intune or an Active Directory enrollment policy. Select the option that best suits your needs.
+
+# [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Microsoft Intune**](#tab/intune)
+
+1. Sign in to your issuing certificate authority (CA) and open *Server Manager*
+1. Select **Tools > Certification Authority**. The Certification Authority Microsoft Management Console (MMC) opens
+1. In the MMC, expand the CA name and right-click **Certificate Templates > Manage**
+1. The Certificate Templates console opens. All of the certificate templates are displayed in the details pane
+1. Right-click the **Smartcard Logon** template and select **Duplicate Template**
+1. Use the following table to configure the template:
+
+ | Tab Name | Configurations |
+ | --- | --- |
+ | *Compatibility* |
|
+ | *General* |
|
+ | *Extensions* | Verify the **Application Policies** extension includes **Smart Card Logon**.|
+ | *Subject Name* | Select **Supply in the request**.|
+ |*Request Handling*|
**Note:** If you deploy certificates with a PKCS profile, select the option **Allow private key to be exported**|
+ |*Cryptography*|
|
+ | *General* |
|
+ | *Extensions* | Verify the **Application Policies** extension includes **Smart Card Logon**|
+ | *Subject Name* |
|
+ |*Request Handling*|
|
+ |*Cryptography*|
**Note:** if there's a mismatch between the user UPN suffix and the Active Directory domain FQDN, use `CN={{OnPrem_Distinguished_Name}}` instead.|
+ |*Subject alternative name* |From the dropdown, select **User principal name (UPN)** with a value of `{{UserPrincipalName}}`|
+ |*Certificate validity period* | Configure a value of your choosing|
+ |*Key storage provider (KSP)* | **Enroll to Windows Hello for Business, otherwise fail**|
+ |*Key usage*| **Digital Signature**|
+ |*Key size (bits)* | **2048**|
+ |*For Hash algorithm*|**SHA-2**|
+ |*Root Certificate*| Select **+Root Certificate** and select the trusted certificate profile created earlier for the Root CA Certificate|
+ |*Extended key usage*|
|
+ |*Renewal threshold (%)*|Configure a value of your choosing|
+ |*SCEP Server URLs*|Provide the public endpoint(s) that you configured during the deployment of your SCEP infrastructure|
+
+1. Select **Next**
+1. In the *Assignments* panel, assign the policy to a security group that contains as members the devices or users that you want to configure and select **Next**
+1. In the *Applicability Rules* panel, configure issuance restrictions, if needed, and select **Next**
+1. In the *Review + create* panel, review the policy configuration and select **Create**
+
+For more information how to configure SCEP policies, see [Configure SCEP certificate profiles in Intune][MEM-3].
+To configure PKCS policies, see [Configure and use PKCS certificate with Intune][MEM-4].
+
+> [!CAUTION]
+>
+> If you deploy certificates via Intune and configure Windows Hello for Business via group policy, the devices will fail to obtain a certificate, logging the error code `0x82ab0011` in the `DeviceManagement-Enterprise-Diagnostic-Provider` log.\
+> To avoid the error, configure Windows Hello for Business via Intune instead of group policy.
+
+# [:::image type="icon" source="../../images/icons/certificate.svg" border="false"::: **AD CS policy**](#tab/adcs)
+
+Here are the steps to manually request a certificate using an Active Directory Certificate Services enrollment policy:
+
+1. Sign in to a client that is Microsoft Entra hybrid joined, ensuring that the client has line of sight to a domain controller and the issuing CA
+1. Open the **Certificates - Current User** Microsoft Management Console (MMC). To do so, you can execute the command `certmgr.msc`
+1. In the left pane of the MMC, right-click **Personal > All Tasks > Request New Certificate…**
+1. On the Certificate Enrollment screen, select **Next**
+1. Under *Select Certificate Enrollment Policy*, select **Active Directory Enrollment Policy > Next**
+1. Under *Request Certificates*, select the check-box for the certificate template you created in the previous section (*WHfB Certificate Authentication*) and then select **Enroll**
+1. After a successful certificate request, select **Finish** on the Certificate Installation Results screen
+
+---
+
+## Use third-party certification authorities
+
+If you're using a non-Microsoft PKI, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune][MEM-6].
+
+As an alternative to using SCEP, or if none of the previously covered solutions work in your environment, you can manually generate Certificate Signing Requests (CSR) for submission to your PKI. To assist with this approach, you can use the [Generate-CertificateRequest][HTTP-1] PowerShell commandlet.
+
+The `Generate-CertificateRequest` commandlet generates an `.inf` file for a pre-existing Windows Hello for Business key. The `.inf` can be used to generate a certificate request manually using `certreq.exe`. The commandlet also generates a `.req` file, which can be submitted to your PKI for a certificate.
+
+## Verify that the certificate is deployed
+
+To verify that the certificate is correctly deployed to the Windows Hello for Business container, use the following command:
+
+```cmd
+certutil -store -user my
+```
+
+The output lists keys and certificates stored in the user store. If a certificate issued from your CA is deployed to the Windows Hello for Business container, the output displays the certificate with a `Provider` value of `Microsoft Passport Key Storage Provider`.
+
+For example:
+
+```cmd
+C:\Users\amanda.brady>certutil -store -user my
+my "Personal"
+================ Certificate 0 ================
+Serial Number: 110000001f4c4eccc46fc8f93a00000000001f
+Issuer: CN=Contoso - Issuing CA, DC=CONTOSO, DC=COM
+ NotBefore: 12/8/2023 6:16 AM
+ NotAfter: 12/7/2024 6:16 AM
+Subject: CN=amanda.brady@contoso.com
+Non-root Certificate
+Template: 1.3.6.1.4.1.311.21.8.2835349.12167323.7094945.1118853.678601.83.11484210.8005739
+Cert Hash(sha1): 63c6ce5fc512933179d3c0a5e94ecba98092f93d
+Key Container = S-1-12-1-../../login.windows.net/../amanda.brady@contoso.com
+Provider = Microsoft Passport Key Storage Provider
+Private key is NOT exportable
+Encryption test passed
+```
+
+## User experience
+
+Once users obtain their certificate, they can RDP to any Windows devices in the same Active Directory forest as the users' Active Directory account by opening Remote Desktop Connection (`mstsc.exe`). When connecting to the remote host, they're prompted to use Windows Hello for Business to unlock the private key of the certificate.
+
+:::row:::
+ :::column span="2":::
+ **Microsoft Entra joined device**
+
+ The user can authenticate using any available Windows Hello unlock gestures, including biometrics.
+ :::column-end:::
+ :::column span="2":::
+ **Microsoft Entra hybrid joined device**
+
+ The credential prompt identifies the Windows Hello credential provider as *Security device credential*. The user must use the PIN credential provider to unlock.
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="2":::
+ :::image type="content" source="images/rdp/rdc-entra-joined.png" alt-text="Screenshot of Remote Desktop Connection authentication prompt using biometrics." border="false":::
+ :::column-end:::
+ :::column span="2":::
+ :::image type="content" source="images/rdp/rdc-entra-hybrid-joined.png" alt-text="Screenshot of Remote Desktop Connection authentication prompt using a PIN." border="false":::
+ :::column-end:::
+:::row-end:::
+
+Here's a brief video showing the user experience from a Microsoft Entra joined device using fingerprint as unlock factor:
+
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=b6e1038d-98b5-48dc-8afb-65523d12cfaf]
+
+> [!NOTE]
+> The user must be authorized to connect to the remote server using the Remote Desktop protocol, for example by being a member of the Remote Desktop Users local group on the remote host.
+
+## Compatibility
+
+While users appreciate the convenience of biometrics, and administrators value the security, you might experience compatibility issues with applications and Windows Hello for Business certificates. In such scenarios, you can deploy a policy setting to revert to the previous behavior for the users needing it.
+
+### Use Windows Hello for Business certificates as smart card certificates
+
+If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates.
+
+If you disable or don't configure this policy setting, applications don't use Windows Hello for Business certificates as smart card certificates. Biometric factors are available when a user is asked to authorize the use of the certificate's private key.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[UseHelloCertificatesAsSmartCardCertificates][WIN-1]|
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** |
+
+
+
+[MEM-1]: /mem/intune/protect/certificates-scep-configure
+[MEM-2]: /mem/intune/protect/certificates-pfx-configure
+[MEM-3]: /mem/intune/protect/certificates-profile-scep
+[MEM-4]: /mem/intune/protect/certificates-pfx-configure
+[MEM-5]: /mem/intune/protect/certificates-trusted-root
+[MEM-6]: /mem/intune/protect/certificate-authority-add-scep-overview
+
+[HTTP-1]: https://www.powershellgallery.com/packages/Generate-CertificateRequest
+
+[WIN-1]: /windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesusehellocertificatesassmartcardcertificates
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
index ee0f2774a8..5730fe943f 100644
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -96,8 +96,6 @@ items:
href: hello-cert-trust-policy-settings.md
- name: Planning for Domain Controller load
href: hello-adequate-domain-controllers.md
- - name: Deploy certificates for remote desktop (RDP) sign-in
- href: hello-deployment-rdp-certs.md
- name: How-to Guides
items:
- name: Prepare people to use Windows Hello
@@ -119,7 +117,7 @@ items:
- name: Multi-factor Unlock
href: feature-multifactor-unlock.md
- name: Remote desktop (RDP) sign-in
- href: hello-feature-remote-desktop.md
+ href: rdp-sign-in.md
- name: Troubleshooting
items:
- name: Known deployment issues
diff --git a/windows/security/identity-protection/images/remote-credential-guard.gif b/windows/security/identity-protection/images/remote-credential-guard.gif
deleted file mode 100644
index effe8a4bc2..0000000000
Binary files a/windows/security/identity-protection/images/remote-credential-guard.gif and /dev/null differ
diff --git a/windows/security/identity-protection/passkeys/includes/create-passkey.md b/windows/security/identity-protection/passkeys/includes/create-passkey.md
new file mode 100644
index 0000000000..f5ec391065
--- /dev/null
+++ b/windows/security/identity-protection/passkeys/includes/create-passkey.md
@@ -0,0 +1,29 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 11/07/2023
+ms.topic: include
+---
+
+:::row:::
+ :::column span="4":::
+
+ 1. Open a website or app that supports passkeys
+
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="4":::
+
+ 2. Create a passkey from your account settings
+
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+ 3. Select the option **Use another device** > **Next**
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="../images/save-passkey.png" alt-text="Screenshot showing a dialog box prompting the user to pick a location to store the passkey." lightbox="../images/save-passkey.png" border="false":::
+ :::column-end:::
+:::row-end:::
diff --git a/windows/security/identity-protection/passkeys/includes/use-passkey.md b/windows/security/identity-protection/passkeys/includes/use-passkey.md
new file mode 100644
index 0000000000..39aa37f431
--- /dev/null
+++ b/windows/security/identity-protection/passkeys/includes/use-passkey.md
@@ -0,0 +1,30 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 11/07/2023
+ms.topic: include
+---
+
+:::row:::
+ :::column span="3":::
+ 1. Open a website or app that supports passkeys
+ :::column-end:::
+ :::column span="1":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+ 2. Select **Sign in with a passkey**, or a similar option
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="../images/website.png" alt-text="Screenshot of a website offering the passkey sign in option." lightbox="../images/website.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+ 3. Select the option **Use another device** > **Next**
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="../images/use-passkey.png" alt-text="Screenshot of the passkey dialog prompting the user to pick where the passkey is stored." lightbox="../images/use-passkey.png" border="false":::
+ :::column-end:::
+:::row-end:::
\ No newline at end of file
diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md
index 40d33d3ed3..44f695a852 100644
--- a/windows/security/identity-protection/passkeys/index.md
+++ b/windows/security/identity-protection/passkeys/index.md
@@ -2,10 +2,9 @@
title: Support for passkeys in Windows
description: Learn about passkeys and how to use them on Windows devices.
ms.collection:
-- highpri
- tier1
-ms.topic: article
-ms.date: 09/27/2023
+ms.topic: overview
+ms.date: 11/07/2023
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -40,50 +39,23 @@ Passkeys have several advantages over passwords, including their ease of use and
### Create a passkey
-Follow these steps to create a passkey from a Windows device:
+By default, Windows offers to save the passkey locally on the **Windows device**, in which case the passkey is protected by Windows Hello (biometrics and PIN). You can also choose to save the passkey in one of the following locations:
-:::row:::
- :::column span="4":::
-
- 1. Open a website or app that supports passkeys
-
- :::column-end:::
-:::row-end:::
-:::row:::
- :::column span="4":::
-
- 2. Create a passkey from your account settings
-
- :::column-end:::
-:::row-end:::
-:::row:::
- :::column span="4":::
- 3. Choose where to save the passkey. By default, Windows offers to save the passkey locally if you're using Windows Hello or Windows Hello for Business. If you select the option **Use another device**, you can choose to save the passkey in one of the following locations:
- :::column-end:::
-:::row-end:::
-:::row:::
- :::column span="3":::
-
-- **This Windows device**: the passkey is saved locally on your Windows device, and protected by Windows Hello (biometrics and PIN)
- **iPhone, iPad or Android device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires you to scan a QR code with your phone or tablet, which must be in proximity of the Windows device
- **Linked device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires the linked device to be in proximity of the Windows device, and it's only supported for Android devices
- **Security key**: the passkey is saved to a FIDO2 security key, protected by the key's unlock mechanism (for example, biometrics or PIN)
- :::column-end:::
- :::column span="1":::
- :::image type="content" source="images/save-passkey.png" alt-text="Screenshot showing a dialog box prompting the user to pick a location to store the passkey." lightbox="images/save-passkey.png" border="false":::
- :::column-end:::
-:::row-end:::
-:::row:::
- :::column span="4":::
- 4. Select **Next**
- :::column-end:::
-:::row-end:::
-
Pick one of the following options to learn how to save a passkey, based on where you want to store it.
#### [:::image type="icon" source="images/laptop.svg" border="false"::: **Windows device**](#tab/windows)
+[!INCLUDE [use-passkey](includes/create-passkey.md)]
+
+:::row:::
+ :::column span="4":::
+ 4. Select **This Windows device** > **Next**
+ :::column-end:::
+:::row-end:::
:::row:::
:::column span="3":::
@@ -107,6 +79,13 @@ Pick one of the following options to learn how to save a passkey, based on where
#### [:::image type="icon" source="images/qr-code.svg" border="false"::: **New phone or tablet**](#tab/mobile)
+[!INCLUDE [use-passkey](includes/create-passkey.md)]
+
+:::row:::
+ :::column span="4":::
+ 4. Select **iPhone, iPad or Android device** > **Next**
+ :::column-end:::
+:::row-end:::
:::row:::
:::column span="3":::
@@ -130,6 +109,13 @@ Pick one of the following options to learn how to save a passkey, based on where
#### [:::image type="icon" source="images/phone.svg" border="false"::: **Linked phone or tablet**](#tab/linked)
+[!INCLUDE [use-passkey](includes/create-passkey.md)]
+
+:::row:::
+ :::column span="4":::
+ 4. Select your linked device name (e.g. **Pixel**) > **Next**
+ :::column-end:::
+:::row-end:::
:::row:::
:::column span="3":::
@@ -153,6 +139,13 @@ Pick one of the following options to learn how to save a passkey, based on where
#### [:::image type="icon" source="images/usb.svg" border="false"::: **Security key**](#tab/key)
+[!INCLUDE [use-passkey](includes/create-passkey.md)]
+
+:::row:::
+ :::column span="4":::
+ 4. Select **Security key** > **Next**
+ :::column-end:::
+:::row-end:::
:::row:::
:::column span="3":::
@@ -178,48 +171,27 @@ Pick one of the following options to learn how to save a passkey, based on where
### Use a passkey
-Follow these steps to use a passkey:
+When you open a website or app that supports passkeys, if a passkey is stored locally, you're automatically prompted to use Windows Hello to sign in. You can also choose to use a passkey from one of the following locations:
-:::row:::
- :::column span="3":::
- 1. Open a website or app that supports passkeys
- :::column-end:::
- :::column span="1":::
- :::column-end:::
-:::row-end:::
-:::row:::
- :::column span="3":::
- 2. Select **Sign in with a passkey**, or a similar option
- :::column-end:::
- :::column span="1":::
- :::image type="content" source="images/website.png" alt-text="Screenshot of a website offering the passkey sign in option." lightbox="images/website.png" border="false":::
- :::column-end:::
-:::row-end:::
-:::row:::
- :::column span="3":::
- 3. If a passkey is stored locally and protected by Windows Hello, you're prompted to use Windows Hello to sign in. If you select the option **Use another device**, you can choose one of the following options:
- :::column-end:::
-:::row-end:::
-:::row:::
- :::column span="3":::
-- **This Windows device**: use this option to use a passkey that is stored locally on your Windows device, and protected by Windows Hello
- **iPhone, iPad or Android device**: use this option if you want to sign in with a passkey stored on a phone or tablet. This option requires you to scan a QR code with your phone or tablet, which must be in proximity of the Windows device
- **Linked device**: use this option if you want to sign in with a passkey stored on a device that is in proximity of the Windows device. This option is only supported for Android devices
- **Security key**: use this option if you want to sign in with a passkey stored on a FIDO2 security key
- :::column-end:::
- :::column span="1":::
- :::image type="content" source="images/use-passkey.png" alt-text="Screenshot of the passkey dialog prompting the user to pick where the passkey is stored." lightbox="images/use-passkey.png" border="false":::
- :::column-end:::
-:::row-end:::
Pick one of the following options to learn how to use a passkey, based on where you saved it.
#### [:::image type="icon" source="images/laptop.svg" border="false"::: **Windows device**](#tab/windows)
+[!INCLUDE [use-passkey](includes/use-passkey.md)]
+
+:::row:::
+ :::column span="4":::
+ 4. Select **This Windows device** > **Next**
+ :::column-end:::
+:::row-end:::
:::row:::
:::column span="3":::
- 4. Select a Windows Hello unlock option
+ 5. Select a Windows Hello unlock option
:::column-end:::
:::column span="1":::
@@ -229,7 +201,7 @@ Pick one of the following options to learn how to use a passkey, based on where
:::row:::
:::column span="3":::
- 5. Select **OK** to continue signing in
+ 6. Select **OK** to continue signing in
:::column-end:::
:::column span="1":::
@@ -238,10 +210,17 @@ Pick one of the following options to learn how to use a passkey, based on where
#### [:::image type="icon" source="images/qr-code.svg" border="false"::: **Phone or tablet**](#tab/mobile)
+[!INCLUDE [use-passkey](includes/use-passkey.md)]
+
+:::row:::
+ :::column span="4":::
+ 4. Select **iPhone, iPad or Android device** > **Next**
+ :::column-end:::
+:::row-end:::
:::row:::
:::column span="3":::
- 4. Scan the QR code with your phone or tablet where you saved the passkey. Once the connection to the device is established, follow the instructions to use the passkey
+ 5. Scan the QR code with your phone or tablet where you saved the passkey. Once the connection to the device is established, follow the instructions to use the passkey
:::column-end:::
:::column span="1":::
@@ -251,17 +230,24 @@ Pick one of the following options to learn how to use a passkey, based on where
:::row:::
:::column span="4":::
- 5. You're signed in to the website or app
+ 6. You're signed in to the website or app
:::column-end:::
:::row-end:::
#### [:::image type="icon" source="images/phone.svg" border="false"::: **Linked phone or tablet**](#tab/linked)
+[!INCLUDE [use-passkey](includes/use-passkey.md)]
+
+:::row:::
+ :::column span="4":::
+ 4. Select your linked device name (e.g. **Pixel**) > **Next**
+ :::column-end:::
+:::row-end:::
:::row:::
:::column span="3":::
- 4. Once the connection to the linked device is established, follow the instructions on the device to use the passkey
+ 5. Once the connection to the linked device is established, follow the instructions on the device to use the passkey
:::column-end:::
:::column span="1":::
@@ -271,7 +257,7 @@ Pick one of the following options to learn how to use a passkey, based on where
:::row:::
:::column span="3":::
- 5. You're signed in to the website or app
+ 6. You're signed in to the website or app
:::column-end:::
:::column span="1":::
@@ -280,10 +266,17 @@ Pick one of the following options to learn how to use a passkey, based on where
#### [:::image type="icon" source="images/usb.svg" border="false"::: **Security key**](#tab/key)
+[!INCLUDE [use-passkey](includes/use-passkey.md)]
+
+:::row:::
+ :::column span="4":::
+ 4. Select **Security key** > **Next**
+ :::column-end:::
+:::row-end:::
:::row:::
:::column span="3":::
- 4. Unlock the security key using the key's unlock mechanism
+ 5. Unlock the security key using the key's unlock mechanism
:::column-end:::
:::column span="1":::
@@ -293,7 +286,7 @@ Pick one of the following options to learn how to use a passkey, based on where
:::row:::
:::column span="3":::
- 5. You're signed in to the website or app
+ 6. You're signed in to the website or app
:::column-end:::
:::column span="1":::
diff --git a/windows/security/identity-protection/passwordless-experience/index.md b/windows/security/identity-protection/passwordless-experience/index.md
index 7ea73c4603..37dc49c775 100644
--- a/windows/security/identity-protection/passwordless-experience/index.md
+++ b/windows/security/identity-protection/passwordless-experience/index.md
@@ -2,7 +2,6 @@
title: Windows passwordless experience
description: Learn how Windows passwordless experience enables your organization to move away from passwords.
ms.collection:
- - highpri
- tier1
ms.date: 09/27/2023
ms.topic: how-to
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index 5c99653fe4..d7ffee21b2 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -1,11 +1,8 @@
---
title: Remote Credential Guard
description: Learn how Remote Credential Guard helps to secure Remote Desktop credentials by never sending them to the target device.
-ms.collection:
-- highpri
-- tier1
ms.topic: how-to
-ms.date: 09/06/2023
+ms.date: 12/08/2023
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -36,7 +33,7 @@ Using a Remote Desktop session without Remote Credential Guard has the following
The security benefits of Remote Credential Guard include:
- Credentials aren't sent to the remote host
-- During the remote session you can connect to other systems using SSO
+- During the remote session, you can connect to other systems using SSO
- An attacker can act on behalf of the user only when the session is ongoing
The security benefits of [Restricted Admin mode][TECH-1] include:
@@ -70,14 +67,14 @@ The remote host:
The client device:
- Must be running the Remote Desktop Windows application. The Remote Desktop Universal Windows Platform (UWP) application doesn't support Remote Credential Guard
-- Must use Kerberos authentication to connect to the remote host. If the client can't connect to a domain controller, then RDP attempts to fall back to NTLM. Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk
+- Must use Kerberos authentication to connect to the remote host. If the client can't connect to a domain controller, then RDP attempts to fall back to NTLM. Remote Credential Guard doesn't allow NTLM fallback because it would expose credentials to risk
[!INCLUDE [remote-credential-guard](../../../includes/licensing/remote-credential-guard.md)]
## Enable delegation of nonexportable credentials on the remote hosts
This policy is required on the remote hosts to support Remote Credential Guard and Restricted Admin mode. It allows the remote host to delegate nonexportable credentials to the client device.\
-If you disable or don't configure this setting, Restricted Admin and Remote Credential Guard mode aren't supported. User will always need to pass their credentials to the host, exposing users to the risk of credential theft from attackers on the remote host.
+If you disable or don't configure this setting, Restricted Admin and Remote Credential Guard mode aren't supported. Users must pass their credentials to the host, exposing them to the risk of credential theft from attackers on the remote host.
To enable delegation of nonexportable credentials on the remote hosts, you can use:
@@ -134,9 +131,12 @@ To enable Remote Credential Guard on the clients, you can configure a policy tha
> [!TIP]
> If you don't want to configure your clients to enforce Remote Credential Guard, you can use the following command to use Remote Credential Guard for a specific RDP session:
+>
> ```cmd
> mstsc.exe /remoteGuard
> ```
+>
+> If the server hosts the RDS Host role, then the command works only if the user is an administrator of the remote host.
The policy can have different values, depending on the level of security you want to enforce:
@@ -145,8 +145,8 @@ The policy can have different values, depending on the level of security you wan
- **Require Remote Credential Guard**: Remote Desktop Client must use Remote Credential Guard to connect to remote hosts
- **Restrict credential delegation**: Remote Desktop Client must use Restricted Admin or Remote Credential Guard to connect to remote hosts. In this configuration, Remote Credential Guard is preferred, but it uses Restricted Admin mode (if supported) when Remote Credential Guard can't be used
-> [!NOTE]
-> When *Restrict Credential Delegation* is enabled, the `/restrictedAdmin` switch will be ignored. Windows enforces the policy configuration instead and uses Remote Credential Guard.
+ > [!NOTE]
+ > When *Restrict Credential Delegation* is enabled, the `/restrictedAdmin` switch will be ignored. Windows enforces the policy configuration instead and uses Remote Credential Guard.
To configure your clients, you can use:
@@ -187,11 +187,11 @@ Not documented.
---
-## Use Remote Credential Guard
+## User experience
Once a client receives the policy, you can connect to the remote host using Remote Credential Guard by opening the Remote Desktop Client (`mstsc.exe`). The user is automatically authenticated to the remote host:
-:::image type="content" source="images/remote-credential-guard.gif" alt-text="Animation showing a client connecting to a remote server using Remote Credential Guard with SSO.":::
+>[!VIDEO https://learn-video.azurefd.net/vod/player?id=39cc96a2-5193-48be-a4f3-d491571fd9a1]
> [!NOTE]
> The user must be authorized to connect to the remote server using the Remote Desktop protocol, for example by being a member of the Remote Desktop Users local group on the remote host.
@@ -206,17 +206,17 @@ To further harden security, we also recommend that you implement Windows Local A
For more information about LAPS, see [What is Windows LAPS][LEARN-1].
-## Additional considerations
+## Considerations
-Here are some additional considerations for Remote Credential Guard:
+Here are some considerations for Remote Credential Guard:
-- Remote Credential Guard doesn't support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied
+- Remote Credential Guard doesn't support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access is denied
- Remote Credential Guard can be used only when connecting to a device that is joined to an Active Directory domain. It can't be used when connecting to remote devices joined to Microsoft Entra ID
- Remote Credential Guard can be used from a Microsoft Entra joined client to connect to an Active Directory joined remote host, as long as the client can authenticate using Kerberos
- Remote Credential Guard only works with the RDP protocol
- No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own
- The server and client must authenticate using Kerberos
-- Remote Credential Guard is only supported for direct connections to the target machines and not for the ones via Remote Desktop Connection Broker and Remote Desktop Gateway
+- Remote Credential Guard is only supported for direct connections to the target machines. It isn't support for connections via Remote Desktop Connection Broker and Remote Desktop Gateway
diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
index 35ace33d60..cb77691205 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
@@ -1,21 +1,20 @@
---
-ms.date: 09/24/2021
-title: Smart Card and Remote Desktop Services
+ms.date: 11/22/2023
+title: Smart Card and Remote Desktop Services
description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
-ms.topic: conceptual
-ms.reviewer: ardenw
+ms.topic: concept-article
---
+
# Smart Card and Remote Desktop Services
This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
-Smart card redirection logic and **WinSCard** API are combined to support multiple redirected sessions into a single process.
+Smart card redirection logic and *WinSCard API* are combined to support multiple redirected sessions into a single process.
Smart card support is required to enable many Remote Desktop Services scenarios. These include:
-- Using Fast User Switching or Remote Desktop Services. A user is not able to establish a redirected smart card-based remote desktop connection. That is, the connect attempt is not successful in Fast User Switching or from a Remote Desktop Services session.
-
-- Enabling Encrypting File System (EFS) to locate the user's smart card reader from the Local Security Authority (LSA) process in Fast User Switching or in a Remote Desktop Services session. If EFS is not able to locate the smart card reader or certificate, EFS cannot decrypt user files.
+- Using Fast User Switching or Remote Desktop Services. A user isn't able to establish a redirected smart card-based remote desktop connection. That is, the connect attempt isn't successful in Fast User Switching or from a Remote Desktop Services session
+- Enabling *Encrypting File System* (EFS) to locate the user's smart card reader from the *Local Security Authority* (LSA) process in Fast User Switching or in a Remote Desktop Services session. If EFS isn't able to locate the smart card reader or certificate, EFS can't decrypt user files
## Remote Desktop Services redirection
@@ -23,47 +22,44 @@ In a Remote Desktop scenario, a user is using a remote server for running servic
-**Remote Desktop redirection**
+### Remote Desktop redirection
Notes about the redirection model:
-1. This scenario is a remote sign-in session on a computer with Remote Desktop Services. In the remote session (labeled as "Client session"), the user runs **net use /smartcard**.
-
-2. Arrows represent the flow of the PIN after the user types the PIN at the command prompt until it reaches the user's smart card in a smart card reader that is connected to the Remote Desktop Connection (RDC) client computer.
-
-3. The authentication is performed by the LSA in session 0.
-
-4. The CryptoAPI processing is performed in the LSA (Lsass.exe). This is possible because RDP redirector (rdpdr.sys) allows per-session, rather than per-process, context.
-
-5. The WinScard and SCRedir components, which were separate modules in operating systems earlier than Windows Vista, are now included in one module. The ScHelper library is a CryptoAPI wrapper that is specific to the Kerberos protocol.
-
-6. The redirection decision is made on a per smart card context basis, based on the session of the thread that performs the SCardEstablishContext call.
-
-7. Changes to WinSCard.dll implementation were made in Windows Vista to improve smart card redirection.
+1. This scenario is a remote sign-in session on a computer with Remote Desktop Services. In the remote session (labeled as *Client session*), the user runs `net use /smartcard`
+1. Arrows represent the flow of the PIN after the user types the PIN at the command prompt until it reaches the user's smart card in a smart card reader that is connected to the Remote Desktop Connection (RDC) client computer
+1. The authentication is performed by the LSA in session 0
+1. The CryptoAPI processing is performed in the LSA (`lsass.exe`). This is possible because RDP redirector (`rdpdr.sys`) allows per-session, rather than per-process, context
+1. The ScHelper library is a CryptoAPI wrapper that is specific to the Kerberos protocol
+1. The redirection decision is made on a per smart card context basis, based on the session of the thread that performs the `SCardEstablishContext` call
## RD Session Host server single sign-in experience
As a part of the Common Criteria compliance, the RDC client must be configurable to use Credential Manager to acquire and save the user's password or smart card PIN. Common Criteria compliance requires that applications not have direct access to the user's password or PIN.
-Common Criteria compliance requires specifically that the password or PIN never leave the LSA unencrypted. A distributed scenario should allow the password or PIN to travel between one trusted LSA and another, and it cannot be unencrypted during transit.
+Common Criteria compliance requires specifically that the password or PIN never leave the LSA unencrypted. A distributed scenario should allow the password or PIN to travel between one trusted LSA and another, and it can't be unencrypted during transit.
-When smart card-enabled single sign-in (SSO) is used for Remote Desktop Services sessions, users still need to sign in for every new Remote Desktop Services session. However, the user is not prompted for a PIN more than once to establish a Remote Desktop Services session. For example, after the user double-clicks a Microsoft Word document icon that resides on a remote computer, the user is prompted to enter a PIN. This PIN is sent by using a secure channel that the credential SSP has established. The PIN is routed back to the RDC client over the secure channel and sent to Winlogon. The user does not receive any additional prompts for the PIN, unless the PIN is incorrect or there are smart card-related failures.
+When smart card-enabled single sign-in (SSO) is used for Remote Desktop Services sessions, users still need to sign in for every new Remote Desktop Services session. However, the user isn't prompted for a PIN more than once to establish a Remote Desktop Services session. For example, after the user double-clicks a Microsoft Word document icon that resides on a remote computer, the user is prompted to enter a PIN. This PIN is sent by using a secure channel that the credential SSP has established. The PIN is routed back to the RDC client over the secure channel and sent to Winlogon. The user doesn't receive any additional prompts for the PIN, unless the PIN is incorrect or there are smart card-related failures.
### Remote Desktop Services and smart card sign-in
Remote Desktop Services enables users to sign in with a smart card by entering a PIN on the RDC client computer and sending it to the RD Session Host server in a manner similar to authentication that is based on user name and password.
-In addition, Group Policy settings that are specific to Remote Desktop Services need to be enabled for smart card-based sign-in.
+In addition, group policy settings that are specific to Remote Desktop Services need to be enabled for smart card-based sign-in.
-To enable smart card sign-in to a Remote Desktop Session Host (RD Session Host) server, the Key Distribution Center (KDC) certificate must be present on the RDC client computer. If the computer is not in the same domain or workgroup, the following command can be used to deploy the certificate:
+To enable smart card sign-in to a Remote Desktop Session Host (RD Session Host) server, the Key Distribution Center (KDC) certificate must be present on the RDC client computer. If the computer isn't in the same domain or workgroup, the following command can be used to deploy the certificate:
-**certutil -dspublish NTAuthCA** "*DSCDPContainer*"
+```cmd
+certutil.exe -dspublish NTAuthCA "DSCDPContainer"
+```
-The *DSCDPContainer* Common Name (CN) is usually the name of the certification authority.
+The `DSCDPContainer` Common Name (CN) is usually the name of the certification authority.
Example:
-**certutil -dspublish NTAuthCA** <*CertFile*> **"CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=engineering,DC=contoso,DC=com"**
+```cmd
+certutil -dspublish NTAuthCA
Only the password credential provider is available in safe mode.
The smart card credential provider is available in safe mode during networking.
+> [!NOTE]
+> The Credential Provider API does not render the UI. It describes what needs to be rendered.\
+> Only the password credential provider is available in safe mode.\
+> The smart card credential provider is available in safe mode during networking.
## Smart card subsystem architecture
@@ -74,19 +68,16 @@ Vendors provide smart cards and smart card readers, and in many cases the vendor
### Base CSP and smart card minidriver architecture
-Figure 2 illustrates the relationship between the CryptoAPI, CSPs, the Smart Card Base Cryptographic Service Provider (Base CSP), and smart card minidrivers.
+The following graphic shows the relationship between the CryptoAPI, CSPs, the Smart Card Base Cryptographic Service Provider (Base CSP), and smart card minidrivers.
-**Figure 2** **Base CSP and smart card minidriver architecture**
-
### Caching with Base CSP and smart card KSP
-Smart card architecture uses caching mechanisms to assist in streamlining operations and to improve a user's access to a PIN.
+Smart card architecture uses caching mechanisms to help streamlining operations and to improve a user's access to a PIN.
-- [Data caching](#data-caching): The data cache provides for a single process to minimize smart card I/O operations.
-
-- [PIN caching](#pin-caching): The PIN cache helps the user from having to reenter a PIN each time the smart card is unauthenticated.
+- [Data caching](#data-caching): The data cache provides for a single process to minimize smart card I/O operations
+- [PIN caching](#pin-caching): The PIN cache helps the user from having to reenter a PIN each time the smart card is unauthenticated
#### Data caching
@@ -94,13 +85,10 @@ Each CSP implements the current smart card data cache separately. The Base CSP i
The existing global cache works as follows:
-1. The application requests a cryptographic operation. For example, a user certificate is to be read from the smart card.
-
-2. The CSP checks its cache for the item.
-
-3. If the item is not found in the cache, or if the item is cached but is not up-to-date, the item is read from the smart card.
-
-4. After any item has been read from the smart card, it is added to the cache. Any existing out-of-date copy of that item is replaced.
+1. The application requests a cryptographic operation. For example, a user certificate is to be read from the smart card
+1. The CSP checks its cache for the item
+1. If the item isn't found in the cache, or if the item is cached but isn't up-to-date, the item is read from the smart card
+1. After any item has been read from the smart card, it's added to the cache. Any existing out-of-date copy of that item is replaced
Three types of objects or data are cached by the CSP: pins (for more information, see [PIN caching](#pin-caching)), certificates, and files. If any of the cached data changes, the corresponding object is read from the smart card in successive operations. For example, if a file is written to the smart card, the CSP cache becomes out-of-date for the files, and other processes read the smart card at least once to refresh their CSP cache.
@@ -110,51 +98,35 @@ The global data cache is hosted in the Smart Cards for Windows service. Windows
The PIN cache protects the user from entering a PIN every time the smart card is unauthenticated. After a smart card is authenticated, it will not differentiate among host-side applications—any application can access private data on the smart card.
-To mitigate this, the smart card enters an exclusive state when an application authenticates to the smart card. However, this means that other applications cannot communicate with the smart card and will be blocked. Therefore, such exclusive connections are minimized. The issue is that a protocol (such as the Kerberos protocol) requires multiple signing operations. Therefore, the protocol requires exclusive access to the smart card over an extended period, or it requires multiple authentication operations. This is where the PIN cache is used to minimize exclusive use of the smart card without forcing the user to enter a PIN multiple times.
+To mitigate this, the smart card enters an exclusive state when an application authenticates to the smart card. However, this means that other applications can't communicate with the smart card and will be blocked. Therefore, such exclusive connections are minimized. The issue is that a protocol (such as the Kerberos protocol) requires multiple signing operations. Therefore, the protocol requires exclusive access to the smart card over an extended period, or it requires multiple authentication operations. This is where the PIN cache is used to minimize exclusive use of the smart card without forcing the user to enter a PIN multiple times.
The following example illustrates how this works. In this scenario, there are two applications: Outlook and Internet Explorer. The applications use smart cards for different purposes.
-1. The user starts Outlook and tries to send a signed e-mail. The private key is on the smart card.
-
-2. Outlook prompts the user for the smart card PIN. The user enters the correct PIN.
-
-3. E-mail data is sent to the smart card for the signature operation. The Outlook client formats the response and sends the e-mail.
-
-4. The user opens Internet Explorer and tries to access a protected site that requires Transport Layer Security (TLS) authentication for the client.
-
-5. Internet Explorer prompts the user for the smart card PIN. The user enters the correct PIN.
-
-6. The TLS-related private key operation occurs on the smart card, and the user is authenticated and signed in.
-
-7. The user returns to Outlook to send another signed e-mail. This time, the user is not prompted for a PIN because the PIN is cached from the previous operation. Similarly, if the user uses Internet Explorer again for another operation, Internet Explorer will not prompt the user for a PIN.
+1. The user starts Outlook and tries to send a signed e-mail. The private key is on the smart card
+1. Outlook prompts the user for the smart card PIN. The user enters the correct PIN
+1. E-mail data is sent to the smart card for the signature operation. The Outlook client formats the response and sends the e-mail
+1. The user opens Internet Explorer and tries to access a protected site that requires Transport Layer Security (TLS) authentication for the client
+1. Internet Explorer prompts the user for the smart card PIN. The user enters the correct PIN
+1. The TLS-related private key operation occurs on the smart card, and the user is authenticated and signed in
+1. The user returns to Outlook to send another signed e-mail. This time, the user isn't prompted for a PIN because the PIN is cached from the previous operation. Similarly, if the user uses Internet Explorer again for another operation, Internet Explorer won't prompt the user for a PIN
The Base CSP internally maintains a per-process cache of the PIN. The PIN is encrypted and stored in memory. The functions that are used to secure the PIN are RtlEncryptMemory, RtlDecryptMemory, and RtlSecureZeroMemory, which will empty buffers that contained the PIN.
### Smart card selection
-The following sections in this topic describe how Windows leverages the smart card architecture to select the correct smart card reader software, provider, and credentials for a successful smart card sign-in:
+The following sections in this article describe how Windows uses the smart card architecture to select the correct smart card reader software, provider, and credentials for a successful smart card sign-in:
-- [Container specification levels](#container-specification-levels)
-
-- [Container operations](#container-operations)
-
-- [Context flags](#context-flags)
-
-- [Create a new container in silent context](#create-a-new-container-in-silent-context)
-
-- [Smart card selection behavior](#smart-card-selection-behavior)
-
-- [Make a smart card reader match](#make-a-smart-card-reader-match)
-
-- [Make a smart card match](#make-a-smart-card-match)
-
-- [Open an existing default container (no reader specified)](#open-an-existing-default-container-no-reader-specified)
-
-- [Open an existing GUID-named container (no reader specified)](#open-an-existing-guid-named-container-no-reader-specified)
-
-- [Create a new container (no reader specified)](#create-a-new-container-no-reader-specified)
-
-- [Delete a container](#delete-a-container)
+- [Container specification levels](#container-specification-levels)
+- [Container operations](#container-operations)
+- [Context flags](#context-flags)
+- [Create a new container in silent context](#create-a-new-container-in-silent-context)
+- [Smart card selection behavior](#smart-card-selection-behavior)
+- [Make a smart card reader match](#make-a-smart-card-reader-match)
+- [Make a smart card match](#make-a-smart-card-match)
+- [Open an existing default container (no reader specified)](#open-an-existing-default-container-no-reader-specified)
+- [Open an existing GUID-named container (no reader specified)](#open-an-existing-guid-named-container-no-reader-specified)
+- [Create a new container (no reader specified)](#create-a-new-container-no-reader-specified)
+- [Delete a container](#delete-a-container)
#### Container specification levels
@@ -162,13 +134,14 @@ In response to a CryptAcquireContext call in CryptoAPI, the Base CSP tries to ma
Similarly, in response to a NCryptOpenKey call in CNG, the smart card KSP tries to match the container the same way, and it takes the same container format, as shown in the following table.
-> **Note** Before opening a key by using the smart card KSP, a call to NCryptOpenStorageProvider (MS\_SMART\_CARD\_KEY\_STORAGE\_PROVIDER) must be made.
+> [!NOTE]
+> Before opening a key by using the smart card KSP, a call to NCryptOpenStorageProvider (`MS_SMART_CARD_KEY_STORAGE_PROVIDER`) must be made.
| **Type** | **Name** | **Format** |
|----------|----------|------------|
-| I | Reader Name and Container Name | \\\\.\\<Reader Name>\\<Container Name> |
-| II | Reader Name and Container Name (NULL) | \\\\.\\<Reader Name> |
-| III | Container Name Only | <Container Name> |
+| I | Reader Name and Container Name | `\.
- Read-only (used only by CryptGetProvParam)
- Caller responsible for closing the certificate store
- Certificate encoded using PKCS\_7\_ASN\_ENCODING or X509\_ASN\_ENCODING
- CSP should set KEY\_PROV\_INFO on certificates
- Certificate store should be assumed to be an in-memory store
- Certificates should have a valid CRYPT\_KEY\_PROV\_INFO as a property |
-| PP\_ROOT\_CERTSTORE | - Read and Write (used by CryptGetProvParam and CryptSetProvParam)
- Used to write a collection of root certificates to the smart card or return HCERTSTORE, which contains root certificates from the smart card
- Used primarily for joining a domain by using a smart card
- Caller responsible for closing the certificate store |
-| PP\_SMARTCARD\_READER | - Read-only (used only by CryptGetProvParam)
- Returns the smart card reader name as an ANSI string that is used to construct a fully qualified container name (that is, a smart card reader plus a container) |
-| PP\_SMARTCARD\_GUID | - Return smart card GUID (also known as a serial number), which should be unique for each smart card
- Used by the certificate propagation service to track the source of a root certificate|
-| PP\_UI\_PROMPT | - Used to set the search string for the SCardUIDlgSelectCard card insertion dialog box
- Persistent for the entire process when it is set
- Write-only (used only by CryptSetProvParam) |
+| Property | Description |
+|--|--|
+| `PP_USER_CERTSTORE` | - Used to return an `HCERTSTORE` that contains all user certificates on the smart card
- Read-only (used only by `CryptGetProvParam`)
- Caller responsible for closing the certificate store
- Certificate encoded using `PKCS_7_ASN_ENCODING` or `X509_ASN_ENCODING`
- CSP should set `KEY_PROV_INFO` on certificates
- Certificate store should be assumed to be an in-memory store
- Certificates should have a valid `CRYPT_KEY_PROV_INFO` as a property |
+| `PP_ROOT_CERTSTORE` | - Read and Write (used by `CryptGetProvParam` and `CryptSetProvParam`)
- Used to write a collection of root certificates to the smart card or return `HCERTSTORE`, which contains root certificates from the smart card
- Used primarily for joining a domain by using a smart card
- Caller responsible for closing the certificate store |
+| `PP_SMARTCARD_READER` | - Read-only (used only by `CryptGetProvParam`)
- Returns the smart card reader name as an ANSI string that is used to construct a fully qualified container name (that is, a smart card reader plus a container) |
+| `PP_SMARTCARD_GUID` | - Return smart card GUID (also known as a serial number), which should be unique for each smart card
- Used by the certificate propagation service to track the source of a root certificate |
+| `PP_UI_PROMPT` | - Used to set the search string for the `SCardUIDlgSelectCard` card insertion dialog box
- Persistent for the entire process when it's set
- Write-only (used only by `CryptSetProvParam`) |
### Implications for CSPs in Windows
-Cryptographic Service Providers (CSPs), including custom smart card CSPs, continue to be supported but this approach is not recommended. Using the existing Base CSP and smart card KSP with the smart card minidriver model for smart cards provides significant benefits in terms of performance, and PIN and data caching. One minidriver can be configured to work under CryptoAPI and CNG layers. This provides benefits from enhanced cryptographic support, including elliptic curve cryptography and AES.
+Cryptographic Service Providers (CSPs), including custom smart card CSPs, continue to be supported but this approach isn't recommended. Using the existing Base CSP and smart card KSP with the smart card minidriver model for smart cards provides significant benefits in terms of performance, and PIN and data caching. One minidriver can be configured to work under CryptoAPI and CNG layers. This provides benefits from enhanced cryptographic support, including elliptic curve cryptography and AES.
If a smart card is registered by a CSP and a smart card minidriver, the one that was installed most recently will be used to communicate with the smart card.
### Write a smart card minidriver, CSP, or KSP
-CSPs and KSPs are meant to be written only if specific functionality is not available in the current smart card minidriver architecture. For example, the smart card minidriver architecture supports hardware security modules, so a minidriver could be written for a hardware security module, and a CSP or KSP may not be required unless it is needed to support algorithms that are not implemented in the Base CSP or smart card KSP.
+CSPs and KSPs are meant to be written only if specific functionality isn't available in the current smart card minidriver architecture. For example, the smart card minidriver architecture supports hardware security modules, so a minidriver could be written for a hardware security module, and a CSP or KSP may not be required unless it's needed to support algorithms that aren't implemented in the Base CSP or smart card KSP.
-For more information about how to write a smart card minidriver, CSP, or KSP, see [Smart Card Minidrivers](/windows-hardware/drivers/smartcard/smart-card-minidrivers).
\ No newline at end of file
+For more information about how to write a smart card minidriver, CSP, or KSP, see [Smart Card Minidrivers](/windows-hardware/drivers/smartcard/smart-card-minidrivers).
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
index 62737034ae..fe6f0b5c39 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
@@ -1,68 +1,53 @@
---
-title: Certificate Propagation Service
-description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
-ms.reviewer: ardenw
+title: Certificate propagation service
+description: Learn about the certificate propagation service (CertPropSvc), which is used in smart card implementation.
ms.topic: concept-article
-ms.date: 08/24/2021
+ms.date: 11/22/2023
---
-# Certificate Propagation Service
+# Certificate propagation service
-This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
+The certificate propagation service (CertPropSvc) is a Windows service that activates when a user inserts a smart card in a reader that is attached to the device. The action causes the certificates to be read from the smart card. The certificates are then added to the user's Personal store. Certificate propagation service actions are controlled by using Group Policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
-The certificate propagation service activates when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. Certificate propagation service actions are controlled by using Group Policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
-
-> **Note** The certificate propagation service must be running for smart card Plug and Play to work.
+> [!NOTE]
+> The certificate propagation service must be running for smart card Plug and Play to work.
The following figure shows the flow of the certificate propagation service. The action begins when a signed-in user inserts a smart card.
-1. The arrow labeled **1** indicates that the Service Control Manager (SCM) notifies the certificate propagation service (CertPropSvc) when a user signs in, and CertPropSvc begins to monitor the smart cards in the user session.
-
-2. The arrow labeled **R** represents the possibility of a remote session and the use of smart card redirection.
-
-3. The arrow labeled **2** indicates the certification to the reader.
-
-4. The arrow labeled **3** indicates the access to the certificate store during the client session.
-
-**Certificate propagation service**
+1. The arrow labeled **1** indicates that the Service Control Manager (SCM) notifies the certificate propagation service (CertPropSvc) when a user signs in, and CertPropSvc begins to monitor the smart cards in the user session
+1. The arrow labeled **R** represents the possibility of a remote session and the use of smart card redirection
+1. The arrow labeled **2** indicates the certification to the reader
+1. The arrow labeled **3** indicates the access to the certificate store during the client session
-1. A signed-in user inserts a smart card.
+1. A signed-in user inserts a smart card
+1. CertPropSvc is notified that a smart card was inserted
+1. CertPropSvc reads all certificates from all inserted smart cards. The certificates are written to the user's personal certificate store
-2. CertPropSvc is notified that a smart card was inserted.
-
-3. CertPropSvc reads all certificates from all inserted smart cards. The certificates are written to the user's personal certificate store.
-
-> **Note** The certificate propagation service is started as a Remote Desktop Services dependency.
+> [!NOTE]
+> The certificate propagation service is started as a Remote Desktop Services dependency.
Properties of the certificate propagation service include:
-- CERT\_STORE\_ADD\_REPLACE\_EXISTING\_INHERIT\_PROPERTIES adds certificates to a user's Personal store.
-
-- If the certificate has the CERT\_ENROLLMENT\_PROP\_ID property (as defined by wincrypt.h), it filters empty requests and places them in the current user's request store, but it does not propagate them to the user's Personal store.
-
-- The service does not propagate any computer certificates to a user's Personal store or propagate user certificates to a computer store.
-
-- The service propagates certificates according to Group Policy options that are set, which may include:
-
- - **Turn on certificate propagation from the smart card** specifies whether a user's certificate should be propagated.
-
- - **Turn on root certificate propagation from smart card** specifies whether root certificates should be propagated.
-
- - **Configure root certificate cleanup** specifies how root certificates are removed.
+- `CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES` adds certificates to a user's Personal store
+- If the certificate has the `CERT_ENROLLMENT_PROP_ID` property (as defined by `wincrypt.h`), it filters empty requests and places them in the current user's request store, but it doesn't propagate them to the user's Personal store
+- The service doesn't propagate any computer certificates to a user's Personal store or propagate user certificates to a computer store
+- The service propagates certificates according to Group Policy options that are set, which might include:
+ - **Turn on certificate propagation from the smart card** specifies whether a user's certificate should be propagated
+ - **Turn on root certificate propagation from smart card** specifies whether root certificates should be propagated
+ - **Configure root certificate cleanup** specifies how root certificates are removed
## Root certificate propagation service
-Root certificate propagation is responsible for the following smart card deployment scenarios when public key infrastructure (PKI) trust has not yet been established:
+Root certificate propagation is responsible for the following smart card deployment scenarios when public key infrastructure (PKI) trust hasn't yet been established:
-- Joining the domain
+- Joining the domain
+- Accessing a network remotely
-- Accessing a network remotely
+In both cases, the computer isn't joined to a domain, and therefore, trust isn't being managed by group policy. However, the objective is to authenticate to a remote server, such as the domain controller. Root certificate propagation provides the ability to use the smart card to include the missing trust chain.
-In both cases, the computer is not joined to a domain, and therefore, trust is not being managed by Group Policy. However, the objective is to authenticate to a remote server, such as the domain controller. Root certificate propagation provides the ability to use the smart card to include the missing trust chain.
-
-When the smart card is inserted, the certificate propagation service propagates any root certificates on the card to the trusted smart card root computer certificate stores. This process establishes a trust relationship with the enterprise resources. You may also use a subsequent cleanup action when the user's smart card is removed from the reader, or when the user signs out. This is configurable with Group Policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
+When the smart card is inserted, the certificate propagation service propagates any root certificates on the card to the trusted smart card root computer certificate stores. This process establishes a trust relationship with the enterprise resources. You might also use a subsequent cleanup action when the user's smart card is removed from the reader, or when the user signs out. This is configurable with group policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
For more information about root certificate requirements, see [Smart card root certificate requirements for use with domain sign-in](smart-card-certificate-requirements-and-enumeration.md#smart-card-root-certificate-requirements-for-use-with-domain-sign-in).
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
index 9931e52d1f..9f8291d4a6 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
@@ -1,9 +1,8 @@
---
title: Certificate Requirements and Enumeration
description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
-ms.reviewer: ardenw
ms.topic: concept-article
-ms.date: 09/24/2021
+ms.date: 11/22/2023
---
# Certificate Requirements and Enumeration
@@ -12,157 +11,110 @@ This topic for the IT professional and smart card developers describes how certi
When a smart card is inserted, the following steps are performed.
-> **Note** Unless otherwise mentioned, all operations are performed silently (CRYPT\_SILENT is passed to CryptAcquireContext).
+> [!NOTE]
+> Unless otherwise mentioned, all operations are performed silently (CRYPT_SILENT is passed to CryptAcquireContext).
-1. The smart card resource manager database searches for the smart card's cryptographic service provider (CSP).
+1. The smart card resource manager database searches for the smart card's cryptographic service provider (CSP).
+1. A qualified container name is constructed by using the smart card reader name, and it's passed to the CSP. The format is `\\.
ECDH\_P256
ECDH
Curve P-256 from FIPS 186-2
ECDSA\_P256
ECDSA
Curve P-256 from FIPS 186-2
ECDH\_P384
ECDH
Curve P-384 from FIPS 186-2
ECDH\_P521
ECDH
Curve P-521 from FIPS 186-2
ECDSA\_P256
ECDH
Curve P-256 from FIPS 186-2
ECDSA\_P384
ECDSA
Curve P-384 from FIPS 186-2
ECDSA\_P521
ECDSA
Curve P-384 from FIPS 186-2 |
-| Windows Server 2008 and Windows Vista | Valid certificates are enumerated and displayed from all smart cards and presented to the user.
Keys are no longer restricted to the default container, and certificates in different containers can be chosen.
Elliptic curve cryptography (ECC)-based certificates are not supported for smart card sign-in |
+1. The process then chooses a certificate, and the PIN is entered
+1. LogonUI.exe packages the information and sends it to Lsass.exe to process the sign-in attempt
+1. If successful, `LogonUI.exe` closes. This causes the context acquired in Step 3 to be released
## Smart card sign-in flow in Windows
-Most issues during authentication occur because of session behavior changes. When changes occur, the Local Security Authority (LSA) does not reacquire the session context; it relies instead on the Cryptographic Service Provider to handle the session change.
+Most issues during authentication occur because of session behavior changes. When changes occur, the Local Security Authority (LSA) doesn't reacquire the session context; it relies instead on the Cryptographic Service Provider to handle the session change.
-Client certificates that do not contain a UPN in the **subjectAltName** (SAN) field of the certificate can be enabled for sign-in, which supports a wider variety of certificates and supports multiple sign-in certificates on the same card.
+Client certificates that don't contain a UPN in the `subjectAltName` (SAN) field of the certificate can be enabled for sign-in, which supports a wider variety of certificates and supports multiple sign-in certificates on the same card.
Support for multiple certificates on the same card is enabled by default. New certificate types must be enabled through Group Policy.
-If you enable the **Allow signature keys valid for Logon** credential provider policy, any certificates that are available on the smart card with a signature-only key are listed on the sign-in screen. This allows users to select their sign-in experience. If the policy is disabled or not configured, smart card signature-key-based certificates are not listed on the sign-in screen.
+If you enable the **Allow signature keys valid for Logon** credential provider policy, any certificates that are available on the smart card with a signature-only key are listed on the sign-in screen. This allows users to select their sign-in experience. If the policy is disabled or not configured, smart card signature-key-based certificates aren't listed on the sign-in screen.
The following diagram illustrates how smart card sign-in works in the supported versions of Windows.
-**Smart card sign-in flow**
+### Smart card sign-in flow
Following are the steps that are performed during a smart card sign-in:
-1. Winlogon requests the sign-in UI credential information.
+1. Winlogon requests the sign-in UI credential information
+1. Asynchronously, smart card resource manager starts, and the smart card credential provider does the following:
+ 1. Gets credential information (a list of known credentials, or if no credentials exist, the smart card reader information that Windows detected)
+ 1. Gets a list of smart card readers (by using the WinSCard API) and the list of smart cards inserted in each of them
+ 1. Enumerates each card to verify that a sign-in certificate that is controlled by Group Policy is present. If the certificate is present, the smart card credential provider copies it into a temporary, secure cache on the computer or terminal
-2. Asynchronously, smart card resource manager starts, and the smart card credential provider does the following:
+ > [!NOTE]
+ > Smartcard cache entries are created for certificates with a subject name or with a subject key identifier. If the certificate has a subject name, it is stored with an index that is based on the subject name and certificate issuer. If another certificate with the same subject name and certificate issuer is used, it will replace the existing cached entry. A change in this behavior, allows for the condition when the certificate does not have a subject name, the cache is created with an index that is based on the subject key identifier and certificate issuer. If another certificate has the same the subject key identifier and certificate issuer, the cache entry is replaced. When certificates have neither a subject name nor subject key identifier, a cached entry is not created.
- 1. Gets credential information (a list of known credentials, or if no credentials exist, the smart card reader information that Windows detected).
+ 1. Notifies the sign-in UI that it has new credentials
- 2. Gets a list of smart card readers (by using the WinSCard API) and the list of smart cards inserted in each of them.
+1. The sign-in UI requests the new credentials from the smart card credential provider. As a response, the smart card credential provider provides each sign-in certificate to the sign-in UI, and corresponding sign-in tiles are displayed. The user selects a smart card-based sign-in certificate tile, and Windows displays a PIN dialog box
+1. The user enters the PIN, and then presses ENTER. The smart card credential provider encrypts the PIN
+1. The credential provider that resides in the LogonUI system collects the PIN. As part of packaging credentials in the smart card credential provider, the data is packaged in a KERB_CERTIFICATE_LOGON structure. The main contents of the KERB_CERTIFICATE_LOGON structure are the smart card PIN, CSP data (such as reader name and container name), user name, and domain name. User name is required if the sign-in domain isn't in the same forest because it enables a certificate to be mapped to multiple user accounts
+1. The credential provider wraps the data (such as the encrypted PIN, container name, reader name, and card key specification) and sends it back to LogonUI
+1. Winlogon presents the data from LogonUI to the LSA with the user information in LSALogonUser
+1. LSA calls the Kerberos authentication package (Kerberos SSP) to create a Kerberos authentication service request (KRB_AS_REQ), which containing a preauthenticator (as specified in RFC 4556: [Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)](http://www.ietf.org/rfc/rfc4556.txt)).
- 3. Enumerates each card to verify that a sign-in certificate that is controlled by Group Policy is present. If the certificate is present, the smart card credential provider copies it into a temporary, secure cache on the computer or terminal.
+ If the authentication is performed by using a certificate that uses a digital signature, the preauthentication data consists of the user's public certificate and the certificate that is digitally signed with the corresponding private key.\
+ If the authentication is performed by using a certificate that uses key encipherment, the preauthentication data consists of the user's public certificate and the certificate that is encrypted with the corresponding private key.
- > **Note** Smartcard cache entries are created for certificates with a subject name or with a subject key identifier. If the certificate has a subject name, it is stored with an index that is based on the subject name and certificate issuer. If another certificate with the same subject name and certificate issuer is used, it will replace the existing cached entry. A change in this behavior after Windows Vista, allows for the condition when the certificate does not have a subject name, the cache is created with an index that is based on the subject key identifier and certificate issuer. If another certificate has the same the subject key identifier and certificate issuer, the cache entry is replaced. When certificates have neither a subject name nor subject key identifier, a cached entry is not created.
+1. To sign the request digitally (as per RFC 4556), a call is made to the corresponding CSP for a private key operation. Because the private key in this case is stored in a smart card, the smart card subsystem is called, and the necessary operation is completed. The result is sent back to the Kerberos security support provider (SSP).
+1. The Kerberos SSP sends an authentication request for a ticket-granting-ticket (TGT) (per RFC 4556) to the Key Distribution Center (KDC) service that runs on a domain controller.
+1. The KDC finds the user's account object in Active Directory Domain Services (AD DS), as detailed in [Client certificate requirements and mappings](#client-certificate-requirements-and-mappings), and uses the user's certificate to verify the signature.
+1. The KDC validates the user's certificate (time, path, and revocation status) to ensure that the certificate is from a trusted source. The KDC uses CryptoAPI to build a certification path from the user's certificate to a root certification authority (CA) certificate that resides in the root store on the domain controller. The KDC then uses CryptoAPI to verify the digital signature on the signed authenticator that was included in the preauthentication data fields. The domain controller verifies the signature and uses the public key from the user's certificate to prove that the request originated from the owner of the private key that corresponds to the public key. The KDC also verifies that the issuer is trusted and appears in the NTAUTH certificate store.
+1. The KDC service retrieves user account information from AD DS. The KDC constructs a TGT, which is based on the user account information that it retrieves from AD DS. The TGT's authorization data fields include the user's security identifier (SID), the SIDs for universal and global domain groups to which the user belongs, and (in a multidomain environment) the SIDs for any universal groups of which the user is a member.
+1. The domain controller returns the TGT to the client as part of the KRB_AS_REP response.
- 4. Notifies the sign-in UI that it has new credentials.
-
-3. The sign-in UI requests the new credentials from the smart card credential provider. As a response, the smart card credential provider provides each sign-in certificate to the sign-in UI, and corresponding sign-in tiles are displayed. The user selects a smart card-based sign-in certificate tile, and Windows displays a PIN dialog box.
-
-4. The user enters the PIN, and then presses ENTER. The smart card credential provider encrypts the PIN.
-
-5. The credential provider that resides in the LogonUI system collects the PIN. As part of packaging credentials in the smart card credential provider, the data is packaged in a KERB\_CERTIFICATE\_LOGON structure. The main contents of the KERB\_CERTIFICATE\_LOGON structure are the smart card PIN, CSP data (such as reader name and container name), user name, and domain name. User name is required if the sign-in domain is not in the same forest because it enables a certificate to be mapped to multiple user accounts.
-
-6. The credential provider wraps the data (such as the encrypted PIN, container name, reader name, and card key specification) and sends it back to LogonUI.
-
-7. Winlogon presents the data from LogonUI to the LSA with the user information in LSALogonUser.
-
-8. LSA calls the Kerberos authentication package (Kerberos SSP) to create a Kerberos authentication service request (KRB\_AS\_REQ), which containing a preauthenticator (as specified in RFC 4556: [Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)](http://www.ietf.org/rfc/rfc4556.txt)).
-
- If the authentication is performed by using a certificate that uses a digital signature, the preauthentication data consists of the user's public certificate and the certificate that is digitally signed with the corresponding private key.
If the authentication is performed by using a certificate that uses key encipherment, the preauthentication data consists of the user's public certificate and the certificate that is encrypted with the corresponding private key.
-
-9. To sign the request digitally (as per RFC 4556), a call is made to the corresponding CSP for a private key operation. Because the private key in this case is stored in a smart card, the smart card subsystem is called, and the necessary operation is completed. The result is sent back to the Kerberos security support provider (SSP).
-
-10. The Kerberos SSP sends an authentication request for a ticket-granting-ticket (TGT) (per RFC 4556) to the Key Distribution Center (KDC) service that runs on a domain controller.
-
-11. The KDC finds the user's account object in Active Directory Domain Services (AD DS), as detailed in [Client certificate requirements and mappings](#client-certificate-requirements-and-mappings), and uses the user's certificate to verify the signature.
-
-12. The KDC validates the user's certificate (time, path, and revocation status) to ensure that the certificate is from a trusted source. The KDC uses CryptoAPI to build a certification path from the user's certificate to a root certification authority (CA) certificate that resides in the root store on the domain controller. The KDC then uses CryptoAPI to verify the digital signature on the signed authenticator that was included in the preauthentication data fields. The domain controller verifies the signature and uses the public key from the user's certificate to prove that the request originated from the owner of the private key that corresponds to the public key. The KDC also verifies that the issuer is trusted and appears in the NTAUTH certificate store.
-
-13. The KDC service retrieves user account information from AD DS. The KDC constructs a TGT, which is based on the user account information that it retrieves from AD DS. The TGT's authorization data fields include the user's security identifier (SID), the SIDs for universal and global domain groups to which the user belongs, and (in a multidomain environment) the SIDs for any universal groups of which the user is a member.
-
-14. The domain controller returns the TGT to the client as part of the KRB\_AS\_REP response.
-
- > **Note** The KRB\_AS\_REP packet consists of:
- >- Privilege attribute certificate (PAC)
- >- User's SID
- >- SIDs of any groups of which the user is a member
- >- A request for ticket-granting service (TGS)
- >- Preauthentication data
+ > [!NOTE]
+ > The KRB_AS_REP packet consists of:
+ > - Privilege attribute certificate (PAC)
+ > - User's SID
+ > - SIDs of any groups of which the user is a member
+ > - A request for ticket-granting service (TGS)
+ > - Preauthentication data
TGT is encrypted with the master key of the KDC, and the session key is encrypted with a temporary key. This temporary key is derived based on RFC 4556. Using CryptoAPI, the temporary key is decrypted. As part of the decryption process, if the private key is on a smart card, a call is made to the smart card subsystem by using the specified CSP to extract the certificate corresponding to the user's public key. (Programmatic calls for the certificate include CryptAcquireContext, CryptSetProvParam with the PIN, CryptgetUserKey, and CryptGetKeyParam.) After the temporary key is obtained, the Kerberos SSP decrypts the session key.
-15. The client validates the reply from the KDC (time, path, and revocation status). It first verifies the KDC's signature by the construction of a certification path from the KDC's certificate to a trusted root CA, and then it uses the KDC's public key to verify the reply signature.
+1. The client validates the reply from the KDC (time, path, and revocation status). It first verifies the KDC's signature by the construction of a certification path from the KDC's certificate to a trusted root CA, and then it uses the KDC's public key to verify the reply signature.
+1. Now that a TGT has been obtained, the client obtains a service ticket, which is used to sign in to the local computer.
+1. With success, LSA stores the tickets and returns a success message to LSALogonUser. After this success message is issued, user profile for the device is selected and set, Group Policy refresh is instantiated, and other actions are performed.
+1. After the user profile is loaded, the Certification Propagation Service (CertPropSvc) detects this event, reads the certificates from the smart card (including the root certificates), and then populates them into the user's certificate store (MYSTORE)
+1. CSP to smart card resource manager communication happens on the LRPC Channel.
+1. On successful authentication, certificates are propagated to the user's store asynchronously by the Certificate Propagation Service (CertPropSvc).
+1. When the card is removed, certificates in the temporary secure cache store are removed. The Certificates are no longer available for sign-in, but they remain in the user's certificate store.
-16. Now that a TGT has been obtained, the client obtains a service ticket, which is used to sign in to the local computer.
-
-17. With success, LSA stores the tickets and returns a success message to LSALogonUser. After this success message is issued, user profile for the device is selected and set, Group Policy refresh is instantiated, and other actions are performed.
-
-18. After the user profile is loaded, the Certification Propagation Service (CertPropSvc) detects this event, reads the certificates from the smart card (including the root certificates), and then populates them into the user's certificate store (MYSTORE).
-
-19. CSP to smart card resource manager communication happens on the LRPC Channel.
-
-20. On successful authentication, certificates are propagated to the user's store asynchronously by the Certificate Propagation Service (CertPropSvc).
-
-21. When the card is removed, certificates in the temporary secure cache store are removed. The Certificates are no longer available for sign-in, but they remain in the user's certificate store.
-
-> **Note** A SID is created for each user or group at the time a user account or a group account is created within the local security accounts database or within AD DS. The SID never changes, even if the user or group account is renamed.
+> [!NOTE]
+> A SID is created for each user or group at the time a user account or a group account is created within the local security accounts database or within AD DS. The SID never changes, even if the user or group account is renamed.
For more information about the Kerberos protocol, see [Microsoft Kerberos](/windows/win32/secauthn/microsoft-kerberos).
-By default, the KDC verifies that the client's certificate contains the smart card client authentication EKU szOID\_KP\_SMARTCARD\_LOGON. However, if enabled, the **Allow certificates with no extended key usage certificate attribute** Group Policy setting allows the KDC to not require the SC-LOGON EKU. SC-LOGON EKU is not required for account mappings that are based on the public key.
+By default, the KDC verifies that the client's certificate contains the smart card client authentication EKU szOID_KP_SMARTCARD_LOGON. However, if enabled, the **Allow certificates with no extended key usage certificate attribute** Group Policy setting allows the KDC to not require the SC-LOGON EKU. SC-LOGON EKU isn't required for account mappings that are based on the public key.
## KDC certificate
Active Directory Certificate Services provides three kinds of certificate templates:
-- Domain controller
+- Domain controller
+- Domain controller authentication
+- Kerberos authentication
-- Domain controller authentication
-
-- Kerberos authentication
-
-Depending on the configuration of the domain controller, one of these types of certificates is sent as a part of the AS\_REP packet.
+Depending on the configuration of the domain controller, one of these types of certificates is sent as a part of the AS_REP packet.
## Client certificate requirements and mappings
@@ -170,144 +122,125 @@ Certificate requirements are listed by versions of the Windows operating system.
### Certificate requirements
-The smart card certificate has specific format requirements when it is used with Windows XP and earlier operating systems. You can enable any certificate to be visible for the smart card credential provider.
-
-
-| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows 10, and Windows 11** | **Requirements for Windows XP** |
-|--------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| CRL distribution point location | Not required | The location must be specified, online, and available, for example:
\[1\]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=`
**Note** If an EKU is present, it must contain the smart card sign-in EKU. Certificates with no EKU can be used for sign-in. | - Client Authentication (1.3.6.1.5.5.7.3.2)
The client authentication object identifier is required only if a certificate is used for SSL authentication.
- Smart Card Sign-in (1.3.6.1.4.1.311.20.2.2) |
-| Subject alternative name | E-mail ID is not required for smart card sign-in. | Other Name: Principal Name=(UPN), for example:
UPN=user1@contoso.com
The UPN OtherName object identifier is 1.3.6.1.4.1.311.20.2.3.
The UPN OtherName value must be an ASN1-encoded UTF8 string. |
-| Subject | Not required | Distinguished name of user. This field is a mandatory extension, but the population of this field is optional. |
-| Key exchange (AT\_KEYEXCHANGE field) | Not required for smart card sign-in certificates if a Group Policy setting is enabled. (By default, Group Policy settings are not enabled.) | Not required |
-| CRL | Not required | Not required |
-| UPN | Not required | Not required |
-| Notes | You can enable any certificate to be visible for the smart card credential provider. | There are two predefined types of private keys. These keys are Signature Only (AT\_SIGNATURE) and Key Exchange (AT\_KEYEXCHANGE). Smart card sign-in certificates must have a Key Exchange (AT\_KEYEXCHANGE) private key type. |
+| Component | Requirements |
+|--|--|
+| CRL distribution point location | Not required |
+| Key usage | Digital signature |
+| Basic constraints | Not required |
+| extended key usage (EKU) | The smart card sign-in object identifier isn't required.
**Note** If an EKU is present, it must contain the smart card sign-in EKU. Certificates with no EKU can be used for sign-in. |
+| Subject alternative name | E-mail ID isn't required for smart card sign-in. |
+| Subject | Not required |
+| Key exchange (AT_KEYEXCHANGE field) | Not required for smart card sign-in certificates if a Group Policy setting is enabled. (By default, Group Policy settings aren't enabled.) |
+| CRL | Not required |
+| UPN | Not required |
+| Notes | You can enable any certificate to be visible for the smart card credential provider. |
### Client certificate mappings
-Certificate mapping is based on the UPN that is contained in the subjectAltName (SAN) field of the certificate. Client certificates that do not contain information in the SAN field are also supported.
+Certificate mapping is based on the UPN that is contained in the subjectAltName (SAN) field of the certificate. Client certificates that don't contain information in the SAN field are also supported.
-SSL/TLS can map certificates that do not have SAN, and the mapping is done by using the AltSecID attributes on client accounts. The X509 AltSecID, which is used by SSL/TLS client authentication is of the form "X509: <I>"*<Issuer Name>*"<S>"*<Subject Name>*. The *<Issuer Name>* and *<Subject Name>* are taken from the client certificate, with '\\r' and '\\n' replaced with ','.
+SSL/TLS can map certificates that don't have SAN, and the mapping is done by using the AltSecID attributes on client accounts. The X509 AltSecID, which is used by SSL/TLS client authentication is of the form "X509: `
Value name: NtLmInfoLevel
Value type: DWORD
Value data: c0015003 |
-| Kerberos | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos
Value name: LogToFile
Value type: DWORD
Value data: 00000001
HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters
Value name: KerbDebugLevel
Value type: DWORD
Value data: c0000043
HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters
Value name: LogToFile
Value type: DWORD
Value data: 00000001 |
-| KDC | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Kdc
Value name: KdcDebugLevel
Value type: DWORD
Value data: c0000803 |
+| Element | Registry Key Setting |
+|--|--|
+| NTLM | HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Value name: NtLmInfoLevel
Value type: DWORD
Value data: c0015003 |
+| Kerberos | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
Value name: LogToFile
Value type: DWORD
Value data: 00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value name: KerbDebugLevel
Value type: DWORD
Value data: c0000043
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value name: LogToFile
Value type: DWORD
Value data: 00000001 |
+| KDC | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
Value name: KdcDebugLevel
Value type: DWORD
Value data: c0000803 |
-If you used `Tracelog`, look for the following log file in your current directory: kerb.etl/kdc.etl/ntlm.etl.
+If you used `Tracelog`, look for the following log file in your current directory: `kerb.etl/kdc.etl/ntlm.etl`.
If you used the registry key settings shown in the previous table, look for the trace log files in the following locations:
-- NTLM: %systemroot%\\tracing\\msv1\_0
+- NTLM: `%systemroot%\tracing\msv1_0`
+- Kerberos: `%systemroot%\tracing\kerberos`
+- KDC: `%systemroot%\tracing\kdcsvc`
-- Kerberos: %systemroot%\\tracing\\kerberos
-
-- KDC: %systemroot%\\tracing\\kdcsvc
-
-To decode event trace files, you can use `Tracefmt` (tracefmt.exe). `Tracefmt` is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. `Tracefmt` can display the messages in the Command Prompt window or save them in a text file. It is located in the \\tools\\tracing subdirectory of the Windows Driver Kit (WDK). For more information, see [`Tracefmt`](/windows-hardware/drivers/devtest/tracefmt).
+To decode event trace files, you can use `Tracefmt` (tracefmt.exe). `Tracefmt` is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. `Tracefmt` can display the messages in the Command Prompt window or save them in a text file. It is located in the \tools\tracing subdirectory of the Windows Driver Kit (WDK). For more information, see [`Tracefmt`](/windows-hardware/drivers/devtest/tracefmt).
## Smart Card service
The smart card resource manager service runs in the context of a local service. It's implemented as a shared service of the services host (svchost) process.
-**To check if Smart Card service is running**
+To check if Smart Card service is running:
-1. Press CTRL+ALT+DEL, and then select **Start Task Manager**.
+1. Press CTRL+ALT+DEL, and then select **Start Task Manager**
+1. In the **Windows Task Manager** dialog box, select the **Services** tab
+1. Select the **Name** column to sort the list alphabetically, and then type **s**
+1. In the **Name** column, look for **SCardSvr**, and then look under the **Status** column to see if the service is running or stopped
-2. In the **Windows Task Manager** dialog box, select the **Services** tab.
+To restart Smart Card service:
-3. Select the **Name** column to sort the list alphabetically, and then type **s**.
-
-4. In the **Name** column, look for **SCardSvr**, and then look under the **Status** column to see if the service is running or stopped.
-
-**To restart Smart Card service**
-
-1. Run as administrator at the command prompt.
-
-2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
-
-3. At the command prompt, type `net stop SCardSvr`.
-
-4. At the command prompt, type `net start SCardSvr`.
+1. Run as administrator at the command prompt
+1. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**
+1. At the command prompt, type `net stop SCardSvr`
+1. At the command prompt, type `net start SCardSvr`
You can use the following command at the command prompt to check whether the service is running: `sc queryex scardsvr`.
@@ -215,15 +215,12 @@ C:\>
As with any device connected to a computer, Device Manager can be used to view properties and begin the debug process.
-**To check if smart card reader is working**
+To check if smart card reader is working:
-1. Navigate to **Computer**.
-
-2. Right-click **Computer**, and then select **Properties**.
-
-3. Under **Tasks**, select **Device Manager**.
-
-4. In Device Manager, expand **Smart card readers**, select the name of the smart card reader you want to check, and then select **Properties**.
+1. Navigate to **Computer**
+1. Right-click **Computer**, and then select **Properties**
+1. Under **Tasks**, select **Device Manager**
+1. In Device Manager, expand **Smart card readers**, select the name of the smart card reader you want to check, and then select **Properties**
> [!NOTE]
> If the smart card reader is not listed in Device Manager, in the **Action** menu, select **Scan for hardware changes**.
diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md
index 87a6861bb1..96a66ee27a 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-events.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-events.md
@@ -2,7 +2,7 @@
title: Smart card events
description: Learn about smart card deployment and development events.
ms.topic: troubleshooting
-ms.date: 06/02/2023
+ms.date: 11/22/2023
---
# Smart card events
diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
index 81d22a9785..d218b20bc5 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
@@ -1,9 +1,8 @@
---
title: Smart Card Group Policy and Registry Settings
description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards.
-ms.reviewer: ardenw
ms.topic: reference
-ms.date: 11/02/2021
+ms.date: 11/22/2023
---
# Smart Card Group Policy and Registry Settings
@@ -12,72 +11,51 @@ This article for IT professionals and smart card developers describes the Group
The following sections and tables list the smart card-related Group Policy settings and registry keys that can be set on a per-computer basis. If you use domain Group Policy Objects (GPOs), you can edit and apply Group Policy settings to local or domain computers.
-- [Primary Group Policy settings for smart cards](#primary-group-policy-settings-for-smart-cards)
-
- - [Allow certificates with no extended key usage certificate attribute](#allow-certificates-with-no-extended-key-usage-certificate-attribute)
-
- - [Allow ECC certificates to be used for logon and authentication](#allow-ecc-certificates-to-be-used-for-logon-and-authentication)
-
- - [Allow Integrated Unblock screen to be displayed at the time of logon](#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon)
-
- - [Allow signature keys valid for Logon](#allow-signature-keys-valid-for-logon)
-
- - [Allow time invalid certificates](#allow-time-invalid-certificates)
-
- - [Allow user name hint](#allow-user-name-hint)
-
- - [Configure root certificate clean up](#configure-root-certificate-clean-up)
-
- - [Display string when smart card is blocked](#display-string-when-smart-card-is-blocked)
-
- - [Filter duplicate logon certificates](#filter-duplicate-logon-certificates)
-
- - [Force the reading of all certificates from the smart card](#force-the-reading-of-all-certificates-from-the-smart-card)
-
- - [Notify user of successful smart card driver installation](#notify-user-of-successful-smart-card-driver-installation)
-
- - [Prevent plaintext PINs from being returned by Credential Manager](#prevent-plaintext-pins-from-being-returned-by-credential-manager)
-
- - [Reverse the subject name stored in a certificate when displaying](#reverse-the-subject-name-stored-in-a-certificate-when-displaying)
-
- - [Turn on certificate propagation from smart card](#turn-on-certificate-propagation-from-smart-card)
-
- - [Turn on root certificate propagation from smart card](#turn-on-root-certificate-propagation-from-smart-card)
-
- - [Turn on Smart Card Plug and Play service](#turn-on-smart-card-plug-and-play-service)
-
-- [Base CSP and Smart Card KSP registry keys](#base-csp-and-smart-card-ksp-registry-keys)
-
-- [CRL checking registry keys](#crl-checking-registry-keys)
-
-- [Additional smart card Group Policy settings and registry keys](#additional-smart-card-group-policy-settings-and-registry-keys)
+- [Primary Group Policy settings for smart cards](#primary-group-policy-settings-for-smart-cards)
+ - [Allow certificates with no extended key usage certificate attribute](#allow-certificates-with-no-extended-key-usage-certificate-attribute)
+ - [Allow ECC certificates to be used for logon and authentication](#allow-ecc-certificates-to-be-used-for-logon-and-authentication)
+ - [Allow Integrated Unblock screen to be displayed at the time of logon](#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon)
+ - [Allow signature keys valid for Logon](#allow-signature-keys-valid-for-logon)
+ - [Allow time invalid certificates](#allow-time-invalid-certificates)
+ - [Allow user name hint](#allow-user-name-hint)
+ - [Configure root certificate clean up](#configure-root-certificate-clean-up)
+ - [Display string when smart card is blocked](#display-string-when-smart-card-is-blocked)
+ - [Filter duplicate logon certificates](#filter-duplicate-logon-certificates)
+ - [Force the reading of all certificates from the smart card](#force-the-reading-of-all-certificates-from-the-smart-card)
+ - [Notify user of successful smart card driver installation](#notify-user-of-successful-smart-card-driver-installation)
+ - [Prevent plaintext PINs from being returned by Credential Manager](#prevent-plaintext-pins-from-being-returned-by-credential-manager)
+ - [Reverse the subject name stored in a certificate when displaying](#reverse-the-subject-name-stored-in-a-certificate-when-displaying)
+ - [Turn on certificate propagation from smart card](#turn-on-certificate-propagation-from-smart-card)
+ - [Turn on root certificate propagation from smart card](#turn-on-root-certificate-propagation-from-smart-card)
+ - [Turn on Smart Card Plug and Play service](#turn-on-smart-card-plug-and-play-service)
+- [Base CSP and Smart Card KSP registry keys](#base-csp-and-smart-card-ksp-registry-keys)
+- [CRL checking registry keys](#crl-checking-registry-keys)
+- [Additional smart card Group Policy settings and registry keys](#additional-smart-card-group-policy-settings-and-registry-keys)
## Primary Group Policy settings for smart cards
-The following smart card Group Policy settings are in Computer Configuration\\Administrative Templates\\Windows Components\\Smart Card.
+The following smart card Group Policy settings are in Computer Configuration\Administrative Templates\Windows Components\Smart Card.
The registry keys are in the following locations:
-- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\Policies\\Microsoft\\Windows\\ScPnP\\EnableScPnP**
-
-- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SmartCardCredentialProvider**
-
-- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CertProp**
+- **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScPnP\EnableScPnP**
+- **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider**
+- **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CertProp**
> [!NOTE]
-> Smart card reader registry information is in **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\Readers**.
-Smart card registry information is in **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\SmartCards**.
+> Smart card reader registry information is in **HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Calais\Readers**.\
+> Smart card registry information is in **HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Calais\SmartCards**.
The following table lists the default values for these GPO settings. Variations are documented under the policy descriptions in this article.
-| **Server type or GPO** | **Default value** |
-|----------------------------------------------|-------------------|
-| Default Domain Policy | Not configured |
-| Default Domain Controller Policy | Not configured |
-| Stand-Alone Server Default Settings | Not configured |
-| Domain Controller Effective Default Settings | Disabled |
-| Member Server Effective Default Settings | Disabled |
-| Client Computer Effective Default Settings | Disabled |
+| Server type or GPO | Default value |
+|--|--|
+| Default Domain Policy | Not configured |
+| Default Domain Controller Policy | Not configured |
+| Stand-Alone Server Default Settings | Not configured |
+| Domain Controller Effective Default Settings | Disabled |
+| Member Server Effective Default Settings | Disabled |
+| Client Computer Effective Default Settings | Disabled |
### Allow certificates with no extended key usage certificate attribute
@@ -85,70 +63,66 @@ You can use this policy setting to allow certificates without an extended key us
> [!NOTE]
> extended key usage certificate attribute is also known as extended key usage.
->
+>
> In versions of Windows before Windows Vista, smart card certificates that are used to sign in require an EKU extension with a smart card logon object identifier. This policy setting can be used to modify that restriction.
When this policy setting is turned on, certificates with the following attributes can also be used to sign in with a smart card:
-- Certificates with no EKU
-
-- Certificates with an All Purpose EKU
-
-- Certificates with a Client Authentication EKU
+- Certificates with no EKU
+- Certificates with an All Purpose EKU
+- Certificates with a Client Authentication EKU
When this policy setting isn't turned on, only certificates that contain the smart card logon object identifier can be used to sign in with a smart card.
-| **Item** | **Description** |
-|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
-| Registry key | AllowCertificatesWithNoEKU |
-| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
-| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
-| Notes and resources | |
+| Item | Description |
+|--|--|
+| Registry key | AllowCertificatesWithNoEKU |
+| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
### Allow ECC certificates to be used for logon and authentication
-You can use this policy setting to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to sign in to a domain.
+You can use this policy setting to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to sign in to a domain.
-When this setting is turned on, ECC certificates on a smart card can be used to sign in to a domain.
+When this setting is turned on, ECC certificates on a smart card can be used to sign in to a domain.
When this setting isn't turned on, ECC certificates on a smart card can't be used to sign in to a domain.
-| **Item** | **Description** |
-|--------------------------------------|-------------------------------|
-| Registry key | **EnumerateECCCerts** |
-| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
-| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
-| Notes and resources | This policy setting only affects a user's ability to sign in to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, aren't affected by this policy setting.
If you use an ECDSA key to sign in, you must also have an associated ECDH key to permit sign in when you're not connected to the network. |
+| Item | Description |
+|--|--|
+| Registry key | `EnumerateECCCerts` |
+| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
+| Notes and resources | This policy setting only affects a user's ability to sign in to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, aren't affected by this policy setting.
If you use an ECDSA key to sign in, you must also have an associated ECDH key to permit sign in when you're not connected to the network. |
### Allow Integrated Unblock screen to be displayed at the time of logon
You can use this policy setting to determine whether the integrated unblock feature is available in the sign-in user interface (UI). The feature was introduced as a standard feature in the Credential Security Support Provider in Windows Vista.
-When this setting is turned on, the integrated unblock feature is available.
+When this setting is turned on, the integrated unblock feature is available.
When this setting isn't turned on, the feature is not available.
-| **Item** | **Description** |
-|--------------------------------------|---------------------------------------------------------------------------------------------------------------|
-| Registry key | **AllowIntegratedUnblock** |
-| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
-| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
-| Notes and resources | To use the integrated unblock feature, the smart card must support it. Check with the hardware manufacturer to verify that the smart card supports this feature.
You can create a custom message that the user sees when the smart card is blocked by configuring the policy setting [Display string when smart card is blocked](#display-string-when-smart-card-is-blocked). |
+| Item | Description |
+|--|--|
+| Registry key | `AllowIntegratedUnblock` |
+| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
+| Notes and resources | To use the integrated unblock feature, the smart card must support it. Check with the hardware manufacturer to verify that the smart card supports this feature.
You can create a custom message that the user sees when the smart card is blocked by configuring the policy setting [Display string when smart card is blocked](#display-string-when-smart-card-is-blocked). |
### Allow signature keys valid for Logon
-You can use this policy setting to allow signature key–based certificates to be enumerated and available for sign-in.
+You can use this policy setting to allow signature key-based certificates to be enumerated and available for sign-in.
When this setting is turned on, any certificates that are available on the smart card with a signature-only key are listed on the sign-in screen.
When this setting isn't turned on, certificates available on the smart card with a signature-only key aren't listed on the sign-in screen.
-| **Item** | **Description** |
-|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
-| Registry key | **AllowSignatureOnlyKeys**|
-| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
-| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
-| Notes and resources | |
+| Item | Description |
+|--|--|
+| Registry key | **AllowSignatureOnlyKeys** |
+| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
### Allow time invalid certificates
@@ -161,85 +135,79 @@ When this setting is turned on, certificates are listed on the sign-in screen wh
When this policy setting isn't turned on, certificates that are expired or not yet valid aren't listed on the sign-in screen.
-| **Item** | **Description** |
-|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
-| Registry key | **AllowTimeInvalidCertificates** |
-| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
-| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
-| Notes and resources | |
+| Item | Description |
+|--|--|
+| Registry key | `AllowTimeInvalidCertificates` |
+| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
### Allow user name hint
-You can use this policy setting to determine whether an optional field appears during sign-in and provides a subsequent elevation process where users can enter their username or username and domain, which associates a certificate with the user.
+You can use this policy setting to determine whether an optional field appears during sign-in and provides a subsequent elevation process where users can enter their username or username and domain, which associates a certificate with the user.
-When this policy setting is turned on, users see an optional field where they can enter their username or username and domain.
+When this policy setting is turned on, users see an optional field where they can enter their username or username and domain.
When this policy setting isn't turned on, users don't see this optional field.
-| **Item** | **Description** |
-|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
-| Registry key | **X509HintsNeeded**|
-| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
-| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
-| Notes and resources | |
+| Item | Description |
+|--|--|
+| Registry key | `X509HintsNeeded` |
+| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
### Configure root certificate clean-up
-You can use this policy setting to manage the cleanup behavior of root certificates. Certificates are verified by using a trust chain, and the trust anchor for the digital certificate is the Root Certification Authority (CA). A CA can issue multiple certificates with the root certificate as the top certificate of the tree structure. A private key is used to sign other certificates. This creates an inherited trustworthiness for all certificates immediately under the root certificate.
+You can use this policy setting to manage the cleanup behavior of root certificates. Certificates are verified by using a trust chain, and the trust anchor for the digital certificate is the Root Certification Authority (CA). A CA can issue multiple certificates with the root certificate as the top certificate of the tree structure. A private key is used to sign other certificates. This creates an inherited trustworthiness for all certificates immediately under the root certificate.
When this policy setting is turned on, you can set the following cleanup options:
-- **No cleanup**. When the user signs out or removes the smart card, the root certificates used during their session persist on the computer.
-
-- **Clean up certificates on smart card removal**. When the smart card is removed, the root certificates are removed.
-
-- **Clean up certificates on log off**. When the user signs out of Windows, the root certificates are removed.
+- **No cleanup**. When the user signs out or removes the smart card, the root certificates used during their session persist on the computer.
+- **Clean up certificates on smart card removal**. When the smart card is removed, the root certificates are removed.
+- **Clean up certificates on log off**. When the user signs out of Windows, the root certificates are removed.
When this policy setting isn't turned on, root certificates are automatically removed when the user signs out of Windows.
-| **Item** | **Description** |
-|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
-| Registry key | **RootCertificateCleanupOption**|
-| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
-| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
-| Notes and resources | |
+| Item | Description |
+|--|--|
+| Registry key | `RootCertificateCleanupOption` |
+| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
### Display string when smart card is blocked
You can use this policy setting to change the default message that a user sees if their smart card is blocked.
-When this policy setting is turned on, you can create and manage the displayed message that the user sees when a smart card is blocked.
+When this policy setting is turned on, you can create and manage the displayed message that the user sees when a smart card is blocked.
When this policy setting isn't turned on (and the integrated unblock feature is also enabled), the user sees the system's default message when the smart card is blocked.
-| **Item** | **Description** |
-|--------------------------------------|-------------------------|
-| Registry key | **IntegratedUnblockPromptString** |
-| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
+| Item | Description |
+|--|--|
+| Registry key | `IntegratedUnblockPromptString` |
+| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: This policy setting is only effective when the [Allow Integrated Unblock screen to be displayed at the time of logon](#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon) policy is enabled. |
-| Notes and resources | |
### Filter duplicate logon certificates
-You can use this policy setting to configure which valid sign-in certificates are displayed.
+You can use this policy setting to configure which valid sign-in certificates are displayed.
> [!NOTE]
> During the certificate renewal period, a user's smart card can have multiple valid sign-in certificates issued from the same certificate template, which can cause confusion about which certificate to select. This behavior can occur when a certificate is renewed and the old certificate has not expired yet.
->
+>
> If two certificates are issued from the same template with the same major version and they are for the same user (this is determined by their UPN), they are determined to be the same.
-When this policy setting is turned on, filtering occurs so that the user can select from only the most current valid certificates.
+When this policy setting is turned on, filtering occurs so that the user can select from only the most current valid certificates.
If this policy setting isn't turned on, all the certificates are displayed to the user.
This policy setting is applied to the computer after the [Allow time invalid certificates](#allow-time-invalid-certificates) policy setting is applied.
-| **Item** | **Description** |
-|--------------------------------------|--------------------------------------------------------------------------------------------------|
-| Registry key | **FilterDuplicateCerts**|
-| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
-| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
-| Notes and resources | If there are two or more of the same certificates on a smart card and this policy setting is enabled, the certificate that is used to sign in to computers running Windows 2000, Windows XP, or Windows Server 2003 will be displayed. Otherwise, the certificate with the most distant expiration time will be displayed. |
+| Item | Description |
+|--|--|
+| Registry key | `FilterDuplicateCerts` |
+| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
+| Notes and resources | If there are two or more of the same certificates on a smart card and this policy setting is enabled, the certificate with the most distant expiration time is displayed. |
### Force the reading of all certificates from the smart card
@@ -249,197 +217,190 @@ When this policy setting is turned on, Windows attempts to read all certificates
When this policy isn't turned on, Windows attempts to read only the default certificate from smart cards that don't support retrieval of all certificates in a single call. Certificates other than the default aren't available for sign-in.
-| **Item** | **Description** |
-|--------------------------------------|----------------------------------------------------------------------------|
-| Registry key | **ForceReadingAllCertificates** |
-| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
-| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None
**Important**: Enabling this policy setting can adversely impact performance during the sign-in process in certain situations. |
-| Notes and resources | Contact the smart card vendor to determine if your smart card and associated CSP support the required behavior. |
+| Item | Description |
+|--|--|
+| Registry key | `ForceReadingAllCertificates` |
+| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None
**Important**: Enabling this policy setting can adversely impact performance during the sign-in process in certain situations. |
+| Notes and resources | Contact the smart card vendor to determine if your smart card and associated CSP support the required behavior. |
### Notify user of successful smart card driver installation
-You can use this policy setting to control whether the user sees a confirmation message when a smart card device driver is installed.
+You can use this policy setting to control whether the user sees a confirmation message when a smart card device driver is installed.
-When this policy setting is turned on, the user sees a confirmation message when a smart card device driver is installed.
+When this policy setting is turned on, the user sees a confirmation message when a smart card device driver is installed.
When this setting isn't turned on, the user doesn't see a smart card device driver installation message.
-| **Item** | **Description** |
-|--------------------------------------|------------------------------------------------|
-| Registry key | **ScPnPNotification** |
-| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
-| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
-| Notes and resources | This policy setting applies only to smart card drivers that have passed the Windows Hardware Quality Labs (WHQL) testing process. |
+|--|--|
+| -------------------------------------- | ------------------------------------------------ |
+| Registry key | `ScPnPNotification` |
+| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
+| Notes and resources | This policy setting applies only to smart card drivers that have passed the Windows Hardware Quality Labs (WHQL) testing process. |
### Prevent plaintext PINs from being returned by Credential Manager
-You can use this policy setting to prevent Credential Manager from returning plaintext PINs.
+You can use this policy setting to prevent Credential Manager from returning plaintext PINs.
> [!NOTE]
-> Credential Manager is controlled by the user on the local computer, and it stores credentials from supported browsers and Windows applications. Credentials are saved in special encrypted folders on the computer under the user's profile.
+> Credential Manager is controlled by the user on the local computer, and it stores credentials from supported browsers and Windows applications. Credentials are saved in special encrypted folders on the computer under the user's profile.
-When this policy setting is turned on, Credential Manager doesn't return a plaintext PIN.
+When this policy setting is turned on, Credential Manager doesn't return a plaintext PIN.
When this setting isn't turned on, Credential Manager can return plaintext PINs.
-| **Item** | **Description** |
-|--------------------------------------|-----------------------------------------------------------------------------------|
-| Registry key | **DisallowPlaintextPin**|
-| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
-| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
-| Notes and resources | If this policy setting is enabled, some smart cards might not work in computers running Windows. Consult the smart card manufacturer to determine whether this policy setting should be enabled. |
+| Item | Description |
+|--|--|
+| Registry key | `DisallowPlaintextPin` |
+| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
+| Notes and resources | If this policy setting is enabled, some smart cards might not work in computers running Windows. Consult the smart card manufacturer to determine whether this policy setting should be enabled. |
### Reverse the subject name stored in a certificate when displaying
You can use this policy setting to control the way the subject name appears during sign-in.
> [!NOTE]
-> To help users distinguish one certificate from another, the user principal name (UPN) and the common name are displayed by default. For example, when this setting is enabled, if the certificate subject is CN=User1, OU=Users, DN=example, DN=com and the UPN is user1@example.com, "User1" is displayed with "user1@example.com." If the UPN is not present, the entire subject name is displayed. This setting controls the appearance of that subject name, and it might need to be adjusted for your organization.
+> To help users distinguish one certificate from another, the user principal name (UPN) and the common name are displayed by default. For example, when this setting is enabled, if the certificate subject is *CN=User1, OU=Users, DN=example, DN=com* and the UPN is *user1@example.com*, *User1* is displayed with *user1@example.com*. If the UPN is not present, the entire subject name is displayed. This setting controls the appearance of that subject name, and it might need to be adjusted for your organization.
When this policy setting is turned on, the subject name during sign-in appears reversed from the way that it's stored in the certificate.
When this policy setting isn't turned on, the subject name appears the same as it's stored in the certificate.
-
-| **Item** | **Description** |
-|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
-| Registry key | **ReverseSubject** |
-| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
-| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
-| Notes and resources | |
+| Item | Description |
+|--|--|
+| Registry key | `ReverseSubject` |
+| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
### Turn on certificate propagation from smart card
-You can use this policy setting to manage the certificate propagation that occurs when a smart card is inserted.
+You can use this policy setting to manage the certificate propagation that occurs when a smart card is inserted.
> [!NOTE]
> The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store.
-When this policy setting is turned on, certificate propagation occurs when the user inserts the smart card.
+When this policy setting is turned on, certificate propagation occurs when the user inserts the smart card.
When this policy setting is turned off, certificate propagation doesn't occur, and the certificates aren't available to applications, like Outlook.
-| **Item** | **Description** |
-|--------------------------------------|----------------|
-| Registry key | **CertPropEnabled**|
-| Default values | No changes per operating system versions
Enabled and not configured are equivalent |
+| Item | Description |
+|--|--|
+| Registry key | `CertPropEnabled` |
+| Default values | No changes per operating system versions
Enabled and not configured are equivalent |
| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: This policy setting must be enabled to allow the [Turn on root certificate propagation from smart card](#turn-on-root-certificate-propagation-from-smart-card) setting to work when it is enabled. |
-| Notes and resources | |
### Turn on root certificate propagation from smart card
-You can use this policy setting to manage the root certificate propagation that occurs when a smart card is inserted.
+You can use this policy setting to manage the root certificate propagation that occurs when a smart card is inserted.
> [!NOTE]
-> The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store.
+> The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store.
When this policy setting is turned on, root certificate propagation occurs when the user inserts the smart card.
When this policy setting isn't turned on, root certificate propagation doesn't occur when the user inserts the smart card.
-| **Item** | **Description** |
-|--------------------------------------|---------------------------------------------------------------------------------------------------------|
-| Registry key | **EnableRootCertificate Propagation** |
-| Default values | No changes per operating system versions
Enabled and not configured are equivalent |
+| Item | Description |
+|--|--|
+| Registry key | `EnableRootCertificate Propagation` |
+| Default values | No changes per operating system versions
Enabled and not configured are equivalent |
| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: For this policy setting to work, the [Turn on certificate propagation from smart card](#turn-on-certificate-propagation-from-smart-card) policy setting must also be enabled. |
-| Notes and resources | |
+| Notes and resources | |
### Turn on Smart Card Plug and Play service
-You can use this policy setting to control whether Smart Card Plug and Play is enabled.
+You can use this policy setting to control whether Smart Card Plug and Play is enabled.
> [!NOTE]
> Your users can use smart cards from vendors who have published their drivers through Windows Update without needing special middleware. These drivers will be downloaded in the same way as drivers for other devices in Windows. If an appropriate driver isn't available from Windows Update, a PIV-compliant mini driver that's included with any of the supported versions of Windows is used for these cards.
-When this policy setting is turned on, the system attempts to install a smart card device driver the first time a smart card is inserted in a smart card reader.
+When this policy setting is turned on, the system attempts to install a smart card device driver the first time a smart card is inserted in a smart card reader.
When this policy setting isn't turned on, a device driver isn't installed when a smart card is inserted in a smart card reader.
-| **Item** | **Description** |
-|--------------------------------------|------------------------------------------------|
-| Registry key | **EnableScPnP** |
-| Default values | No changes per operating system versions
Enabled and not configured are equivalent |
-| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
-| Notes and resources | This policy setting applies only to smart card drivers that have passed the Windows Hardware Quality Labs (WHQL) testing process. |
+| Item | Description |
+|--|--|
+| Registry key | `EnableScPnP` |
+| Default values | No changes per operating system versions
Enabled and not configured are equivalent |
+| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
+| Notes and resources | This policy setting applies only to smart card drivers that have passed the Windows Hardware Quality Labs (WHQL) testing process. |
## Base CSP and Smart Card KSP registry keys
The following registry keys can be configured for the base cryptography service provider (CSP) and the smart card key storage provider (KSP). The following tables list the keys. All keys use the DWORD type.
-The registry keys for the Base CSP are in the registry in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider**.
+The registry keys for the Base CSP are in the registry in `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider`.
-The registry keys for the smart card KSP are in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Cryptography\\Providers\\Microsoft Smart Card Key Storage Provider**.
+The registry keys for the smart card KSP are in `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cryptography\Providers\Microsoft Smart Card Key Storage Provider`.
-**Registry keys for the base CSP and smart card KSP**
+### Registry keys for the base CSP and smart card KSP
-| **Registry Key** | **Description** |
-|------------------------------------|---------------------------------------------------------------------------------|
-| **AllowPrivateExchangeKeyImport** | A non-zero value allows RSA exchange (for example, encryption) private keys to be imported for use in key archival scenarios.
Default value: 00000000 |
-| **AllowPrivateSignatureKeyImport** | A non-zero value allows RSA signature private keys to be imported for use in key archival scenarios.
Default value: 00000000 |
-| **DefaultPrivateKeyLenBits** | Defines the default length for private keys, if desired.
Default value: 00000400
Default key generation parameter: 1024-bit keys |
-| **RequireOnCardPrivateKeyGen** | This key sets the flag that requires on-card private key generation (default). If this value is set, a key generated on a host can be imported into the smart card. This is used for smart cards that don't support on-card key generation or where key escrow is required.
Default value: 00000000 |
-| **TransactionTimeoutMilliseconds** | Default timeout values allow you to specify whether transactions that take an excessive amount of time will fail.
Default value: 000005dc
The default timeout for holding transactions to the smart card is 1.5 seconds. |
+| Registry Key | Description |
+|--|--|
+| **AllowPrivateExchangeKeyImport** | A non-zero value allows RSA exchange (for example, encryption) private keys to be imported for use in key archival scenarios.
Default value: 00000000 |
+| **AllowPrivateSignatureKeyImport** | A non-zero value allows RSA signature private keys to be imported for use in key archival scenarios.
Default value: 00000000 |
+| **DefaultPrivateKeyLenBits** | Defines the default length for private keys, if desired.
Default value: 00000400
Default key generation parameter: 1024-bit keys |
+| **RequireOnCardPrivateKeyGen** | This key sets the flag that requires on-card private key generation (default). If this value is set, a key generated on a host can be imported into the smart card. This is used for smart cards that don't support on-card key generation or where key escrow is required.
Default value: 00000000 |
+| **TransactionTimeoutMilliseconds** | Default timeout values allow you to specify whether transactions that take an excessive amount of time will fail.
Default value: 000005dc
The default timeout for holding transactions to the smart card is 1.5 seconds. |
-**Additional registry keys for the smart card KSP**
+Additional registry keys for the smart card KSP:
-| **Registry Key** | **Description** |
-|--------------------------------|-----------------------------------------------------|
-| **AllowPrivateECDHEKeyImport** | This value allows Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) private keys to be imported for use in key archival scenarios.
Default value: 00000000 |
+| Registry Key | Description |
+|--|--|
+| **AllowPrivateECDHEKeyImport** | This value allows Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) private keys to be imported for use in key archival scenarios.
Default value: 00000000 |
| **AllowPrivateECDSAKeyImport** | This value allows Elliptic Curve Digital Signature Algorithm (ECDSA) private keys to be imported for use in key archival scenarios.
Default value: 00000000 |
## CRL checking registry keys
The following table lists the keys and the corresponding values to turn off certificate revocation list (CRL) checking at the Key Distribution Center (KDC) or client. To manage CRL checking, you must configure settings for both the KDC and the client.
-**CRL checking registry keys**
-
-| **Registry Key** | **Details** |
-|------------|-----------------------------|
-| **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Services\\Kdc\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors**| Type = DWORD
Value = 1 |
-| **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Control\\LSA\\Kerberos\\Parameters\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors**| Type = DWORD
Value = 1 |
+| Registry Key | Details |
+|--|--|
+| `HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\Kdc\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors` | Type = DWORD
Value = 1 |
+| `HKEY_LOCAL_MACHINE\SYSTEM\CCS\Control\LSA\Kerberos\Parameters\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors` | Type = DWORD
Value = 1 |
## Additional smart card Group Policy settings and registry keys
In a smart card deployment, additional Group Policy settings can be used to enhance ease-of-use or security. Two of these policy settings that can complement a smart card deployment are:
-- Turning off delegation for computers
+- Turning off delegation for computers
+- Interactive logon: Do not require CTRL+ALT+DEL (not recommended)
-- Interactive logon: Do not require CTRL+ALT+DEL (not recommended)
+The following smart card-related Group Policy settings are in **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options**.
-The following smart card-related Group Policy settings are in Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options.
+### Local security policy settings
-**Local security policy settings**
-
-| Group Policy setting and registry key | Default | Description |
-|------------------------------------------|------------|---------------|
-| Interactive logon: Require smart card
**scforceoption** | Disabled | This security policy setting requires users to sign in to a computer by using a smart card.
**Enabled** Users can sign in to the computer only by using a smart card.
**Disabled** Users can sign in to the computer by using any method.
NOTE: the Windows LAPS-managed local account is exempted from this policy when Enabled. For more information see [Windows LAPS integration with smart card policy](/windows-server/identity/laps/laps-concepts#windows-laps-integration-with-smart-card-policy).
|
-| Interactive logon: Smart card removal behavior
**scremoveoption** | This policy setting isn't defined, which means that the system treats it as **No Action**. | This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are:
**No Action**
**Lock Workstation**: The workstation is locked when the smart card is removed, so users can leave the area, take their smart card with them, and still maintain a protected session.
**Force Logoff**: The user is automatically signed out when the smart card is removed.
**Disconnect if a Remote Desktop Services session**: Removal of the smart card disconnects the session without signing out the user. The user can reinsert the smart card and resume the session later, or at another computer that's equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the **Lock Workstation** option.
**Note**: In earlier versions of Windows Server, Remote Desktop Services was called Terminal Services. |
+| Group Policy setting and registry key | Default | Description |
+|--|--|--|
+| Interactive logon: Require smart card
**scforceoption** | Disabled | This security policy setting requires users to sign in to a computer by using a smart card.
**Enabled** Users can sign in to the computer only by using a smart card.
**Disabled** Users can sign in to the computer by using any method.
NOTE: the Windows LAPS-managed local account is exempted from this policy when Enabled. For more information see [Windows LAPS integration with smart card policy](/windows-server/identity/laps/laps-concepts#windows-laps-integration-with-smart-card-policy).
|
+| Interactive logon: Smart card removal behavior
**scremoveoption** | This policy setting isn't defined, which means that the system treats it as **No Action**. | This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are:
**No Action**
**Lock Workstation**: The workstation is locked when the smart card is removed, so users can leave the area, take their smart card with them, and still maintain a protected session.
**Force Logoff**: The user is automatically signed out when the smart card is removed.
**Disconnect if a Remote Desktop Services session**: Removal of the smart card disconnects the session without signing out the user. The user can reinsert the smart card and resume the session later, or at another computer that's equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the **Lock Workstation** option. |
From the Local Security Policy Editor (secpol.msc), you can edit and apply system policies to manage credential delegation for local or domain computers.
-The following smart card-related Group Policy settings are in Computer Configuration\\Administrative Templates\\System\\Credentials Delegation.
+The following smart card-related Group Policy settings are in **Computer Configuration\Administrative Templates\System\Credentials Delegation**.
-Registry keys are in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults**.
+Registry keys are in `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Credssp\PolicyDefaults`.
> [!NOTE]
> In the following table, fresh credentials are those that you are prompted for when running an application.
-**Credential delegation policy settings**
+### Credential delegation policy settings
+| Group Policy setting and registry key | Default | Description |
+|--|--|--|
+| Allow Delegating Fresh Credentials
**AllowFreshCredentials** | Not configured | This policy setting applies:
When server authentication was achieved through a trusted X509 certificate or Kerberos protocol.
To applications that use the CredSSP component (for example, Remote Desktop Services).
**Enabled**: You can specify the servers where the user's fresh credentials can be delegated.
**Not configured**: After proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Services running on any computer.
**Disabled**: Delegation of fresh credentials to any computer isn't permitted.
**Note**: This policy setting can be set to one or more service principal names (SPNs). The SPN represents the target server where the user credentials can be delegated. A single wildcard character is permitted when specifying the SPN, for example:
Use \*TERMSRV/\*\* for Remote Desktop Session Host (RD Session Host) running on any computer.
Use *TERMSRV/host.humanresources.fabrikam.com* for RD Session Host running on the host.humanresources.fabrikam.com computer.
Use *TERMSRV/\*.humanresources.fabrikam.com* for RD Session Host running on all computers in .humanresources.fabrikam.com |
+| Allow Delegating Fresh Credentials with NTLM-only Server Authentication
**AllowFreshCredentialsWhenNTLMOnly** | Not configured | This policy setting applies:
When server authentication was achieved by using NTLM.
To applications that use the CredSSP component (for example, Remote Desktop).
**Enabled**: You can specify the servers where the user's fresh credentials can be delegated.
**Not configured**: After proper mutual authentication, delegation of fresh credentials is permitted to RD Session Host running on any computer (TERMSRV/\*).
**Disabled**: Delegation of fresh credentials isn't permitted to any computer.
**Note**: This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can be delegated. A single wildcard character (\*) is permitted when specifying the SPN.
See the **Allow Delegating Fresh Credentials** policy setting description for examples. |
+| Deny Delegating Fresh Credentials
**DenyFreshCredentials** | Not configured | This policy setting applies to applications that use the CredSSP component (for example, Remote Desktop).
**Enabled**: You can specify the servers where the user's fresh credentials can't be delegated.
**Disabled** or **Not configured**: A server is not specified.
**Note**: This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can't be delegated. A single wildcard character (\*) is permitted when specifying the SPN.
For examples, see the "Allow delegating fresh credentials" policy setting. |
-| Group Policy setting and registry key | Default | Description |
-|----------------------------------------------------------------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Allow Delegating Fresh Credentials
**AllowFreshCredentials** | Not configured | This policy setting applies:
When server authentication was achieved through a trusted X509 certificate or Kerberos protocol.
To applications that use the CredSSP component (for example, Remote Desktop Services).
**Enabled**: You can specify the servers where the user's fresh credentials can be delegated.
**Not configured**: After proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Services running on any computer.
**Disabled**: Delegation of fresh credentials to any computer isn't permitted.
**Note**: This policy setting can be set to one or more service principal names (SPNs). The SPN represents the target server where the user credentials can be delegated. A single wildcard character is permitted when specifying the SPN, for example:
Use \*TERMSRV/\*\* for Remote Desktop Session Host (RD Session Host) running on any computer.
Use *TERMSRV/host.humanresources.fabrikam.com* for RD Session Host running on the host.humanresources.fabrikam.com computer.
Use *TERMSRV/\*.humanresources.fabrikam.com* for RD Session Host running on all computers in .humanresources.fabrikam.com |
-| Allow Delegating Fresh Credentials with NTLM-only Server Authentication
**AllowFreshCredentialsWhenNTLMOnly** | Not configured | This policy setting applies:
When server authentication was achieved by using NTLM.
To applications that use the CredSSP component (for example, Remote Desktop).
**Enabled**: You can specify the servers where the user's fresh credentials can be delegated.
**Not configured**: After proper mutual authentication, delegation of fresh credentials is permitted to RD Session Host running on any computer (TERMSRV/\*).
**Disabled**: Delegation of fresh credentials isn't permitted to any computer.
**Note**: This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can be delegated. A single wildcard character (\*) is permitted when specifying the SPN.
See the **Allow Delegating Fresh Credentials** policy setting description for examples. |
-| Deny Delegating Fresh Credentials
**DenyFreshCredentials** | Not configured | This policy setting applies to applications that use the CredSSP component (for example, Remote Desktop).
**Enabled**: You can specify the servers where the user's fresh credentials can't be delegated.
**Disabled** or **Not configured**: A server is not specified.
**Note**: This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can't be delegated. A single wildcard character (\*) is permitted when specifying the SPN.
For examples, see the "Allow delegating fresh credentials" policy setting. |
+If you're using Remote Desktop Services with smart card logon, you can't delegate default and saved credentials. The registry keys in the following table, which are at `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Credssp\PolicyDefaults`, and the corresponding Group Policy settings are ignored.
-If you're using Remote Desktop Services with smart card logon, you can't delegate default and saved credentials. The registry keys in the following table, which are at **HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults**, and the corresponding Group Policy settings are ignored.
-
-| **Registry key** | **Corresponding Group Policy setting** |
-|-------------------------------------|---------------------------------------------------------------------------|
-| **AllowDefaultCredentials** | Allow Delegating Default Credentials |
+| Registry Key| **Corresponding Group Policy setting** |
+|--|--|
+| **AllowDefaultCredentials** | Allow Delegating Default Credentials |
| **AllowDefaultCredentialsWhenNTLMOnly** | Allow Delegating Default Credentials with NTLM-only Server Authentication |
-| **AllowSavedCredentials** | Allow Delegating Saved Credentials |
-| **AllowSavedCredentialsWhenNTLMOnly** | Allow Delegating Saved Credentials with NTLM-only Server Authentication |
+| **AllowSavedCredentials** | Allow Delegating Saved Credentials |
+| **AllowSavedCredentialsWhenNTLMOnly** | Allow Delegating Saved Credentials with NTLM-only Server Authentication |
## See also
diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
index 5ad7eb1205..6727a73a66 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
@@ -1,25 +1,19 @@
---
title: How Smart Card Sign-in Works in Windows
description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system.
-ms.reviewer: ardenw
ms.topic: overview
-ms.date: 09/24/2021
+ms.date: 11/22/2023
---
# How Smart Card Sign-in Works in Windows
This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. It includes the following resources about the architecture, certificate management, and services that are related to smart card use:
-- [Smart Card Architecture](smart-card-architecture.md): Learn about enabling communications with smart cards and smart card readers, which can be different according to the vendor that supplies them.
+- [Smart Card Architecture](smart-card-architecture.md): Learn about enabling communications with smart cards and smart card readers, which can be different according to the vendor that supplies them
+- [Certificate Requirements and Enumeration](smart-card-certificate-requirements-and-enumeration.md): Learn about requirements for smart card certificates based on the operating system, and about the operations that are performed by the operating system when a smart card is inserted into the computer
+- [Smart Card and Remote Desktop Services](smart-card-and-remote-desktop-services.md): Learn about using smart cards for remote desktop connections
+- [Smart Cards for Windows Service](smart-card-smart-cards-for-windows-service.md): Learn about how the Smart Cards for Windows service is implemented
+- [Certificate Propagation Service](smart-card-certificate-propagation-service.md): Learn about how the certificate propagation service works when a smart card is inserted into a computer
+- [Smart Card Removal Policy Service](smart-card-removal-policy-service.md): Learn about using Group Policy to control what happens when a user removes a smart card
-- [Certificate Requirements and Enumeration](smart-card-certificate-requirements-and-enumeration.md): Learn about requirements for smart card certificates based on the operating system, and about the operations that are performed by the operating system when a smart card is inserted into the computer.
-
-- [Smart Card and Remote Desktop Services](smart-card-and-remote-desktop-services.md): Learn about using smart cards for remote desktop connections.
-
-- [Smart Cards for Windows Service](smart-card-smart-cards-for-windows-service.md): Learn about how the Smart Cards for Windows service is implemented.
-
-- [Certificate Propagation Service](smart-card-certificate-propagation-service.md): Learn about how the certificate propagation service works when a smart card is inserted into a computer.
-
-- [Smart Card Removal Policy Service](smart-card-removal-policy-service.md): Learn about using Group Policy to control what happens when a user removes a smart card.
-
-[!INCLUDE [smart-cards-for-windows-service](../../../../includes/licensing/smart-cards-for-windows-service.md)]
\ No newline at end of file
+[!INCLUDE [smart-cards-for-windows-service](../../../../includes/licensing/smart-cards-for-windows-service.md)]
diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
index 4b9fd9a3fd..7709e7524f 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
@@ -1,30 +1,24 @@
---
title: Smart Card Removal Policy Service
description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
-ms.reviewer: ardenw
ms.topic: concept-article
-ms.date: 09/24/2021
+ms.date: 11/22/2023
---
# Smart Card Removal Policy Service
-This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
+This article describes the role of the removal policy service (`ScPolicySvc`) in smart card implementations.
-The smart card removal policy service is applicable when a user has signed in with a smart card and then removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
+The smart card removal policy service is applicable when a user signs in with a smart card and then removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by group policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
-**Smart card removal policy service**
+
-
+The numbers in the diagram represent the following actions:
-The numbers in the previous figure represent the following actions:
-
-1. Winlogon is not directly involved in monitoring for smart card removal events. The sequence of steps that are involved when a smart card is removed begins with the smart card credential provider in the sign-in UI process. When a user successfully signs in with a smart card, the smart card credential provider captures the reader name. This information is then stored in the registry with the session identifier where the sign-in was initiated.
-
-2. The smart card resource manager service notifies the smart card removal policy service that a sign-in has occurred.
-
-3. ScPolicySvc retrieves the smart card information that the smart card credential provider stored in the registry. This call is redirected if the user is in a remote session. If the smart card is removed, ScPolicySvc is notified.
-
-4. ScPolicySvc calls Remote Desktop Services to take the appropriate action if the request is to sign out the user or to disconnect the user's session, which might result in data loss. If the setting is configured to lock the computer when the smart card is removed, ScPolicySvc sends a message to Winlogon to lock the computer.
+1. `Winlogon` isn't directly involved in monitoring for smart card removal events. The sequence of steps that are involved when a smart card is removed begins with the smart card credential provider in the sign-in UI process. When a user successfully signs in with a smart card, the smart card credential provider captures the reader name. This information is then stored in the registry with the session identifier where the sign-in was initiated
+1. The smart card resource manager service notifies the smart card removal policy service that a sign-in occurred
+1. `ScPolicySvc` retrieves the smart card information that the smart card credential provider stored in the registry. This call is redirected if the user is in a remote session. If the smart card is removed, `ScPolicySvc` is notified
+1. `ScPolicySvc` calls Remote Desktop Services to take the appropriate action if the request is to sign out the user or to disconnect the user's session, which might result in data loss. If the setting is configured to lock the computer when the smart card is removed, `ScPolicySvc` sends a message to Winlogon to lock the computer.
## See also
diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
index 2604d84270..cf988e8549 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
@@ -1,9 +1,8 @@
---
title: Smart Cards for Windows Service
description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions.
-ms.reviewer: ardenw
ms.topic: concept-article
-ms.date: 09/24/2021
+ms.date: 11/22/2023
---
# Smart Cards for Windows Service
@@ -69,34 +68,31 @@ The Smart Cards for Windows service runs in the context of a local service, and
```
-> **Note** For winscard.dll to be invoked as the proper class installer, the INF file for a smart card reader must specify the following for **Class** and **ClassGUID**:
-`Class=SmartCardReader`
`ClassGuid={50DD5230-BA8A-11D1-BF5D-0000F805F530}`
+> [!NOTE]
+> For winscard.dll to be invoked as the proper class installer, the INF file for a smart card reader must specify the following for **Class** and **ClassGUID**:
+>
+> `Class=SmartCardReader`
+> `ClassGuid={50DD5230-BA8A-11D1-BF5D-0000F805F530}`
By default, the service is configured for manual mode. Creators of smart card reader drivers must configure their INFs so that they start the service automatically and winscard.dll files call a predefined entry point to start the service during installation. The entry point is defined as part of the **SmartCardReader** class, and it is not called directly. If a device advertises itself as part of this class, the entry point is automatically invoked to start the service when the device is inserted. Using this method ensures that the service is enabled when it is needed, but it is also disabled for users who do not use smart cards.
When the service is started, it performs several functions:
-1. It registers itself for service notifications.
+1. It registers itself for service notifications
+1. It registers itself for Plug and Play (PnP) notifications related to device removal and additions
+1. It initializes its data cache and a global event that signals that the service has started
-2. It registers itself for Plug and Play (PnP) notifications related to device removal and additions.
-
-3. It initializes its data cache and a global event that signals that the service has started.
-
-> **Note** For smart card implementations, consider sending all communications in Windows operating systems with smart card readers through the Smart Cards for Windows service. This provides an interface to track, select, and communicate with all drivers that declare themselves members of the smart card reader device group.
+> [!NOTE]
+> For smart card implementations, consider sending all communications in Windows operating systems with smart card readers through the Smart Cards for Windows service. This provides an interface to track, select, and communicate with all drivers that declare themselves members of the smart card reader device group.
The Smart Cards for Windows service categorizes each smart card reader slot as a unique reader, and each slot is also managed separately, regardless of the device's physical characteristics. The Smart Cards for Windows service handles the following high-level actions:
-- Device introduction
-
-- Reader initialization
-
-- Notifying clients of new readers
-
-- Serializing access to readers
-
-- Smart card access
-
-- Tunneling of reader-specific commands
+- Device introduction
+- Reader initialization
+- Notifying clients of new readers
+- Serializing access to readers
+- Smart card access
+- Tunneling of reader-specific commands
## See also
diff --git a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
index f18465fff3..63cb9feca0 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
@@ -1,9 +1,8 @@
---
title: Smart Card Tools and Settings
description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
-ms.reviewer: ardenw
ms.topic: conceptual
-ms.date: 09/24/2021
+ms.date: 11/22/2023
---
# Smart Card Tools and Settings
@@ -12,11 +11,9 @@ This topic for the IT professional and smart card developer links to information
This section of the Smart Card Technical Reference contains information about the following:
-- [Smart Cards Debugging Information](smart-card-debugging-information.md): Learn about tools and services in supported versions of Windows to help identify certificate issues.
-
-- [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md): Learn about smart card-related Group Policy settings and registry keys that can be set on a per-computer basis, including how to edit and apply Group Policy settings to local or domain computers.
-
-- [Smart Card Events](smart-card-events.md): Learn about events that can be used to manage smart cards in an organization, including how to monitor installation, use, and errors.
+- [Smart Cards Debugging Information](smart-card-debugging-information.md): Learn about tools and services in supported versions of Windows to help identify certificate issues
+- [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md): Learn about smart card-related Group Policy settings and registry keys that can be set on a per-computer basis, including how to edit and apply Group Policy settings to local or domain computers
+- [Smart Card Events](smart-card-events.md): Learn about events that can be used to manage smart cards in an organization, including how to monitor installation, use, and errors
## See also
diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
index a7e5247fcc..da1a559648 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
@@ -1,9 +1,8 @@
---
title: Smart Card Technical Reference
description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows.
-ms.reviewer: ardenw
-ms.topic: reference
-ms.date: 09/24/2021
+ms.topic: overview
+ms.date: 11/22/2023
---
# Smart Card Technical Reference
@@ -14,9 +13,8 @@ The Smart Card Technical Reference describes the Windows smart card infrastructu
This document explains how the Windows smart card infrastructure works. To understand this information, you should have basic knowledge of public key infrastructure (PKI) and smart card concepts. This document is intended for:
-- Enterprise IT developers, managers, and staff who are planning to deploy or are using smart cards in their organization.
-
-- Smart card vendors who write smart card minidrivers or credential providers.
+- Enterprise IT developers, managers, and staff who are planning to deploy or are using smart cards in their organization.
+- Smart card vendors who write smart card minidrivers or credential providers.
## What are smart cards?
@@ -24,40 +22,28 @@ Smart cards are tamper-resistant portable storage devices that can enhance the s
Smart cards provide:
-- Tamper-resistant storage for protecting private keys and other forms of personal information.
-
-- Isolation of security-critical computations that involve authentication, digital signatures, and key exchange from other parts of the computer. These computations are performed on the smart card.
-
-- Portability of credentials and other private information between computers at work, home, or on the road.
+- Tamper-resistant storage for protecting private keys and other forms of personal information
+- Isolation of security-critical computations that involve authentication, digital signatures, and key exchange from other parts of the computer. These computations are performed on the smart card
+- Portability of credentials and other private information between computers at work, home, or on the road
Smart cards can be used to sign in to domain accounts only, not local accounts. When you use a password to sign in interactively to a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates.
-**Virtual smart cards** were introduced in Windows Server 2012 and Windows 8 to alleviate the need for a physical smart card, the smart card reader, and the associated administration of that hardware.
+Virtual smart cards were introduced to alleviate the need for a physical smart card, the smart card reader, and the associated administration of that hardware.
[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
## In this technical reference
-This reference contains the following topics.
+This reference contains the following topics:
-- [How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
-
- - [Smart Card Architecture](smart-card-architecture.md)
-
- - [Certificate Requirements and Enumeration](smart-card-certificate-requirements-and-enumeration.md)
-
- - [Smart Card and Remote Desktop Services](smart-card-and-remote-desktop-services.md)
-
- - [Smart Cards for Windows Service](smart-card-smart-cards-for-windows-service.md)
-
- - [Certificate Propagation Service](smart-card-certificate-propagation-service.md)
-
- - [Smart Card Removal Policy Service](smart-card-removal-policy-service.md)
-
-- [Smart Card Tools and Settings](smart-card-tools-and-settings.md)
-
- - [Smart Cards Debugging Information](smart-card-debugging-information.md)
-
- - [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md)
-
- - [Smart Card Events](smart-card-events.md)
+- [How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
+ - [Smart Card Architecture](smart-card-architecture.md)
+ - [Certificate Requirements and Enumeration](smart-card-certificate-requirements-and-enumeration.md)
+ - [Smart Card and Remote Desktop Services](smart-card-and-remote-desktop-services.md)
+ - [Smart Cards for Windows Service](smart-card-smart-cards-for-windows-service.md)
+ - [Certificate Propagation Service](smart-card-certificate-propagation-service.md)
+ - [Smart Card Removal Policy Service](smart-card-removal-policy-service.md)
+- [Smart Card Tools and Settings](smart-card-tools-and-settings.md)
+ - [Smart Cards Debugging Information](smart-card-debugging-information.md)
+ - [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md)
+ - [Smart Card Events](smart-card-events.md)
diff --git a/windows/security/identity-protection/smart-cards/toc.yml b/windows/security/identity-protection/smart-cards/toc.yml
index 0d82f8c3a7..bca4cb0bbd 100644
--- a/windows/security/identity-protection/smart-cards/toc.yml
+++ b/windows/security/identity-protection/smart-cards/toc.yml
@@ -1,28 +1,27 @@
items:
-- name: Smart Card Technical Reference
+- name: Smart card technical reference
href: smart-card-windows-smart-card-technical-reference.md
+- name: How smart card sign-in works
+ href: smart-card-how-smart-card-sign-in-works-in-windows.md
items:
- - name: How Smart Card Sign-in Works in Windows
- href: smart-card-how-smart-card-sign-in-works-in-windows.md
- items:
- - name: Smart Card Architecture
- href: smart-card-architecture.md
- - name: Certificate Requirements and Enumeration
- href: smart-card-certificate-requirements-and-enumeration.md
- - name: Smart Card and Remote Desktop Services
- href: smart-card-and-remote-desktop-services.md
- - name: Smart Cards for Windows Service
- href: smart-card-smart-cards-for-windows-service.md
- - name: Certificate Propagation Service
- href: smart-card-certificate-propagation-service.md
- - name: Smart Card Removal Policy Service
- href: smart-card-removal-policy-service.md
- - name: Smart Card Tools and Settings
- href: smart-card-tools-and-settings.md
- items:
- - name: Smart Cards Debugging Information
- href: smart-card-debugging-information.md
- - name: Smart Card Group Policy and Registry Settings
- href: smart-card-group-policy-and-registry-settings.md
- - name: Smart Card Events
- href: smart-card-events.md
\ No newline at end of file
+ - name: Smart card architecture
+ href: smart-card-architecture.md
+ - name: Certificate requirements and enumeration
+ href: smart-card-certificate-requirements-and-enumeration.md
+ - name: Smart card and Remote Desktop Services
+ href: smart-card-and-remote-desktop-services.md
+ - name: Smart cards for Windows Service
+ href: smart-card-smart-cards-for-windows-service.md
+ - name: Certificate Propagation Service
+ href: smart-card-certificate-propagation-service.md
+ - name: Smart card Removal Policy Service
+ href: smart-card-removal-policy-service.md
+- name: Smart Card tools and settings
+ href: smart-card-tools-and-settings.md
+ items:
+ - name: Smart cards debugging information
+ href: smart-card-debugging-information.md
+ - name: Smart card group policy and registry settings
+ href: smart-card-group-policy-and-registry-settings.md
+ - name: Smart card events
+ href: smart-card-events.md
\ No newline at end of file
diff --git a/windows/security/identity-protection/toc.yml b/windows/security/identity-protection/toc.yml
index 5762bfaf81..26eafa1368 100644
--- a/windows/security/identity-protection/toc.yml
+++ b/windows/security/identity-protection/toc.yml
@@ -24,7 +24,7 @@ items:
href: enterprise-certificate-pinning.md
- name: Web sign-in
href: web-sign-in/index.md
- - name: Federated sign-in 🔗
+ - name: Federated sign-in (EDU) 🔗
href: /education/windows/federated-sign-in
- name: Advanced credential protection
items:
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/virtual-smart-card-icon.svg b/windows/security/identity-protection/virtual-smart-cards/images/virtual-smart-card-icon.svg
new file mode 100644
index 0000000000..02fb8d7434
--- /dev/null
+++ b/windows/security/identity-protection/virtual-smart-cards/images/virtual-smart-card-icon.svg
@@ -0,0 +1,4 @@
+
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-02-mmc-add-snap-in.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-02-mmc-add-snap-in.png
deleted file mode 100644
index 2d626ecf94..0000000000
Binary files a/windows/security/identity-protection/virtual-smart-cards/images/vsc-02-mmc-add-snap-in.png and /dev/null differ
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-03-add-certificate-templates-snap-in.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-03-add-certificate-templates-snap-in.png
deleted file mode 100644
index e5c40ce136..0000000000
Binary files a/windows/security/identity-protection/virtual-smart-cards/images/vsc-03-add-certificate-templates-snap-in.png and /dev/null differ
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-04-right-click-smartcard-logon-template.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-04-right-click-smartcard-logon-template.png
deleted file mode 100644
index b6fa6b75ba..0000000000
Binary files a/windows/security/identity-protection/virtual-smart-cards/images/vsc-04-right-click-smartcard-logon-template.png and /dev/null differ
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-05-certificate-template-compatibility.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-05-certificate-template-compatibility.png
deleted file mode 100644
index 110fb05099..0000000000
Binary files a/windows/security/identity-protection/virtual-smart-cards/images/vsc-05-certificate-template-compatibility.png and /dev/null differ
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-06-add-certification-authority-snap-in.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-06-add-certification-authority-snap-in.png
deleted file mode 100644
index f770d2f259..0000000000
Binary files a/windows/security/identity-protection/virtual-smart-cards/images/vsc-06-add-certification-authority-snap-in.png and /dev/null differ
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-07-right-click-certificate-templates.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-07-right-click-certificate-templates.png
deleted file mode 100644
index 893abc8f34..0000000000
Binary files a/windows/security/identity-protection/virtual-smart-cards/images/vsc-07-right-click-certificate-templates.png and /dev/null differ
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-08-enable-certificate-template.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-08-enable-certificate-template.png
deleted file mode 100644
index f060ca7e3e..0000000000
Binary files a/windows/security/identity-protection/virtual-smart-cards/images/vsc-08-enable-certificate-template.png and /dev/null differ
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-09-stop-service-start-service.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-09-stop-service-start-service.png
deleted file mode 100644
index 4f3a65766f..0000000000
Binary files a/windows/security/identity-protection/virtual-smart-cards/images/vsc-09-stop-service-start-service.png and /dev/null differ
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-10-cmd-run-as-administrator.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-10-cmd-run-as-administrator.png
deleted file mode 100644
index b9a6538540..0000000000
Binary files a/windows/security/identity-protection/virtual-smart-cards/images/vsc-10-cmd-run-as-administrator.png and /dev/null differ
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-11-certificates-request-new-certificate.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-11-certificates-request-new-certificate.png
deleted file mode 100644
index 4eeba26de7..0000000000
Binary files a/windows/security/identity-protection/virtual-smart-cards/images/vsc-11-certificates-request-new-certificate.png and /dev/null differ
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-12-certificate-enrollment-select-certificate.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-12-certificate-enrollment-select-certificate.png
deleted file mode 100644
index b8fb5e9635..0000000000
Binary files a/windows/security/identity-protection/virtual-smart-cards/images/vsc-12-certificate-enrollment-select-certificate.png and /dev/null differ
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-virtual-smart-card-icon.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-virtual-smart-card-icon.png
deleted file mode 100644
index 4614d7684b..0000000000
Binary files a/windows/security/identity-protection/virtual-smart-cards/images/vsc-virtual-smart-card-icon.png and /dev/null differ
diff --git a/windows/security/identity-protection/virtual-smart-cards/toc.yml b/windows/security/identity-protection/virtual-smart-cards/toc.yml
index 68842b6001..0eec1122c0 100644
--- a/windows/security/identity-protection/virtual-smart-cards/toc.yml
+++ b/windows/security/identity-protection/virtual-smart-cards/toc.yml
@@ -1,17 +1,15 @@
items:
- name: Virtual Smart Card overview
href: virtual-smart-card-overview.md
- items:
- - name: Understand and evaluate virtual smart cards
- href: virtual-smart-card-understanding-and-evaluating.md
- items:
- - name: Get started with virtual smart cards
- href: virtual-smart-card-get-started.md
- - name: Use virtual smart cards
- href: virtual-smart-card-use-virtual-smart-cards.md
- - name: Deploy virtual smart cards
- href: virtual-smart-card-deploy-virtual-smart-cards.md
- - name: Evaluate virtual smart card security
- href: virtual-smart-card-evaluate-security.md
- - name: Tpmvscmgr
- href: virtual-smart-card-tpmvscmgr.md
\ No newline at end of file
+- name: Understand and evaluate virtual smart cards
+ href: virtual-smart-card-understanding-and-evaluating.md
+- name: Get started with virtual smart cards
+ href: virtual-smart-card-get-started.md
+- name: Use virtual smart cards
+ href: virtual-smart-card-use-virtual-smart-cards.md
+- name: Deploy virtual smart cards
+ href: virtual-smart-card-deploy-virtual-smart-cards.md
+- name: Evaluate virtual smart card security
+ href: virtual-smart-card-evaluate-security.md
+- name: Tpmvscmgr
+ href: virtual-smart-card-tpmvscmgr.md
\ No newline at end of file
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
index b20f03522b..9b7ee29239 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
@@ -2,7 +2,7 @@
title: Deploy Virtual Smart Cards
description: Learn about what to consider when deploying a virtual smart card authentication solution
ms.topic: conceptual
-ms.date: 02/22/2023
+ms.date: 11/06/2023
---
# Deploy Virtual Smart Cards
@@ -19,11 +19,9 @@ A device manufacturer creates physical devices, and then an organization purchas
This topic contains information about the following phases in a virtual smart card lifecycle:
-- [Create and personalize virtual smart cards](#create-and-personalize-virtual-smart-cards)
-
-- [Provision virtual smart cards](#provision-virtual-smart-cards)
-
-- [Maintain virtual smart cards](#maintain-virtual-smart-cards)
+- [Create and personalize virtual smart cards](#create-and-personalize-virtual-smart-cards)
+- [Provision virtual smart cards](#provision-virtual-smart-cards)
+- [Maintain virtual smart cards](#maintain-virtual-smart-cards)
## Create and personalize virtual smart cards
@@ -54,9 +52,7 @@ A virtual smart card appears within the operating system as a physical smart car
- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it can't be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user can't reverse engineer an identical TPM or install the same TPM on a different computer.
For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
-
- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that is offered by physical smart cards, which is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM.
-
- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for some time instead of blocking the card. This is also known as lockout.
For more information, see [Blocked virtual smart card](#blocked-virtual-smart-card) and [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
@@ -70,12 +66,9 @@ During virtual smart card personalization, the values for the administrator key,
Because the administrator key is critical to the security of the card, it's important to consider the deployment environment and decide on the proper administrator key setting strategy. Options for these strategies include:
-- **Uniform**: Administrator keys for all the virtual smart cards deployed in the organization are the same. Although using the same key makes the maintenance infrastructure easy (only one key needs to be stored), it's highly insecure. This strategy might be sufficient for small organizations, but if the administrator key is compromised, all virtual smart cards that use the key must be reissued.
-
-- **Random, not stored**: Administrator keys are assigned randomly for all virtual smart cards, and they aren't recorded. This is a valid option if the deployment administrators don't require the ability to reset PINs, and instead prefer to delete and reissue virtual smart cards. This is a viable strategy if the administrator prefers to set PUK values for the virtual smart cards and then use this value to reset PINs, if necessary.
-
-- **Random, stored**: you assign the administrator keys randomly, storing them in a central location. Each card's security is independent of the others. This is a secure strategy on a large scale, unless the administrator key database is compromised.
-
+- **Uniform**: Administrator keys for all the virtual smart cards deployed in the organization are the same. Although using the same key makes the maintenance infrastructure easy (only one key needs to be stored), it's highly insecure. This strategy might be sufficient for small organizations, but if the administrator key is compromised, all virtual smart cards that use the key must be reissued
+- **Random, not stored**: Administrator keys are assigned randomly for all virtual smart cards, and they aren't recorded. This is a valid option if the deployment administrators don't require the ability to reset PINs, and instead prefer to delete and reissue virtual smart cards. This is a viable strategy if the administrator prefers to set PUK values for the virtual smart cards and then use this value to reset PINs, if necessary
+- **Random, stored**: you assign the administrator keys randomly, storing them in a central location. Each card's security is independent of the others. This is a secure strategy on a large scale, unless the administrator key database is compromised
- **Deterministic**: Administrator keys are the result of some function or known information. For example, the user ID could be used to randomly generate data that can be further processed through a symmetric encryption algorithm by using a secret. This administrator key can be similarly regenerated when needed, and it doesn't need to be stored. The security of this method relies on the security of the secret used.
Although the PUK and the administrator key methodologies provide unlocking and resetting functionality, they do so in different ways. The PUK is a PIN that is entered on the computer to enable a user PIN reset.
@@ -112,9 +105,8 @@ You can use APIs to build Microsoft Store apps that you can use to manage the fu
When a device or computer isn't joined to a domain, the TPM ownerAuth is stored in the registry under HKEY\_LOCAL\_MACHINE. This exposes some threats. Most of the threat vectors are protected by BitLocker, but threats that aren't protected include:
-- A malicious user possesses a device that has an active local sign-in session before the device locks. The malicious user could attempt a brute-force attack on the virtual smart card PIN, and then access the corporate secrets.
-
-- A malicious user possesses a device that has an active virtual private network (VPN) session. The device is then compromised.
+- A malicious user possesses a device that has an active local sign-in session before the device locks. The malicious user could attempt a brute-force attack on the virtual smart card PIN, and then access the corporate secrets
+- A malicious user possesses a device that has an active virtual private network (VPN) session. The device is then compromised
The proposed mitigation for the previous scenarios is to use Exchange ActiveSync (EAS) policies to reduce the automatic lockout time from five minutes to 30 seconds of inactivity. You can set policies for automatic lockout while provisioning virtual smart cards. If an organization wants more security, they can also configure a setting to remove the ownerAuth from the local device.
@@ -165,7 +157,7 @@ Similar to physical smart cards, virtual smart cards require certificate enrollm
#### Certificate issuance
-Users can enroll for certificates from within a remote desktop session that is established to provision the card. This process can also be managed by the smart card management tool that the user runs through the remote desktop connection. This model works for deployments that require the user to sign a request for enrollment by using a physical smart card. The driver for the physical smart card doesn't need to be installed on the client computer if it's installed on the remote computer. This is made possible by smart card redirection functionality that was introduced in Windows Server 2003, which ensures that smart cards that are connected to the client computer are available for use during a remote session.
+Users can enroll for certificates from within a remote desktop session that is established to provision the card. This process can also be managed by the smart card management tool that the user runs through the remote desktop connection. This model works for deployments that require the user to sign a request for enrollment by using a physical smart card. The driver for the physical smart card doesn't need to be installed on the client computer if it's installed on the remote computer. This is made possible by smart card redirection functionality, which ensures that smart cards that are connected to the client computer are available for use during a remote session.
Alternatively, without establishing a remote desktop connection, users can enroll for certificates from the Certificate Management console (certmgr.msc) on a client computer. Users can also create a request and submit it to a server from within a custom certificate enrollment application (for example, a registration authority) that has controlled access to the certification authority (CA). This requires specific enterprise configuration and deployments for Certificate Enrollment Policies (CEP) and Certificate Enrollment Services (CES).
@@ -189,11 +181,11 @@ This command creates a card with a randomized administrator key. The key is auto
`tpmvscmgr.exe destroy /instance
Windows Server 2012 R2
Windows Server 2012
Windows 10
Windows 8.1
Windows 8 |
-| Supported Trusted Platform Module (TPM) | Any TPM that adheres to the TPM main specifications for version 1.2 or version 2.0 (as set by the Trusted Computing Group) is supported for use as a virtual smart card. For more information, see the [TPM Main Specification](http://www.trustedcomputinggroup.org/resources/tpm_main_specification). |
-| Supported virtual smart cards per computer | Ten smart cards can be connected to a computer or device at one time. This includes physical and virtual smart cards combined.
**Note**
You can create more than one virtual smart card; however, after creating more than four virtual smart cards, you may start to notice performance degradation. Because all smart cards appear as if they're always inserted, if more than one person shares a computer or device, each person can see all the virtual smart cards that are created on that computer or device. If the user knows the PIN values for all the virtual smart cards, the user will also be able to use them.
|
-| Supported number of certificates on a virtual smart card | A single TPM virtual smart card can contain 30 distinct certificates with the corresponding private keys. Users can continue to renew certificates on the card until the total number of certificates on a card exceeds 90. The reason that the total number of certificates is different from the total number of private keys is that sometimes the renewal can be done with the same private key—in which case a new private key isn't generated. |
-| PIN, PIN Unlock Key (PUK), and Administrative key requirements | The PIN and the PUK must be a minimum of eight characters that can include numerals, alphabetic characters, and special characters.
The Administrative key must be entered as 48 hexadecimal characters. It's a 3-key triple DES with ISO/IEC 9797 padding method 2 in CBC chaining mode. |
+| Area | Requirements and details |
+|--|--|
+| Supported Trusted Platform Module (TPM) | Any TPM that adheres to the TPM main specifications for version 1.2 or version 2.0 (as set by the Trusted Computing Group) is supported for use as a virtual smart card. For more information, see the [TPM Main Specification](http://www.trustedcomputinggroup.org/resources/tpm_main_specification). |
+| Supported virtual smart cards per computer | Ten smart cards can be connected to a computer or device at one time. This includes physical and virtual smart cards combined.
**Note**
You can create more than one virtual smart card; however, after creating more than four virtual smart cards, you may start to notice performance degradation. Because all smart cards appear as if they're always inserted, if more than one person shares a computer or device, each person can see all the virtual smart cards that are created on that computer or device. If the user knows the PIN values for all the virtual smart cards, the user will also be able to use them.
|
+| Supported number of certificates on a virtual smart card | A single TPM virtual smart card can contain 30 distinct certificates with the corresponding private keys. Users can continue to renew certificates on the card until the total number of certificates on a card exceeds 90. The reason that the total number of certificates is different from the total number of private keys is that sometimes the renewal can be done with the same private key—in which case a new private key isn't generated. |
+| PIN, PIN Unlock Key (PUK), and Administrative key requirements | The PIN and the PUK must be a minimum of eight characters that can include numerals, alphabetic characters, and special characters.
The Administrative key must be entered as 48 hexadecimal characters. It's a 3-key triple DES with ISO/IEC 9797 padding method 2 in CBC chaining mode. |
## Using Tpmvscmgr.exe
@@ -29,63 +28,58 @@ To create and delete TPM virtual smart cards for end users, the Tpmvscmgr comman
Virtual smart cards can also be created and deleted by using APIs. For more information, see the following classes and interfaces:
-- [TpmVirtualSmartCardManager](/previous-versions/windows/desktop/legacy/hh707171(v=vs.85))
+- [TpmVirtualSmartCardManager](/previous-versions/windows/desktop/legacy/hh707171(v=vs.85))
+- [RemoteTpmVirtualSmartCardManager](/previous-versions/windows/desktop/legacy/hh707166(v=vs.85))
+- [ITpmVirtualSmartCardManager](/windows/win32/api/tpmvscmgr/nn-tpmvscmgr-itpmvirtualsmartcardmanager)
+- [ITPMVirtualSmartCardManagerStatusCallBack](/windows/win32/api/tpmvscmgr/nn-tpmvscmgr-itpmvirtualsmartcardmanagerstatuscallback)
-- [RemoteTpmVirtualSmartCardManager](/previous-versions/windows/desktop/legacy/hh707166(v=vs.85))
-
-- [ITpmVirtualSmartCardManager](/windows/win32/api/tpmvscmgr/nn-tpmvscmgr-itpmvirtualsmartcardmanager)
-
-- [ITPMVirtualSmartCardManagerStatusCallBack](/windows/win32/api/tpmvscmgr/nn-tpmvscmgr-itpmvirtualsmartcardmanagerstatuscallback)
-
-You can use APIs that were introduced in the Windows.Device.SmartCards namespace in Windows Server 2012 R2 and Windows 8.1 to build Microsoft Store apps to manage the full lifecycle of virtual smart cards. For information about how to build an app to do this, see [Strong Authentication: Building Apps That Leverage Virtual Smart Cards in Enterprise, BYOD, and Consumer Environments | Build 2013 | Channel 9](https://channel9.msdn.com/events/build/2013/2-041).
+You can use APIs in the `Windows.Device.SmartCards` namespace to build Microsoft Store apps to manage the full lifecycle of virtual smart cards. For information about how to build an app to do this, see [Strong Authentication: Building Apps That Leverage Virtual Smart Cards in Enterprise, BYOD, and Consumer Environments](https://channel9.msdn.com/events/build/2013/2-041).
The following table describes the features that can be developed in a Microsoft Store app:
-| Feature | Physical Smart Card | Virtual Smart Card |
-|----------------------------------------------|---------------------|--------------------|
-| Query and monitor smart card readers | Yes | Yes |
-| List available smart cards in a reader, and retrieve the card name and card ID | Yes | Yes |
-| Verify if the administrative key of a card is correct | Yes | Yes |
-| Provision (or reformat) a card with a given card ID | Yes | Yes |
-| Change the PIN by entering the old PIN and specifying a new PIN | Yes | Yes |
-| Change the administrative key, reset the PIN, or unblock the smart card by using a challenge/response method | Yes | Yes |
-| Create a virtual smart card | Not applicable | Yes |
-| Delete a virtual smart card | Not applicable | Yes |
-| Set PIN policies | No | Yes |
+| Feature | Physical Smart Card | Virtual Smart Card |
+|--|--|--|
+| Query and monitor smart card readers | Yes | Yes |
+| List available smart cards in a reader, and retrieve the card name and card ID | Yes | Yes |
+| Verify if the administrative key of a card is correct | Yes | Yes |
+| Provision (or reformat) a card with a given card ID | Yes | Yes |
+| Change the PIN by entering the old PIN and specifying a new PIN | Yes | Yes |
+| Change the administrative key, reset the PIN, or unblock the smart card by using a challenge/response method | Yes | Yes |
+| Create a virtual smart card | Not applicable | Yes |
+| Delete a virtual smart card | Not applicable | Yes |
+| Set PIN policies | No | Yes |
For more information about these Windows APIs, see:
-- [Windows.Devices.SmartCards namespace (Windows)](/uwp/api/Windows.Devices.SmartCards)
-
-- [Windows.Security.Cryptography.Certificates namespace (Windows)](/uwp/api/Windows.Security.Cryptography.Certificates)
+- [Windows.Devices.SmartCards namespace (Windows)](/uwp/api/Windows.Devices.SmartCards)
+- [Windows.Security.Cryptography.Certificates namespace (Windows)](/uwp/api/Windows.Security.Cryptography.Certificates)
## Distinguishing TPM-based virtual smart cards from physical smart cards
-To help users visually distinguish a Trusted Platform Module (TPM)-based virtual smart card from physical smart cards, the virtual smart card has a different icon. The following icon is displayed during sign-in, and on other screens that require the user to enter the PIN for a virtual smart card.
+To help users visually distinguish a Trusted Platform Module (TPM)-based virtual smart card from physical smart cards, the virtual smart card has a different icon. The virtual smart card icon :::image type="icon" source="images/virtual-smart-card-icon.svg" border="false"::: is displayed during sign-in, and on other screens that require the user to enter the PIN for a virtual smart card.
-
-
-A TPM-based virtual smart card is labeled **Security Device** in the user interface.
+A TPM-based virtual smart card is labeled *Security Device* in the user interface.
## Changing the PIN
The PIN for a virtual smart card can be changed by following these steps:
-- Sign in with the old PIN or password.
-- Press Ctrl+Alt+Del and choose **Change a password**.
-- Select **Sign-in Options**.
-- Select the virtual smart card icon.
-- Enter and confirm the new PIN.
+
+- Sign in with the old PIN or password
+- Press Ctrl+Alt+Del and select **Change a password**
+- Select **Sign-in Options**
+- Select the virtual smart card icon
+- Enter and confirm the new PIN
+
## Resolving issues
### TPM not provisioned
-For a TPM-based virtual smart card to function properly, a provisioned TPM must be available on the computer. If the TPM is disabled in the BIOS, or it isn't provisioned with full ownership and the storage root key, the TPM virtual smart card creation will fail.
+For a TPM-based virtual smart card to function properly, a provisioned TPM must be available on the computer:
-If the TPM is initialized after creating a virtual smart card, the card will no longer function, and it will need to be re-created.
-
-If the TPM ownership was established on a Windows Vista installation, the TPM won't be ready to use virtual smart cards. The system administrator needs to clear and initialize the TPM for it to be suitable for creating TPM virtual smart cards.
-
-If the operating system is reinstalled, prior TPM virtual smart cards are no longer available and need to be re-created. If the operating system is upgraded, prior TPM virtual smart cards will be available to use in the upgraded operating system.
+- If the TPM is disabled in the BIOS, or it isn't provisioned with full ownership and the storage root key, the TPM virtual smart card creation fails
+- If the TPM is initialized after creating a virtual smart card, the card will no longer function, and it must be re-created
+- If the operating system is reinstalled, prior TPM virtual smart cards are no longer available and need to be re-created
+- If the operating system is upgraded, prior TPM virtual smart cards are available to use in the upgraded operating system
### TPM in lockout state
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.gif b/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.gif
deleted file mode 100644
index 499f39dbb5..0000000000
Binary files a/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.gif and /dev/null differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.png b/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.png
deleted file mode 100644
index be213d4500..0000000000
Binary files a/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.png and /dev/null differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.gif b/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.gif
deleted file mode 100644
index 403c7fb609..0000000000
Binary files a/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.gif and /dev/null differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.png b/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.png
deleted file mode 100644
index f22395fbd7..0000000000
Binary files a/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.png and /dev/null differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.gif b/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.gif
deleted file mode 100644
index 9ae9f3c92f..0000000000
Binary files a/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.gif and /dev/null differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.png b/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.png
deleted file mode 100644
index e3b341d814..0000000000
Binary files a/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.png and /dev/null differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.gif b/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.gif
deleted file mode 100644
index b677b87480..0000000000
Binary files a/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.gif and /dev/null differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.png b/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.png
deleted file mode 100644
index 18c20dd4fd..0000000000
Binary files a/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.png and /dev/null differ
diff --git a/windows/security/identity-protection/web-sign-in/index.md b/windows/security/identity-protection/web-sign-in/index.md
index f13acff6dd..f4d5ddb8ce 100644
--- a/windows/security/identity-protection/web-sign-in/index.md
+++ b/windows/security/identity-protection/web-sign-in/index.md
@@ -1,12 +1,11 @@
---
title: Web sign-in for Windows
description: Learn how Web sign-in in Windows works, key scenarios, and how to configure it.
-ms.date: 09/27/2023
+ms.date: 12/11/2023
ms.topic: how-to
appliesto:
- ✅ Windows 11
ms.collection:
- - highpri
- tier1
---
@@ -28,12 +27,18 @@ To use web sign-in, the clients must meet the following prerequisites:
- Must be [Microsoft Entra joined](/entra/identity/devices/concept-directory-join)
- Must have Internet connectivity, as the authentication is done over the Internet
+> [!IMPORTANT]
+> Web sign-in is not supported for Microsoft Entra hybrid joined or domain joined devices.
+
[!INCLUDE [federated-sign-in](../../../../includes/licensing/web-sign-in.md)]
## Configure web sign-in
To use web sign-in, your devices must be configured with different policies. Review the following instructions to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
+> [!NOTE]
+> Web sign-in uses a system-managed local account called *WsiAccount*. The account is created automatically when you enable Web sign-in, and it's not displayed in the user selection list. Every time a user uses the Web sign-in credential provider, the *WsiAccount* account is enabled. After the user signs in, the account is disabled.
+
#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
@@ -72,17 +77,18 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the
Once the devices are configured, a new sign-in experience becomes available, as indicated by the presence of the Web sign-in credential provider :::image type="icon" source="images/web-sign-in-credential-provider.svg" border="false"::: in the Windows lock screen.
-:::image type="content" source="images/lock-screen.png" border="false" lightbox="images/lock-screen.png" alt-text="Screenshot of the Windows lock screen showing the Web sign-in credential provider.":::
+:::image type="content" source="images/lock-screen.png" border="false" alt-text="Screenshot of the Windows lock screen showing the Web sign-in credential provider.":::
Here's a list of key scenarios supported by Web sign-in, and a brief animation showing the user experience. Select the thumbnail to start the animation.
### Passwordless sign-in
+
:::row:::
- :::column span="3":::
+ :::column span="2":::
Users can sign in to Windows passwordless, even before enrolling in Windows Hello for Business. For example, by using the Microsoft Authenticator app as a sign-in method.
:::column-end:::
- :::column span="1":::
- :::image type="content" source="images/web-sign-in-authenticator.png" border="false" lightbox="images/web-sign-in-authenticator.gif" alt-text="Animation of the Web sign-in experience with Microsoft Authenticator.":::
+ :::column span="2":::
+ > [!VIDEO https://learn-video.azurefd.net/vod/player?id=974e445a-b78a-4555-86db-919473907535]
:::column-end:::
:::row-end:::
@@ -97,11 +103,11 @@ To learn more:
### Windows Hello for Business PIN reset
:::row:::
- :::column span="3":::
+ :::column span="2":::
The Windows Hello PIN reset flow is seamless and more robust than in previous versions.
:::column-end:::
- :::column span="1":::
- :::image type="content" source="images/web-sign-in-pin-reset.png" border="false" lightbox="images/web-sign-in-pin-reset.gif" alt-text="Animation of the PIN reset in experience.":::
+ :::column span="2":::
+ > [!VIDEO https://learn-video.azurefd.net/vod/player?id=310f7665-6276-4ad8-b76e-429073c10972]
:::column-end:::
:::row-end:::
@@ -110,36 +116,37 @@ For more information, see [PIN reset](../hello-for-business/hello-feature-pin-re
### Temporary Access Pass (TAP)
:::row:::
- :::column span="3":::
+ :::column span="2":::
A Temporary Access Pass (TAP) is a time-limited passcode granted by an administrator to a user. Users can sign in with a TAP using the Web sign-in credential provider. For example:
- to onboard Windows Hello for Business or a FIDO2 security key
- if lost or forgotten FIDO2 security key and unknown password
:::column-end:::
- :::column span="1":::
- :::image type="content" source="images/web-sign-in-tap.png" border="false" lightbox="images/web-sign-in-tap.gif" alt-text="Animation of the TAP sign in experience.":::
+ :::column span="2":::
+ > [!VIDEO https://learn-video.azurefd.net/vod/player?id=8d80bef4-96a8-4467-8e67-e0637bdabcd8]
:::column-end:::
:::row-end:::
For more information, see [Use a Temporary Access Pass][AAD-3].
-### Sign in with a federated identity
+### Federated authentication
:::row:::
- :::column span="3":::
+ :::column span="2":::
If the Microsoft Entra tenant is federated with a third-party SAML-P identity provider (IdP), federated users can sign using the Web sign-in credential provider.
:::column-end:::
- :::column span="1":::
- :::image type="content" source="images/web-sign-in-federated-auth.png" border="false" lightbox="images/web-sign-in-federated-auth.gif" alt-text="Animation of the sign in experience with a federated user.":::
+ :::column span="2":::
+ > [!VIDEO https://learn-video.azurefd.net/vod/player?id=88ad0efb-9031-428c-a3cf-612c47810ecf]
:::column-end:::
:::row-end:::
> [!TIP]
> To improve the user experience for federated identities:
>
-> - Configure the *preferred Microsoft Entra tenant name* feature, which allows users to select the domain name during the sign-in process. The users are then automatically redirected to the identity provider sign-in page.
> - Enable Windows Hello for Business. Once the user signs in, the user can enroll in Windows Hello for Business and then use it to sign in to the device
+> - Configure the *preferred Microsoft Entra tenant name* feature, which allows users to select the domain name during the sign-in process. The users are then automatically redirected to the identity provider sign-in page
+> :::image type="content" source="images/web-sign-in-preferred-tenant.png" alt-text="Screenshot of the Windows lock screen with preferred tenant configured.":::
For more information about preferred tenant name, see [Authentication CSP - PreferredAadTenantDomainName][WIN-1].
@@ -154,7 +161,7 @@ Here's a list of important considerations to keep in mind when configuring or us
### Known issues
-- If you attempt to sign in while the device is offline, you get the following message: *It doesn't look that you're connected to the Internet. Check your connection and try again*. Selecting the *Back to sign-in* option doesn't bring you back to the lock screen. As a workaround, you can press Ctrl+Alt+Delete to get back to the lock screen.
+- If you attempt to sign in while the device is offline, you get the following message: *It doesn't look like you're connected to the Internet. Check your connection and try again*. Selecting the *Back to sign-in* option doesn't bring you back to the lock screen. As a workaround, you can press Ctrl+Alt+Delete to get back to the lock screen.
### :::image type="icon" source="../../images/icons/feedback.svg" border="false"::: Provide feedback
diff --git a/windows/security/includes/sections/operating-system-security.md b/windows/security/includes/sections/operating-system-security.md
index 4a4ee4acf2..ea66bca2df 100644
--- a/windows/security/includes/sections/operating-system-security.md
+++ b/windows/security/includes/sections/operating-system-security.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 09/18/2023
+ms.date: 11/21/2023
ms.topic: include
---
@@ -10,8 +10,8 @@ ms.topic: include
| Feature name | Description |
|:---|:---|
| **[Secure Boot and Trusted Boot](/windows/security/operating-system-security/system-security/trusted-boot)** | Secure Boot and Trusted Boot help to prevent malware and corrupted components from loading when a device starts.
Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure the system boots up safely and securely. |
-| **[Measured boot](/windows/compatibility/measured-boot)** | Measured Boot measures all important code and configuration settings during the boot of Windows. This includes: the firmware, boot manager, hypervisor, kernel, secure kernel and operating system. Measured Boot stores the measurements in the TPM on the machine, and makes them available in a log that can be tested remotely to verify the boot state of the client.
The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components that started before it. The antimalware software can use the log to determine whether components that ran before it are trustworthy, or if they are infected with malware. The antimalware software on the local machine can send the log to a remote server for evaluation. The remote server may initiate remediation actions, either by interacting with software on the client, or through out-of-band mechanisms, as appropriate. |
-| **[Device health attestation service](/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)** | The Windows device health attestation process supports a zero-trust paradigm that shifts the focus from static, network-based perimeters, to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and have not been tampered with before they can access corporate resources. The determinations are made with data stored in the TPM, which provides a secure root of trust. The information is sent to an attestation service, such as Azure Attestation, to verify the device is in a trusted state. Then, an MDM tool like Microsoft Intune reviews device health and connects this information with Microsoft Entra ID for conditional access. |
+| **[Measured boot](/windows/compatibility/measured-boot)** | Measured Boot measures all important code and configuration settings during the boot of Windows. This includes: the firmware, boot manager, hypervisor, kernel, secure kernel and operating system. Measured Boot stores the measurements in the TPM on the machine, and makes them available in a log that can be tested remotely to verify the boot state of the client.
The Measured Boot feature provides anti-malware software with a trusted (resistant to spoofing and tampering) log of all boot components that started before it. The anti-malware software can use the log to determine whether components that ran before it are trustworthy, or if they're infected with malware. The anti-malware software on the local machine can send the log to a remote server for evaluation. The remote server may initiate remediation actions, either by interacting with software on the client, or through out-of-band mechanisms, as appropriate. |
+| **[Device health attestation service](/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)** | The Windows device health attestation process supports a zero-trust paradigm that shifts the focus from static, network-based perimeters, to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and haven't been tampered with before they can access corporate resources. The determinations are made with data stored in the TPM, which provides a secure root of trust. The information is sent to an attestation service, such as Azure Attestation, to verify the device is in a trusted state. Then, an MDM tool like Microsoft Intune reviews device health and connects this information with Microsoft Entra ID for conditional access. |
| **[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)** | Microsoft provides a robust set of security settings policies that IT administrators can use to protect Windows devices and other resources in their organization. |
| **[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)** | Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use: A single-app kiosk that runs a single Universal Windows Platform (UWP) app in full screen above the lock screen, or A multi-app kiosk that runs one or more apps from the desktop.
Kiosk configurations are based on Assigned Access, a feature in Windows that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. |
@@ -19,13 +19,13 @@ ms.topic: include
| Feature name | Description |
|:---|:---|
-| **[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)** | Microsoft Defender Antivirus is a protection solution included in all versions of Windows. From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help keep your device safe and protect it from threats. Microsoft Defender Antivirus includes real-time, behavior-based, and heuristic antivirus protection.
The combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA) which are applications that are deemed to negatively impact your device but are not considered malware. |
+| **[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)** | Microsoft Defender Antivirus is a protection solution included in all versions of Windows. From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help keep your device safe and protect it from threats. Microsoft Defender Antivirus includes real-time, behavior-based, and heuristic antivirus protection.
The combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA) which are applications that are deemed to negatively impact your device but aren't considered malware. |
| **[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)** | Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows logins. LSA handles tokens and credentials such as passwords that are used for single sign-on to a Microsoft account and Azure services. To help protect these credentials, additional LSA protection only allows loading of trusted, signed code and provides significant protection against Credential theft.
LSA protection is enabled by default on new, enterprise joined Windows 11 devices with added support for non-UEFI lock and policy management controls via MDM and group policy. |
| **[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)** | Attack surface reduction (ASR) rules help to prevent software behaviors that are often abused to compromise your device or network. By reducing the number of attack surfaces, you can reduce the overall vulnerability of your organization.
Administrators can configure specific ASR rules to help block certain behaviors, such as launching executable files and scripts that attempt to download or run files, running obfuscated or otherwise suspicious scripts, performing behaviors that apps don't usually initiate during normal day-to-day work. |
| **[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)** | Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities. |
-| **[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)** | You can protect your valuable information in specific folders by managing app access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Commonly used folders, such as those used for documents, pictures, downloads, are typically included in the list of controlled folders. Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders.
Controlled folder access helps to protect user's valuable data from malicious apps and threats, such as ransomware. |
+| **[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)** | You can protect your valuable information in specific folders by managing app access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Commonly used folders, such as those used for documents, pictures, downloads, are typically included in the list of controlled folders. Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that aren't included in the trusted list are prevented from making any changes to files inside protected folders.
Controlled folder access helps to protect user's valuable data from malicious apps and threats, such as ransomware. |
| **[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)** | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device, and then use MDM or group policy to distribute the configuration file to multiple devices. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors. |
-| **[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they are entering their credentials into a potentially risky location. IT can customize which notifications appear via MDM or group policy. The protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. |
+| **[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they're entering their credentials into a potentially risky location. IT can customize which notifications appear via MDM or group policy. The protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. |
| **[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)** | Microsoft Defender for Endpoint is an enterprise endpoint detection and response solution that helps security teams to detect, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents: endpoint behavioral sensors, cloud security analytics, threat intelligence and rich response capabilities. |
## Network security
@@ -33,11 +33,11 @@ ms.topic: include
| Feature name | Description |
|:---|:---|
| **[Transport Layer Security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)** | Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a network. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows 11. This version eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the TLS handshake as possible. The handshake is more performant with one fewer round trip per connection on average, and supports only five strong cipher suites which provide perfect forward secrecy and less operational risk. |
-| **[Domain Name System (DNS) security](/windows-server/networking/dns/doh-client-support)** | Starting in Windows 11, the Windows DNS client supports DNS over HTTPS (DoH), an encrypted DNS protocol. This allows administrators to ensure their devices protect DNS queries from on-path attackers, whether they are passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites.
In a zero-trust model where there is no trust placed in a network boundary, having a secure connection to a trusted name resolver is required. |
-| **Bluetooth pairing and connection protection** | The number of Bluetooth devices connected to Windows continues to increase. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG), Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that users ensure their firmware and/ or software of their Bluetooth accessories are kept up to date. |
-| **[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)** | Wi-Fi Protected Access (WPA) is a security certification programs designed to secure wireless networks. WPA3 is the latest version of the certification and provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes: WPA3 personal with the Hash-to-Element (H2E) protocol, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B.
Windows 11 also supports WFA defined WPA3 Enterprise that includes enhanced Server Cert validation and TLS 1.3 for authentication using EAP-TLS Authentication. |
+| **[Domain Name System (DNS) security](/windows-server/networking/dns/doh-client-support)** | Starting in Windows 11, the Windows DNS client supports DNS over HTTPS (DoH), an encrypted DNS protocol. This allows administrators to ensure their devices protect DNS queries from on-path attackers, whether they're passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites.
In a zero-trust model where there is no trust placed in a network boundary, having a secure connection to a trusted name resolver is required. |
+| **Bluetooth pairing and connection protection** | The number of Bluetooth devices connected to Windows continues to increase. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG), Standard Vulnerability Reports, and issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that users ensure their firmware and/ or software of their Bluetooth accessories are kept up to date. |
+| **[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)** | Wi-Fi Protected Access (WPA) is a security certification program designed to secure wireless networks. WPA3 is the latest version of the certification and provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes: WPA3 personal with the Hash-to-Element (H2E) protocol, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B.
Windows 11 also supports WFA defined WPA3 Enterprise that includes enhanced Server Cert validation and TLS 1.3 for authentication using EAP-TLS Authentication. |
| **Opportunistic Wireless Encryption (OWE)** | Opportunistic Wireless Encryption (OWE) is a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots. |
-| **[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security)** | Windows Firewall with Advanced Securityprovides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.
With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
+| **[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)** | Windows Firewall provides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.
With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there's no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
| **[Virtual private network (VPN)](/windows/security/operating-system-security/network-security/vpn/vpn-guide)** | The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways.
In Windows 11, the most commonly used VPN controls are integrated right into the Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and access the Settings app for more controls. |
| **[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)** | With Always On VPN, you can create a dedicated VPN profile for the device. Unlike User Tunnel, which only connects after a user logs on to the device, Device Tunnel allows the VPN to establish connectivity before a user sign-in. Both Device Tunnel and User Tunnel operate independently with their VPN profiles, can be connected at the same time, and can use different authentication methods and other VPN configuration settings as appropriate. |
| **[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)** | DirectAccess allows connectivity for remote users to organization network resources without the need for traditional Virtual Private Network (VPN) connections.
With DirectAccess connections, remote devices are always connected to the organization and there's no need for remote users to start and stop connections. |
@@ -51,5 +51,5 @@ ms.topic: include
| **[BitLocker management](/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises)** | The BitLocker CSP allows an MDM solution, like Microsoft Intune, to manage the BitLocker encryption features on Windows devices. This includes OS volumes, fixed drives and removeable storage, and recovery key management into Microsoft Entra ID. |
| **[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)** | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune, using a configuration service provider (CSP).
BitLocker provides encryption for the OS, fixed data, and removable data drives leveraging technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot and TPM. |
| **[Encrypted hard drive](/windows/security/operating-system-security/data-protection/encrypted-hard-drive)** | Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives.
By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity. |
-| **[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)** | Personal data encryption (PDE) works with BitLocker and Windows Hello for Business to further protect user documents and other files, including when the device is turned on and locked. Files are encrypted automatically and seamlessly to give users more security without interrupting their workflow.
Windows Hello for Business is used to protect the container which houses the encryption keys used by PDE. When the user signs in, the container gets authenticated to release the keys in the container to decrypt user content. |
-| **[Email Encryption (S/MIME)](/windows/security/operating-system-security/data-protection/configure-s-mime)** | Email encryption enables users to encrypt outgoing email messages and attachments, so only intended recipients with a digital ID (certificate) can read them. Users can digitally sign a message, which verifies the identity of the sender and confirms the message has not been tampered with. The encrypted messages can be sent by a user to other users within their organization or external contacts if they have proper encryption certificates. |
+| **[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)** | Personal data encryption (PDE) works with BitLocker and Windows Hello for Business to further protect user documents and other files, including when the device is turned on and locked. Files are encrypted automatically and seamlessly to give users more security without interrupting their workflow.
Windows Hello for Business is used to protect the container, which houses the encryption keys used by PDE. When the user signs in, the container gets authenticated to release the keys in the container to decrypt user content. |
+| **[Email Encryption (S/MIME)](/windows/security/operating-system-security/data-protection/configure-s-mime)** | Email encryption enables users to encrypt outgoing email messages and attachments, so only intended recipients with a digital ID (certificate) can read them. Users can digitally sign a message, which verifies the identity of the sender and confirms the message hasn't been tampered with. The encrypted messages can be sent by a user to other users within their organization or external contacts if they have proper encryption certificates. |
diff --git a/windows/security/includes/virtual-smart-card-deprecation-notice.md b/windows/security/includes/virtual-smart-card-deprecation-notice.md
index dea207534a..3a3a9e11c1 100644
--- a/windows/security/includes/virtual-smart-card-deprecation-notice.md
+++ b/windows/security/includes/virtual-smart-card-deprecation-notice.md
@@ -1,9 +1,9 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 02/22/2023
+ms.date: 11/04/2023
ms.topic: include
---
> [!WARNING]
-> [Windows Hello for Business](../identity-protection/hello-for-business/hello-identity-verification.md) is the modern, two-factor authentication for Windows. Microsoft will deprecate virtual smart cards in the near future. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business. Microsoft will publish the deprecation date to ensure customers have adequate lead time to move to Windows Hello for Business. We recommend that new Windows deployments use Windows Hello for Business.
\ No newline at end of file
+> [Windows Hello for Business](../identity-protection/hello-for-business/index.md) and FIDO2 security keys are modern, two-factor authentication methods for Windows. Customers using virtual smart cards are encouraged to move to Windows Hello for Business or FIDO2. For new Windows installations, we recommend Windows Hello for Business or FIDO2 security keys.
diff --git a/windows/security/index.yml b/windows/security/index.yml
index 40983d837f..069ecf8fb7 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -9,7 +9,6 @@ metadata:
ms.prod: windows-client
ms.technology: itpro-security
ms.collection:
- - highpri
- tier1
author: paolomatarazzo
ms.author: paoloma
@@ -64,7 +63,7 @@ productDirectory:
- url: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines
text: Windows security baselines
- url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/
- text: MMicrosoft Defender SmartScreen
+ text: Microsoft Defender SmartScreen
- url: /windows/security/operating-system-security
text: Learn more about OS security >
diff --git a/windows/security/licensing-and-edition-requirements.md b/windows/security/licensing-and-edition-requirements.md
index 6b192f2171..5f18fd26da 100644
--- a/windows/security/licensing-and-edition-requirements.md
+++ b/windows/security/licensing-and-edition-requirements.md
@@ -1,8 +1,6 @@
---
title: Windows security features licensing and edition requirements
description: Learn about Windows licensing and edition requirements for the features included in Windows.
-ms.collection:
-- tier2
ms.topic: conceptual
ms.date: 06/15/2023
appliesto:
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md
index cf39c89999..22f80cb481 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md
@@ -1,31 +1,27 @@
---
title: BCD settings and BitLocker
-description: This article for IT professionals describes the BCD settings that are used by BitLocker.
+description: Learn how BCD settings are used by BitLocker.
ms.topic: reference
-ms.date: 11/08/2022
+ms.date: 10/30/2023
---
# Boot Configuration Data settings and BitLocker
-This article for IT professionals describes the Boot Configuration Data (BCD) settings that are used by BitLocker.
+This article describes the Boot Configuration Data (BCD) settings that are used by BitLocker.
-When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive BCD settings haven't changed since BitLocker was last enabled, resumed, or recovered.
+During the boot process, BitLocker verifies that the security sensitive BCD settings haven't changed since BitLocker was last enabled, resumed, or recovered.
-## BitLocker and BCD Settings
+If it's believed that there's a risk in excluding a particular BCD setting from the validation profile, you can include that BCD setting in the BCD validation coverage to suit the preferences for validation.\
+If the default BCD setting persistently triggers a recovery for benign changes, you can exclude that BCD setting from the validation coverage.
-In Windows 7 and Windows Server 2008 R2, BitLocker validated BCD settings with the winload, winresume, and memtest prefixes to a large degree. However, this high degree of validation caused BitLocker to go into recovery mode for benign setting changes, for example, when applying a language pack, BitLocker would enter recovery mode.
-
-In Windows 8, Windows Server 2012, and later operating systems, BitLocker narrows the set of BCD settings validated to reduce the chance of benign changes causing a BCD validation problem. If it's believed that there's a risk in excluding a particular BCD setting from the validation profile, include that BCD setting in the BCD validation coverage to suit the preferences for validation. If a default BCD setting is found to persistently trigger a recovery for benign changes, exclude that BCD setting from the validation coverage.
-
-### When secure boot is enabled
-
-Computers with UEFI firmware can use secure boot to provide enhanced boot security. When BitLocker is able to use secure boot for platform and BCD integrity validation, as defined by the **Allow Secure Boot for integrity validation** group policy setting, the **Use enhanced Boot Configuration Data validation profile** group policy is ignored.
+> [!IMPORTANT]
+> Devices with UEFI firmware can use secure boot to provide enhanced boot security. When BitLocker is able to use secure boot for platform and BCD integrity validation, as defined by the **[Allow Secure Boot for integrity validation](configure.md?tabs=os#allow-secure-boot-for-integrity-validation)** policy setting, the **[Use enhanced Boot Configuration Data validation profile](configure.md?tabs=os#use-enhanced-boot-configuration-data-validation-profile)** policy is ignored.
One of the benefits of using secure boot is that it can correct BCD settings during boot without triggering recovery events. Secure boot enforces the same BCD settings as BitLocker. Secure boot BCD enforcement isn't configurable from within the operating system.
-## Customizing BCD validation settings
+## Customize BCD validation settings
-To modify the BCD settings that are validated by BitLocker, the administrator will add or exclude BCD settings from the platform validation profile by enabling and configuring the **Use enhanced Boot Configuration Data validation profile** group policy setting.
+To modify the BCD settings that are validated by BitLocker, the administrator will add or exclude BCD settings from the platform validation profile by enabling and configuring the **[Use enhanced Boot Configuration Data validation profile](configure.md?tabs=os#use-enhanced-boot-configuration-data-validation-profile)** policy setting.
For the purposes of BitLocker validation, BCD settings are associated with a specific set of Microsoft boot applications. These BCD settings can also be applied to the other Microsoft boot applications that aren't part of the set to which the BCD settings are already applicable for. This setting can be done by attaching any of the following prefixes to the BCD settings that are being entered in the group policy settings dialog:
@@ -34,15 +30,15 @@ For the purposes of BitLocker validation, BCD settings are associated with a spe
- memtest
- all of the above
-All BCD settings are specified by combining the prefix value with either a hexadecimal (hex) value or a "friendly name."
+All BCD settings are specified by combining the prefix value with either a hexadecimal (hex) value or a *friendly name*.
The BCD setting hex value is reported when BitLocker enters recovery mode and is stored in the event log (event ID 523). The hex value uniquely identifies the BCD setting that caused the recovery event.
You can quickly obtain the friendly name for the BCD settings on a computer by using the command `bcdedit.exe /enum all`.
-Not all BCD settings have friendly names; for those settings without a friendly name, the hex value is the only way to configure an exclusion policy.
+Not all BCD settings have friendly names. For those settings without a friendly name, the hex value is the only way to configure an exclusion policy.
-When specifying BCD values in the **Use enhanced Boot Configuration Data validation profile** group policy setting, use the following syntax:
+When specifying BCD values in the **[Use enhanced Boot Configuration Data validation profile](configure.md?tabs=os#use-enhanced-boot-configuration-data-validation-profile)** policy setting, use the following syntax:
- Prefix the setting with the boot application prefix
- Append a colon `:`
@@ -54,11 +50,11 @@ For example, either "`winload:hypervisordebugport`" or "`winload:0x250000f4`" yi
A setting that applies to all boot applications may be applied only to an individual application. However, the reverse isn't true. For example, one can specify either "`all:locale`" or "`winresume:locale`", but as the BCD setting "`win-pe`" doesn't apply to all boot applications, "`winload:winpe`" is valid, but "`all:winpe`" isn't valid. The setting that controls boot debugging ("`bootdebug`" or 0x16000010) will always be validated and will have no effect if it's included in the provided fields.
> [!NOTE]
-> Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid.
+> Take care when configuring BCD entries in the policy setting. The Local Group Policy Editor doesn't validate the correctness of the BCD entry. BitLocker fails to be enabled if the policy setting specified is invalid.
### Default BCD validation profile
-The following table contains the default BCD validation profile used by BitLocker in Windows 8, Windows Server 2012, and subsequent versions:
+The following table contains the default BCD validation profile used by BitLocker:
| Hex Value | Prefix | Friendly Name |
| - | - | - |
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md
deleted file mode 100644
index 16a611c770..0000000000
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md
+++ /dev/null
@@ -1,455 +0,0 @@
----
-title: BitLocker basic deployment
-description: This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
-ms.topic: conceptual
-ms.date: 11/08/2022
----
-
-# BitLocker basic deployment
-
-This article for the IT professional explains how BitLocker features can be used to protect data through drive encryption.
-
-## Using BitLocker to encrypt volumes
-
-BitLocker provides full volume encryption (FVE) for operating system volumes, and fixed and removable data drives. To support fully encrypted operating system drives, BitLocker uses an unencrypted system partition for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems.
-
-If the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create these volumes.
-
-> [!NOTE]
-> For more info about using this tool, see [Bdehdcfg](/windows-server/administration/windows-commands/bdehdcfg) in the Command-Line Reference.
-
-BitLocker encryption can be enabled and managed using the following methods:
-
-- BitLocker control panel
-- Windows Explorer
-- `manage-bde.exe` command-line interface
-- BitLocker Windows PowerShell cmdlets
-
-### Encrypting volumes using the BitLocker control panel
-
-Encrypting volumes with the BitLocker control panel (select **Start**, enter `Bitlocker`, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
-
-To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the **BitLocker Drive Encryption Wizard**. **BitLocker Drive Encryption Wizard** options vary based on volume type (operating system volume or data volume).
-
-#### Operating system volume
-
-For the operating system volume the **BitLocker Drive Encryption Wizard** presents several screens that prompt for options while it performs several actions:
-
-1. When the **BitLocker Drive Encryption Wizard** first launches, it verifies the computer meets the BitLocker system requirements for encrypting an operating system volume. By default, the system requirements are:
-
- |Requirement|Description|
- |--- |--- |
- |Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.|
- |Operating system|BitLocker is an optional feature that can be installed by Server Manager on Windows Server 2012 and later.|
- |Hardware TPM|TPM version 1.2 or 2.0.
A TPM isn't required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.|
- |UEFI firmware/BIOS configuration|
|
- |File system| One FAT32 partition for the system drive and one NTFS partition for the operating system drive. This requirement is applicable for computers that boot natively with UEFI firmware.
For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.|
- |Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.|
-
- If the volume doesn't pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken.
-
-2. Upon passing the initial configuration, users may be prompted to enter a password for the volume, for example, if a TPM isn't available. If a TPM is available, the password screen will be skipped.
-
-3. After the initial configuration/password screens, a recovery key will be generated. The **BitLocker Drive Encryption Wizard** will prompt for a location to save the recovery key. A BitLocker recovery key is a special key that is created when BitLocker Drive Encryption is turned on for the first time on each drive that is encrypted. The recovery key can be used to gain access to the computer if:
-
- - The drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption
- - BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up
-
- A recovery key can also be used to gain access to the files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason the password is forgotten or the computer can't access the drive.
-
- The recovery key can be stored using the following methods:
-
- - **Save to your Microsoft Entra account** (if applicable)
- - **Save to a USB flash drive**
- - **Save to a file** - the file needs to be saved to a location that isn't on the computer itself such as a network folder or OneDrive
- - **Print the recovery key**
-
- The recovery key can't be stored at the following locations:
-
- - The drive being encrypted
- - The root directory of a non-removable/fixed drive
- - An encrypted volume
-
- > [!TIP]
- > Ideally, a computer's recovery key should be stored separate from the computer itself.
-
- > [!NOTE]
- > After a recovery key is created, the BitLocker control panel can be used to make additional copies of the recovery key.
-
-4. The **BitLocker Drive Encryption Wizard** will then prompt how much of the drive to encrypt. The **BitLocker Drive Encryption Wizard** will have two options that determine how much of the drive is encrypted:
-
- - **Encrypt used disk space only** - Encrypts only disk space that contains data.
- - **Encrypt entire drive** - Encrypts the entire volume including free space. Also known as full disk encryption.
-
- Each of the methods is recommended in the following scenarios:
-
- - **Encrypt used disk space only**:
-
- - The drive has never had data
- - Formatted or erased drives that in the past have never had confidential data that was never encrypted
-
- - **Encrypt entire drive** (full disk encryption):
-
- - Drives that currently have data
- - Drives that currently have an operating system
- - Formatted or erased drives that in the past had confidential data that was never encrypted
-
- > [!IMPORTANT]
- > Deleted files appear as free space to the file system, which isn't encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools.
-
-5. The **BitLocker Drive Encryption Wizard** will then prompt for an encryption mode:
-
- - **New encryption mode**
- - **Compatible mode**
-
- Normally **New encryption mode** should be chosen, but if the drive will be potentially moved to another computer with an older Windows operating system, then select **Compatible mode**.
-
-6. After selecting an encryption mode, the **BitLocker Drive Encryption Wizard** will give the option of running a BitLocker system check via the option **Run BitLocker system check**. This system check will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. it's recommended run this system check before starting the encryption process. If the system check isn't run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows.
-
-After completing the system check (if selected), the **BitLocker Drive Encryption Wizard** will begin encryption. A reboot may be initiated to start encryption. If a reboot was initiated, if there was no TPM and a password was specified, the password will need to be entered to boot into the operating system volume.
-
-Users can check encryption status by checking the system notification area or the BitLocker control panel.
-
-Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning off BitLocker.
-
-#### Data volume
-
-Encrypting data volumes using the BitLocker control panel works in a similar fashion to encryption of the operating system volumes. Users select **Turn on BitLocker** within the BitLocker control panel to begin the **BitLocker Drive Encryption Wizard**.
-
-1. Upon launching the **BitLocker Drive Encryption Wizard**, unlike for operating system volumes, data volumes aren't required to pass any configuration tests for the **BitLocker Drive Encryption Wizard** to proceed
-
-2. A choice of authentication methods to unlock the drive appears. The available options are:
-
- - **Use a password to unlock the drive**
- - **Use my smart card to unlock the drive**
- - **Automatically unlock this drive on this computer** - Disabled by default but if enabled, this option will unlock the data volume without user input when the operating system volume is unlocked.
-
-3. The **BitLocker Drive Encryption Wizard** presents options for storage of the recovery key. These options are the same as for operating system volumes:
-
- - **Save to your Microsoft Entra account** (if applicable)
- - **Save to a USB flash drive**
- - **Save to a file** - the file needs to be saved to a location that isn't on the computer itself such as a network folder or OneDrive
- - **Print the recovery key**
-
-4. After saving the recovery key, the **BitLocker Drive Encryption Wizard** will show available options for encryption. These options are the same as for operating system volumes:
-
- - **Encrypt used disk space only** - Encrypts only disk space that contains data.
- - **Encrypt entire drive** - Encrypts the entire volume including free space. Also known as full disk encryption.
-
-5. The **BitLocker Drive Encryption Wizard** will then prompt for an encryption mode:
-
- - **New encryption mode**
- - **Compatible mode**
-
- Normally **New encryption mode** should be chosen, but if the drive will be potentially moved to another computer with an older Windows operating system, then select **Compatible mode**.
-
-6. The **BitLocker Drive Encryption Wizard** will display a final confirmation screen before the encryption process begins. Selecting **Start encrypting** begins encryption.
-
-Encryption status displays in the notification area or within the BitLocker control panel.
-
-### OneDrive option
-
-There's an option for storing the BitLocker recovery key using OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local accounts don't give the option to use OneDrive. Using the OneDrive option is the default recommended recovery key storage method for computers that aren't joined to a domain.
-
-Users can verify whether the recovery key was saved properly by checking OneDrive for the BitLocker folder. The BitLocker folder on OneDrive is created automatically during the save process. The folder will contain two files, a `readme.txt` and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
-
-### Using BitLocker within Windows Explorer
-
-Windows Explorer allows users to launch the **BitLocker Drive Encryption Wizard** by right-clicking a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, the BitLocker feature and the Desktop-Experience feature must first be installed for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel.
-
-## Down-level compatibility
-
-The following table shows the compatibility matrix for systems that have been BitLocker enabled and then presented to a different version of Windows.
-
-Table 1: Cross compatibility for Windows 11, Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes
-
-|Encryption Type|Windows 11, Windows 10, and Windows 8.1|Windows 8|Windows 7|
-|---|---|---|---|
-|Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted|
-|Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted|
-|Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A|
-|Partially encrypted volume from Windows 7|Windows 11, Windows 10, and Windows 8.1 will complete encryption regardless of policy|Windows 8 will complete encryption regardless of policy|N/A|
-
-## Encrypting volumes using the `manage-bde.exe` command-line interface
-
-`Manage-bde.exe` is a command-line utility that can be used for scripting BitLocker operations. `Manage-bde.exe` offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
-
-`Manage-bde.exe` offers a multitude of wider options for configuring BitLocker. Using the command syntax may require care. For example, using just the `manage-bde.exe -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed. For the volume to be fully protected, an authentication method needs to also be added to the volume in addition to running the `manage-bde.exe`command.
-
-Command-line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes.
-
-### Operating system volume commands
-
-Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde.exe -on
Network Unlock allows PCs to start automatically when connected to the internal network. |
-| When BitLocker is enabled, the provisioning process can take several hours. | BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers. |
-| There's no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. |
-| Administrators have to use separate tools to manage encrypted hard drives. | BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them. |
-| Encrypting a new flash drive can take more than 20 minutes. | Used Space Only encryption in BitLocker To Go allows users to encrypt removable data drives in seconds. |
-| BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when the PIN or password is lost. |
-| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. |
-
-## Prepare for drive and file encryption
-
-The best type of security measures is transparent to the user during implementation and use. Every time there's a possible delay or difficulty because of a security feature, there's a strong likelihood that users will try to bypass security. This situation is especially true for data protection, and that's a scenario that organizations need to avoid. Whether planning to encrypt entire volumes, removable devices, or individual files, Windows 11 and Windows 10 meet these needs by providing streamlined, usable solutions. In fact, several steps can be taken in advance to prepare for data encryption and make the deployment quick and smooth.
-
-### TPM pre-provisioning
-
-In Windows 7, preparing the TPM offered a few challenges:
-
-- Turning on the TPM required going into the BIOS or UEFI firmware of the device. Turning on the TPM at the device requires someone to either physically go into the BIOS or UEFI firmware settings of the device to turn on the TPM, or to install a driver in Windows to turn on the TPM from within Windows.
-- When the TPM is enabled, it may require one or more restarts.
-
-This made preparing the TPM in Windows 7 problematic. If IT staff are provisioning new PCs, they can handle the required steps for preparing a TPM. However, if BitLocker needed to be enabled on devices that are already in users' hands, those users would probably struggle with the technical challenges. The user would then either call to IT for support or leave BitLocker disabled.
-
-Microsoft includes instrumentation in Windows 11 and Windows 10 that enable the operating system to fully manage the TPM. There's no need to go into the BIOS, and all scenarios that required a restart have been eliminated.
-
-## Deploy hard drive encryption
-
-BitLocker is capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled. With Windows 11 and Windows 10, administrators can turn on BitLocker and the TPM from within the Windows Pre-installation Environment before they install Windows or as part of an automated deployment task sequence without any user interaction. Combined with Used Disk Space Only encryption and a mostly empty drive (because Windows isn't yet installed), it takes only a few seconds to enable BitLocker.
-
-With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which delayed deployment. Microsoft has improved this process through multiple features in Windows 11 and Windows 10.
-
-## BitLocker Device Encryption
-
-Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those devices that are Modern Standby, and devices that run Home edition of Windows 10 or Windows 11.
-
-Microsoft expects that most devices in the future will pass the requirements for BitLocker Device Encryption that will make BitLocker Device Encryption pervasive across modern Windows devices. BitLocker Device Encryption further protects the system by transparently implementing device-wide data encryption.
-
-Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how BitLocker Device Encryption is enabled automatically:
-
-- When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key that is the equivalent of standard BitLocker suspended state. In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points.
-
-- If the device isn't domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using their Microsoft account credentials.
-
-- If the user uses a domain account to sign in, the clear key isn't removed until the user joins the device to a domain, and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). The following Group Policy settings must be enabled for the recovery key to be backed up to AD DS:
-
- *Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives* > **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives**
-
- With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
-
-- Similar to signing in with a domain account, the clear key is removed when the user signs in to a Microsoft Entra account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Microsoft Entra ID. Then, the recovery key is backed up to Microsoft Entra ID, the TPM protector is created, and the clear key is removed.
-
-Microsoft recommends automatically enabling BitLocker Device Encryption on any systems that support it. However, the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting:
-
-- **Subkey**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker`
-- **Type**: `REG_DWORD`
-- **Value**: `PreventDeviceEncryption` equal to `1` (True)
-
-Administrators can manage domain-joined devices that have BitLocker Device Encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, BitLocker Device Encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required.
-
-> [!NOTE]
-> BitLocker Device Encryption uses the XTS-AES 128-bit encryption method. If a different encryption method and/or cipher strength is needed but the device is already encrypted, it must first be decrypted before the new encryption method and/or cipher strength can be applied. After the device has been decrypted, different BitLocker settings can be applied.
-
-## Used Disk Space Only encryption
-
-BitLocker in earlier Windows versions could take a long time to encrypt a drive because it encrypted every byte on the volume including areas that didn't have data. Encrypting every byte on the volume including areas that didn't have data is known as full disk encryption. Full disk encryption is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. If a drive previously had confidential data that has been moved or deleted, traces of the confidential data could remain on portions of the drive marked as unused.
-
-To reduce encryption time, BitLocker in Windows 11 and Windows 10 let users choose to encrypt just the areas of the disk that contain data. Areas of the disk that don't contain data and are empty won't be encrypted. Any new data is encrypted as it's created. Depending on the amount of data on the drive, this option can reduce the initial encryption time by more than 99 percent.
-
-Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state. When using used space encryption, sectors where previously unencrypted data are stored can be recovered through disk-recovery tools until they're overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it's written to the disk.
-
-## Encrypted hard drive support
-
-SEDs have been available for years, but Microsoft couldn't support their use with some earlier versions of Windows because the drives lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives.
-
-Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives. This feature improves both drive and system performance by offloading cryptographic calculations from the PC's processor to the drive itself. Data is rapidly encrypted by the drive by using dedicated, purpose-built hardware. If planning to use whole-drive encryption with Windows 11 or Windows 10, Microsoft recommends researching hard drive manufacturers and models to determine whether any of their encrypted hard drives meet the security and budget requirements.
-
-For more information about encrypted hard drives, see [Encrypted hard drive](../encrypted-hard-drive.md).
-
-## Preboot information protection
-
-An effective implementation of information protection, like most security controls, considers usability and security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it.
-
-It's crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection shouldn't be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows sign-in. Challenging users for input more than once should be avoided.
-
-Windows 11 and Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they aren't as user-friendly; depending on the devices' configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md).
-
-## Manage passwords and PINs
-
-When BitLocker is enabled on a system drive and the PC has a TPM, users can be required to type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows sign-in, which makes it almost impossible for the attacker to access or modify user data and system files.
-
-Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor. However, this configuration comes with some costs. One of the most significant costs is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password regularly.
-
-Windows 11 and Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices don't require a PIN for startup: They're designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.
-
-For more information about how startup security works and the countermeasures that Windows 11 and Windows 10 provide, see [Protect BitLocker from pre-boot attacks](bitlocker-countermeasures.md).
-
-## Configure Network Unlock
-
-Some organizations have location specific data security requirements. Location specific data security requirements are most common in environments where high-value data is stored on PCs. The network environment may provide crucial data protection and enforce mandatory authentication. Therefore, policy states that those PCs shouldn't leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these safeguards, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary.
-
-Network Unlock enables BitLocker-protected PCs to start automatically when connected to a wired corporate network on which Windows Deployment Services runs. Anytime the PC isn't connected to the corporate network, a user must type a PIN to unlock the drive (if PIN-based unlock is enabled).
-Network Unlock requires the following infrastructure:
-
-- Client PCs that have Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1 or later, which supports Dynamic Host Configuration Protocol (DHCP)
-
-- A server running at least Windows Server 2012 with the Windows deployment services (WDS) role
-
-- A server with the DHCP server role installed
-
-For more information about how to configure Network unlock feature, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
-
-## Microsoft BitLocker administration and monitoring
-
-Part of the Microsoft Desktop Optimization Pack, Microsoft BitLocker Administration and Monitoring (MBAM) makes it easier to manage and support BitLocker and BitLocker To Go. MBAM 2.5 with Service Pack 1, the latest version, has the following key features:
-
-- Enables administrators to automate the process of encrypting volumes on client computers across the enterprise.
-
-- Enables security officers to quickly determine the compliance state of individual computers or even of the enterprise itself.
-
-- Provides centralized reporting and hardware management with Microsoft Configuration Manager.
-
-- Reduces the workload on the help desk to assist end users with BitLocker recovery requests.
-
-- Enables end users to recover encrypted devices independently by using the Self-Service Portal.
-
-- Enables security officers to easily audit access to recovery key information.
-
-- Empowers Windows Enterprise users to continue working anywhere with the assurance that their corporate data is protected.
-
-- Enforces the BitLocker encryption policy options that are set for the enterprise.
-
-- Integrates with existing management tools, such as Microsoft Configuration Manager.
-
-- Offers an IT-customizable recovery user experience.
-
-- Supports Windows 11 and Windows 10.
-
-> [!IMPORTANT]
-> Enterprises could use MBAM to manage client computers with BitLocker that are domain-joined on-premises until mainstream support ended in July 2019, or they could receive extended support until April 2026.
-
-Going forward, the functionality of MBAM will be incorporated into Configuration Manager. For more information, see [Plan for BitLocker management](/mem/configmgr/protect/plan-design/bitlocker-management).
-
-Enterprises not using Configuration Manager can use the built-in features of Microsoft Entra ID and Microsoft Intune for administration and monitoring. For more information, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor).
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md
deleted file mode 100644
index f6aa783b9e..0000000000
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md
+++ /dev/null
@@ -1,1328 +0,0 @@
----
-title: BitLocker Group Policy settings
-description: This article for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.
-ms.collection:
- - highpri
- - tier1
-ms.topic: reference
-ms.date: 11/08/2022
----
-
-# BitLocker group policy settings
-
-This article for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.
-
-Group Policy administrative templates or local computer policy settings can be used to control what BitLocker drive encryption tasks and configurations can be performed by users, for example through the **BitLocker Drive Encryption** control panel. Which of these policies are configured and how they're configured depends on how BitLocker is implemented and what level of interaction is desired for end users.
-
-> [!NOTE]
-> A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [TPM Group Policy settings](../../../hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md).
-
-BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**.
-
-Most of the BitLocker Group Policy settings are applied when BitLocker is initially turned on for a drive. If a computer isn't compliant with existing Group Policy settings, BitLocker may not be turned on, or BitLocker configuration may be modified until the computer is in a compliant state. When a drive becomes out of compliance with Group Policy settings, only changes to the BitLocker configuration that will bring it into compliance are allowed. This scenario could occur, for example, if a previously encrypted drive was brought out of compliance by change in Group Policy settings.
-
-If multiple changes are necessary to bring the drive into compliance, BitLocker protection may need to be suspended, the necessary changes made, and then protection resumed. This situation could occur, for example, if a removable drive is initially configured for unlock with a password but then Group Policy settings are changed to disallow passwords and require smart cards. In this situation, BitLocker protection needs to be suspended by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool, delete the password unlock method, and add the smart card method. After this process is complete, BitLocker is compliant with the Group Policy setting, and BitLocker protection on the drive can be resumed.
-
-In other scenarios, to bring the drive into compliance with a change in Group Policy settings, BitLocker may need to be disabled and the drive decrypted followed by reenabling BitLocker and then re-encrypting the drive. An example of this scenario is when the BitLocker encryption method or cipher strength is changed. The [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line can also be used in this scenario to help bring the device into compliance.
-
-## BitLocker group policy settings details
-
-> [!NOTE]
-> For more details about Active Directory configuration related to BitLocker enablement, please see [Set up MDT for BitLocker](/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker).
-
-The following sections provide a comprehensive list of BitLocker group policy settings that are organized by usage. BitLocker group policy settings include settings for specific drive types (operating system drives, fixed data drives, and removable data drives) and settings that are applied to all drives.
-
-The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked.
-
-- [Allow devices with Secure Boot and protected DMA ports to opt out of preboot PIN](#allow-devices-with-secure-boot-and-protected-dma-ports-to-opt-out-of-preboot-pin)
-- [Allow network unlock at startup](#allow-network-unlock-at-startup)
-- [Require additional authentication at startup](#require-additional-authentication-at-startup)
-- [Allow enhanced PINs for startup](#allow-enhanced-pins-for-startup)
-- [Configure minimum PIN length for startup](#configure-minimum-pin-length-for-startup)
-- [Disable new DMA devices when this computer is locked](#disable-new-dma-devices-when-this-computer-is-locked)
-- [Disallow standard users from changing the PIN or password](#disallow-standard-users-from-changing-the-pin-or-password)
-- [Configure use of passwords for operating system drives](#configure-use-of-passwords-for-operating-system-drives)
-- [Require additional authentication at startup (Windows Server 2008 and Windows Vista)](#require-additional-authentication-at-startup-windows-server-2008-and-windows-vista)
-- [Configure use of smart cards on fixed data drives](#configure-use-of-smart-cards-on-fixed-data-drives)
-- [Configure use of passwords on fixed data drives](#configure-use-of-passwords-on-fixed-data-drives)
-- [Configure use of smart cards on removable data drives](#configure-use-of-smart-cards-on-removable-data-drives)
-- [Configure use of passwords on removable data drives](#configure-use-of-passwords-on-removable-data-drives)
-- [Validate smart card certificate usage rule compliance](#validate-smart-card-certificate-usage-rule-compliance)
-- [Enable use of BitLocker authentication requiring preboot keyboard input on slates](#enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates)
-
-The following policy settings are used to control how users can access drives and how they can use BitLocker on their computers.
-
-- [Deny write access to fixed drives not protected by BitLocker](#deny-write-access-to-fixed-drives-not-protected-by-bitlocker)
-- [Deny write access to removable drives not protected by BitLocker](#deny-write-access-to-removable-drives-not-protected-by-bitlocker)
-- [Control use of BitLocker on removable drives](#control-use-of-bitlocker-on-removable-drives)
-
-The following policy settings determine the encryption methods and encryption types that are used with BitLocker.
-
-- [Choose drive encryption method and cipher strength](#choose-drive-encryption-method-and-cipher-strength)
-- [Configure use of hardware-based encryption for fixed data drives](#configure-use-of-hardware-based-encryption-for-fixed-data-drives)
-- [Configure use of hardware-based encryption for operating system drives](#configure-use-of-hardware-based-encryption-for-operating-system-drives)
-- [Configure use of hardware-based encryption for removable data drives](#configure-use-of-hardware-based-encryption-for-removable-data-drives)
-- [Enforce drive encryption type on fixed data drives](#enforce-drive-encryption-type-on-fixed-data-drives)
-- [Enforce drive encryption type on operating system drives](#enforce-drive-encryption-type-on-operating-system-drives)
-- [Enforce drive encryption type on removable data drives](#enforce-drive-encryption-type-on-removable-data-drives)
-
-The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.
-
-- [Choose how BitLocker-protected operating system drives can be recovered](#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered)
-- [Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)](#choose-how-users-can-recover-bitlocker-protected-drives-windows-server-2008-and-windows-vista)
-- [Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)](#store-bitlocker-recovery-information-in-active-directory-domain-services-windows-server-2008-and-windows-vista)
-- [Choose default folder for recovery password](#choose-default-folder-for-recovery-password)
-- [Choose how BitLocker-protected fixed drives can be recovered](#choose-how-bitlocker-protected-fixed-drives-can-be-recovered)
-- [Choose how BitLocker-protected removable drives can be recovered](#choose-how-bitlocker-protected-removable-drives-can-be-recovered)
-- [Configure the pre-boot recovery message and URL](#configure-the-pre-boot-recovery-message-and-url)
-
-The following policies are used to support customized deployment scenarios in an organization.
-
-- [Allow Secure Boot for integrity validation](#allow-secure-boot-for-integrity-validation)
-- [Provide the unique identifiers for your organization](#provide-the-unique-identifiers-for-your-organization)
-- [Prevent memory overwrite on restart](#prevent-memory-overwrite-on-restart)
-- [Configure TPM platform validation profile for BIOS-based firmware configurations](#configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations)
-- [Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)](#configure-tpm-platform-validation-profile-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2)
-- [Configure TPM platform validation profile for native UEFI firmware configurations](#configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations)
-- [Reset platform validation data after BitLocker recovery](#reset-platform-validation-data-after-bitlocker-recovery)
-- [Use enhanced Boot Configuration Data validation profile](#use-enhanced-boot-configuration-data-validation-profile)
-- [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#allow-access-to-bitlocker-protected-fixed-data-drives-from-earlier-versions-of-windows)
-- [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#allow-access-to-bitlocker-protected-removable-data-drives-from-earlier-versions-of-windows)
-
-### Allow devices with secure boot and protected DMA ports to opt out of preboot PIN
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, TPM-only protection can be allowed for newer, more secure devices, such as devices that support Modern Standby or HSTI, while requiring PIN on older devices.|
-|**Introduced**|Windows 10, version 1703|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|This setting overrides the **Require startup PIN with TPM** option of the [Require additional authentication at startup](#require-additional-authentication-at-startup) policy on compliant hardware.|
-|**When enabled**|Users on Modern Standby and HSTI compliant devices will have the choice to turn on BitLocker without preboot authentication.|
-|**When disabled or not configured**|The options of the [Require additional authentication at startup](#require-additional-authentication-at-startup) policy apply.|
-
-#### Reference: Allow devices with secure boot and protected DMA ports to opt out of preboot PIN
-
-The preboot authentication option **Require startup PIN with TPM** of the [Require additional authentication at startup](#require-additional-authentication-at-startup) policy is often enabled to help ensure security for older devices that don't support Modern Standby. But visually impaired users have no audible way to know when to enter a PIN.
-This setting enables an exception to the PIN-required policy on secure hardware.
-
-### Allow network unlock at startup
-
-This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption.
-
-This policy is used with the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be controlled whether a BitLocker-protected computer that is connected to a trusted local area network and joined to a domain can create and use network key protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.|
-|**Introduced**|Windows Server 2012 and Windows 8|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|None|
-|**When enabled**|Clients configured with a BitLocker Network Unlock certificate can create and use Network Key Protectors.|
-|**When disabled or not configured**|Clients can't create and use Network Key Protectors.|
-
-#### Reference: Allow network unlock at startup
-
-To use a network key protector to unlock the computer, the computer and the server that hosts BitLocker Drive Encryption Network Unlock must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create a network key protector and to protect the information exchange with the server to unlock the computer. The Group Policy setting **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies** > **BitLocker Drive Encryption Network Unlock Certificate** can be used on the domain controller to distribute this certificate to computers in the organization. This unlock method uses the TPM on the computer, so computers that don't have a TPM can't create network key protectors to automatically unlock by using Network Unlock.
-
-> [!NOTE]
-> For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or can't connect to the domain controller at startup.
-
-For more information about Network Unlock feature, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
-
-### Require additional authentication at startup
-
-This policy setting is used to control which unlock options are available for operating system drives.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be configured whether BitLocker requires additional authentication each time the computer starts and whether BitLocker will be used with a Trusted Platform Module (TPM). This policy setting is applied when BitLocker is turned on.|
-|**Introduced**|Windows Server 2008 R2 and Windows 7|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|If one authentication method is required, the other methods can't be allowed. Use of BitLocker with a TPM startup key or with a TPM startup key and a PIN must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.|
-|**When enabled**|Users can configure advanced startup options in the BitLocker Setup Wizard.|
-|**When disabled or not configured**|Users can configure only basic options on computers with a TPM.
Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs.|
-
-#### Reference: Require additional authentication at startup
-
-If BitLocker needs to be used on a computer without a TPM, select **Allow BitLocker without a compatible TPM**. In this mode, a password or USB drive is required for startup. The USB drive stores the startup key that is used to encrypt the drive. When the USB drive is inserted, the startup key is authenticated, and the operating system drive is accessible. If the USB drive is lost or unavailable, BitLocker recovery is required to access the drive.
-
-On a computer with a compatible TPM, additional authentication methods can be used at startup to improve protection for encrypted data. When the computer starts, it can use:
-
-- Only the TPM
-- Insertion of a USB flash drive containing the startup key
-- The entry of a 4-digit to 20-digit personal identification number (PIN)
-- A combination of the PIN and the USB flash drive
-
-There are four options for TPM-enabled computers or devices:
-
-- Configure TPM startup
- - Allow TPM
- - Require TPM
- - Do not allow TPM
-- Configure TPM startup PIN
-
- - Allow startup PIN with TPM
- - Require startup PIN with TPM
- - Do not allow startup PIN with TPM
-
-- Configure TPM startup key
- - Allow startup key with TPM
- - Require startup key with TPM
- - Do not allow startup key with TPM
-
-- Configure TPM startup key and PIN
- - Allow TPM startup key with PIN
- - Require startup key and PIN with TPM
- - Do not allow TPM startup key with PIN
-
-### Allow enhanced PINs for startup
-
-This policy setting permits the use of enhanced PINs when an unlock method that includes a PIN is used.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be configured whether enhanced startup PINs are used with BitLocker.|
-|**Introduced**|Windows Server 2008 R2 and Windows 7|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|None|
-|**When enabled**|All new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs aren't affected.|
-|**When disabled or not configured**|Enhanced PINs won't be used.|
-
-#### Reference: Allow enhanced PINs for startup
-
-Enhanced startup PINs permit the use of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when BitLocker is turned on.
-
-> [!IMPORTANT]
-> Not all computers support enhanced PIN characters in the preboot environment. It's strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used.
-
-### Configure minimum PIN length for startup
-
-This policy setting is used to set a minimum PIN length when an unlock method that includes a PIN is used.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be configured a minimum length for a TPM startup PIN. This policy setting is applied when BitLocker is turned on. The startup PIN must have a minimum length of four digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.|
-|**Introduced**|Windows Server 2008 R2 and Windows 7|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|None|
-|**When enabled**|The required minimum length of startup PINs set by users can be set between 4 and 20 digits.|
-|**When disabled or not configured**|Users can configure a startup PIN of any length between 6 and 20 digits.|
-
-#### Reference: Configure minimum PIN length for startup
-
-This policy setting is applied when BitLocker is turned on. The startup PIN must have a minimum length of four digits and can have a maximum length of 20 digits.
-
-Originally, BitLocker allowed a length from 4 to 20 characters for a PIN. Windows Hello has its own PIN for sign-in, length of which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
-
-The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](../../../hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
-
-The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This number of attempts totals to a maximum of about 4415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years.
-
-Increasing the PIN length requires a greater number of guesses for an attacker. In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection.
-
-Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to six characters to better align with other Windows features that use TPM 2.0, including Windows Hello. To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is six characters by default, but it can be reduced to four characters. If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended.
-
-### Disable new DMA devices when this computer is locked
-
-This policy setting allows blocking of direct memory access (DMA) for all hot pluggable PCI ports until a user signs in to Windows.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys.|
-|**Introduced**|Windows 10, version 1703|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*|
-|**Conflicts**|None|
-|**When enabled**|Every time the user locks the screen, DMA will be blocked on hot pluggable PCI ports until the user signs in again.|
-|**When disabled or not configured**|DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.|
-
-#### Reference: Disable new DMA devices when this computer is locked
-
-This policy setting is only enforced when BitLocker or device encryption is enabled. As explained in the [Microsoft Security Guidance blog](/archive/blogs/secguide/issue-with-bitlockerdma-setting-in-windows-10-fall-creators-update-v1709), in some cases when this setting is enabled, internal, PCI-based peripherals can fail, including wireless network drivers and input and audio peripherals. This problem is fixed in the [April 2018 quality update](https://support.microsoft.com/help/4093105).
-
-### Disallow standard users from changing the PIN or password
-
-This policy setting allows configuration of whether standard users are allowed to change the PIN or password that is used to protect the operating system drive.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be configured whether standard users are allowed to change the PIN or password used to protect the operating system drive.|
-|**Introduced**|Windows Server 2012 and Windows 8|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|None|
-|**When enabled**|Standard users aren't allowed to change BitLocker PINs or passwords.|
-|**When disabled or not configured**|Standard users are permitted to change BitLocker PINs or passwords.|
-
-#### Reference: Disallow standard users from changing the PIN or password
-
-To change the PIN or password, the user must be able to provide the current PIN or password. This policy setting is applied when BitLocker is turned on.
-
-### Configure use of passwords for operating system drives
-
-This policy controls how non-TPM based systems utilize the password protector. Used with the **Password must meet complexity requirements** policy, this policy allows administrators to require password length and complexity for using the password protector. By default, passwords must be eight characters in length. Complexity configuration options determine how important domain connectivity is for the client. For the strongest password security, administrators should choose **Require password complexity** because it requires domain connectivity, and it requires that the BitLocker password meets the same password complexity requirements as domain sign-in passwords.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, the constraints for passwords that are used to unlock operating system drives that are protected with BitLocker can be specified.|
-|**Introduced**|Windows Server 2012 and Windows 8|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|Passwords can't be used if FIPS-compliance is enabled.
For more information about PCR 7, see [About the Platform Configuration Register (PCR)](#about-the-platform-configuration-register-pcr) in this article.|
-|**When enabled or not configured**|BitLocker uses Secure Boot for platform integrity if the platform is capable of Secure Boot-based integrity validation.|
-|**When disabled**|BitLocker uses legacy platform integrity validation, even on systems that are capable of Secure Boot-based integrity validation.|
-
-#### Reference: Allow Secure Boot for integrity validation
-
-Secure boot ensures that the computer's pre-boot environment loads only firmware that is digitally signed by authorized software publishers. Secure boot also started providing more flexibility for managing pre-boot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8.
-
-When this policy is enabled and the hardware is capable of using secure boot for BitLocker scenarios, the **Use enhanced Boot Configuration Data validation profile** group policy setting is ignored, and secure boot verifies BCD settings according to the secure boot policy setting, which is configured separately from BitLocker.
-
-> [!WARNING]
-> Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If this policy is disabled, suspend BitLocker prior to applying firmware updates.
-
-### Provide the unique identifiers for your organization
-
-This policy setting is used to establish an identifier that is applied to all drives that are encrypted in an organization.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, unique organizational identifiers can be associated to a new drive that is enabled with BitLocker.|
-|**Introduced**|Windows Server 2008 R2 and Windows 7|
-|**Drive type**|All drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*|
-|**Conflicts**|Identification fields are required to manage certificate-based data recovery agents on BitLocker-protected drives. BitLocker manages and updates certificate-based data recovery agents only when the identification field is present on a drive and it's identical to the value that is configured on the computer.|
-|**When enabled**|The identification field on the BitLocker-protected drive and any allowed identification field that is used by an organization can be configured.|
-|**When disabled or not configured**|The identification field isn't required.|
-
-#### Reference: Provide the unique identifiers for your organization
-
-These identifiers are stored as the identification field and the allowed identification field. The identification field allows association of a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool.
-
-An identification field is required to manage certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker manages and updates data recovery agents only when the identification field on the drive matches the value that is configured in the identification field. In a similar manner, BitLocker updates the BitLocker To Go Reader only when the identification field's value on the drive matches the value that is configured for the identification field.
-
-For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
-
-The allowed identification field is used in combination with the **Deny write access to removable drives not protected by BitLocker** policy setting to help control the use of removable drives in an organization. It's a comma-separated list of identification fields from an internal organization or external organizations.
-
-The identification fields on existing drives can be configured by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool.
-
-When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and the allowed identification field are used to determine whether the drive is from an external organization.
-
-Multiple values separated by commas can be entered in the identification and allowed identification fields. The identification field can be any value upto 260 characters.
-
-### Prevent memory overwrite on restart
-
-This policy setting is used to control whether the computer's memory will be overwritten the next time the computer is restarted.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be controlled computer restart performance at the risk of exposing BitLocker secrets.|
-|**Introduced**|Windows Vista|
-|**Drive type**|All drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*|
-|**Conflicts**|None|
-|**When enabled**|The computer won't overwrite memory when it restarts. Preventing memory overwrite may improve restart performance, but it increases the risk of exposing BitLocker secrets.|
-|**When disabled or not configured**|BitLocker secrets are removed from memory when the computer restarts.|
-
-#### Reference: Prevent memory overwrite on restart
-
-This policy setting is applied when BitLocker is turned on. BitLocker secrets include key material that is used to encrypt data. This policy setting applies only when BitLocker protection is enabled.
-
-### Configure TPM platform validation profile for BIOS-based firmware configurations
-
-This policy setting determines what values the TPM measures when it validates early boot components before it unlocks an operating system drive on a computer with a BIOS configuration or with UEFI firmware that has the Compatibility Support Module (CSM) enabled.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be configured how the computer's TPM security hardware secures the BitLocker encryption key.|
-|**Introduced**|Windows Server 2012 and Windows 8|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|None|
-|**When enabled**|The boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive can be configured. If any of these components change while BitLocker protection is in effect, then the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.|
-|**When disabled or not configured**|The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.|
-
-#### Reference: Configure TPM platform validation profile for BIOS-based firmware configurations
-
-This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker has already been turned on with TPM protection.
-
-> [!IMPORTANT]
-> This Group Policy setting only applies to computers with BIOS configurations or to computers with UEFI firmware with the CSM enabled. Computers that use a native UEFI firmware configuration store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting to configure the TPM PCR profile for computers that use native UEFI firmware.
-
-A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following PCRs:
-
-- Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0)
-- Option ROM Code (PCR 2)
-- Master Boot Record (MBR) Code (PCR 4)
-- NTFS Boot Sector (PCR 8)
-- NTFS Boot Block (PCR 9)
-- Boot Manager (PCR 10)
-- BitLocker Access Control (PCR 11)
-
-> [!NOTE]
-> Changing from the default platform validation profile affects the security and manageability of a computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
-
-The following list identifies all of the available PCRs:
-
-- PCR 0: Core root-of-trust for measurement, BIOS, and platform extensions
-- PCR 1: Platform and motherboard configuration and data.
-- PCR 2: Option ROM code
-- PCR 3: Option ROM data and configuration
-- PCR 4: Master Boot Record (MBR) code
-- PCR 5: Master Boot Record (MBR) partition table
-- PCR 6: State transition and wake events
-- PCR 7: Computer manufacturer-specific
-- PCR 8: NTFS boot sector
-- PCR 9: NTFS boot block
-- PCR 10: Boot manager
-- PCR 11: BitLocker access control
-- PCR 12-23: Reserved for future use
-
-### Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)
-
-This policy setting determines what values the TPM measures when it validates early boot components before unlocking a drive on a computer running Windows Vista, Windows Server 2008, or Windows 7.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be configured how the computer's TPM security hardware secures the BitLocker encryption key.|
-|**Introduced**|Windows Server 2008 and Windows Vista|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|None|
-|**When enabled**|The boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive can be configured. If any of these components change while BitLocker protection is in effect, the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.|
-|**When disabled or not configured**|The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.|
-
-#### Reference: Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)
-
-This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker is already turned on with TPM protection.
-
-A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following PCRs:
-
-- Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0)
-- Option ROM Code (PCR 2)
-- Master Boot Record (MBR) Code (PCR 4)
-- NTFS Boot Sector (PCR 8)
-- NTFS Boot Block (PCR 9)
-- Boot Manager (PCR 10)
-- BitLocker Access Control (PCR 11)
-
-> [!NOTE]
-> The default TPM validation profile PCR settings for computers that use an Extensible Firmware Interface (EFI) are the PCRs 0, 2, 4, and 11 only.
-
-The following list identifies all of the available PCRs:
-
-- PCR 0: Core root-of-trust for measurement, EFI boot and run-time services, EFI drivers embedded in system ROM, ACPI static tables, embedded SMM code, and BIOS code
-- PCR 1: Platform and motherboard configuration and data. Hand-off tables and EFI variables that affect system configuration
-- PCR 2: Option ROM code
-- PCR 3: Option ROM data and configuration
-- PCR 4: Master Boot Record (MBR) code or code from other boot devices
-- PCR 5: Master Boot Record (MBR) partition table. Various EFI variables and the GPT table
-- PCR 6: State transition and wake events
-- PCR 7: Computer manufacturer-specific
-- PCR 8: NTFS boot sector
-- PCR 9: NTFS boot block
-- PCR 10: Boot manager
-- PCR 11: BitLocker access control
-- PCR 12 - 23: Reserved for future use
-
-> [!WARNING]
-> Changing from the default platform validation profile affects the security and manageability of a computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
-
-### Configure TPM platform validation profile for native UEFI firmware configurations
-
-This policy setting determines what values the TPM measures when it validates early boot components before unlocking an operating system drive on a computer with native UEFI firmware configurations.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be configured how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key.|
-|**Introduced**|Windows Server 2012 and Windows 8|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|Setting this policy with PCR 7 omitted overrides the **Allow Secure Boot for integrity validation** Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation.
If an environment uses TPM and Secure Boot for platform integrity checks, this policy is configured.
For more information about PCR 7, see [About the Platform Configuration Register (PCR)](#about-the-platform-configuration-register-pcr) in this article.|
-|**When enabled**|Before BitLocker is turned on, the boot components that the TPM validates before it unlocks access to the BitLocker-encrypted operating system drive can be configured. If any of these components change while BitLocker protection is in effect, the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.|
-|**When disabled or not configured**|BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script.|
-
-#### Reference: Configure TPM platform validation profile for native UEFI firmware configurations
-
-This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker is already turned on with TPM protection.
-
-> [!IMPORTANT]
-> This group policy setting only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting to configure the TPM PCR profile for computers with BIOS configurations or for computers with UEFI firmware with a CSM enabled.
-
-A platform validation profile consists of a set of PCR indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the core system firmware executable code (PCR 0), extended or pluggable executable code (PCR 2), boot manager (PCR 4), and the BitLocker access control (PCR 11).
-
-The following list identifies all of the available PCRs:
-
-- PCR 0: Core System Firmware executable code
-- PCR 1: Core System Firmware data
-- PCR 2: Extended or pluggable executable code
-- PCR 3: Extended or pluggable firmware data
-- PCR 4: Boot Manager
-- PCR 5: GPT/Partition Table
-- PCR 6: Resume from S4 and S5 Power State Events
-- PCR 7: Secure Boot State
-
- For more information about this PCR, see [About the Platform Configuration Register (PCR)](#about-the-platform-configuration-register-pcr) in this article.
-
-- PCR 8: Initialized to 0 with no Extends (reserved for future use)
-- PCR 9: Initialized to 0 with no Extends (reserved for future use)
-- PCR 10: Initialized to 0 with no Extends (reserved for future use)
-- PCR 11: BitLocker access control
-- PCR 12: Data events and highly volatile events
-- PCR 13: Boot Module Details
-- PCR 14: Boot Authorities
-- PCR 15 - 23: Reserved for future use
-
-> [!WARNING]
-> Changing from the default platform validation profile affects the security and manageability of a computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
-
-### Reset platform validation data after BitLocker recovery
-
-This policy setting determines if platform validation data should refresh when Windows is started following a BitLocker recovery. A platform validation data profile consists of the values in a set of Platform Configuration Register (PCR) indices that range from 0 to 23.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be controlled whether platform validation data is refreshed when Windows is started following a BitLocker recovery.|
-|**Introduced**|Windows Server 2012 and Windows 8|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|None|
-|**When enabled**|Platform validation data is refreshed when Windows is started following a BitLocker recovery.|
-|**When disabled**|Platform validation data isn't refreshed when Windows is started following a BitLocker recovery.|
-|**When not configured**|Platform validation data is refreshed when Windows is started following a BitLocker recovery.|
-
-#### Reference: Reset platform validation data after BitLocker recovery
-
-For more information about the recovery process, see the [BitLocker recovery guide](bitlocker-recovery-guide-plan.md).
-
-### Use enhanced Boot Configuration Data validation profile
-
-This policy setting determines specific Boot Configuration Data (BCD) settings to verify during platform validation. A platform validation uses the data in the platform validation profile, which consists of a set of Platform Configuration Register (PCR) indices that range from 0 to 23.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, Boot Configuration Data (BCD) settings to verify during platform validation can be specified.|
-|**Introduced**|Windows Server 2012 and Windows 8|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|When BitLocker is using Secure Boot for platform and Boot Configuration Data integrity validation, the **Use enhanced Boot Configuration Data validation profile** Group Policy setting is ignored (as defined by the **Allow Secure Boot for integrity validation** Group Policy setting).|
-|**When enabled**|Additional BCD settings can be added and specified BCD settings can be excluded. Also a customized BCD validation profile can be created by combining inclusion and exclusion lists. The customized BCD validation profile gives the ability to verify BCD settings.|
-|**When disabled**|The computer reverts to a BCD profile validation similar to the default BCD profile that is used by Windows 7.|
-|**When not configured**|The computer verifies the default BCD settings in Windows.|
-
-#### Reference: Use enhanced Boot Configuration Data validation profile
-
-> [!NOTE]
-> The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it's included in the inclusion or the exclusion list.
-
-### Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
-
-This policy setting is used to control whether access to drives is allowed by using the BitLocker To Go Reader, and whether BitLocker To Go Reader can be installed on the drive.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be configured whether fixed data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2).|
-|**Introduced**|Windows Server 2008 R2 and Windows 7|
-|**Drive type**|Fixed data drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*|
-|**Conflicts**|None|
-|**When enabled and When not configured**|Fixed data drives that are formatted with the FAT file system can be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.|
-|**When disabled**|Fixed data drives that are formatted with the FAT file system and are BitLocker-protected can't be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) isn't installed.|
-
-#### Reference: Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
-
-> [!NOTE]
-> This policy setting doesn't apply to drives that are formatted with the NTFS file system.
-
-When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted fixed drives** check box to help prevent users from running BitLocker To Go Reader from their fixed drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that doesn't have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user is prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. In this situation, for the fixed drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box isn't selected, then BitLocker To Go Reader will be installed on the fixed drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2.
-
-### Allow access to BitLocker-protected removable data drives from earlier versions of Windows
-
-This policy setting controls access to removable data drives that are using the BitLocker To Go Reader and whether the BitLocker To Go Reader can be installed on the drive.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be configured whether removable data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2.|
-|**Introduced**|Windows Server 2008 R2 and Windows 7|
-|**Drive type**|Removable data drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*|
-|**Conflicts**|None|
-|**When enabled and When not configured**|Removable data drives that are formatted with the FAT file system can be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.|
-|**When disabled**|Removable data drives that are formatted with the FAT file system that are BitLocker-protected can't be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) isn't installed.|
-
-#### Reference: Allow access to BitLocker-protected removable data drives from earlier versions of Windows
-
-> [!NOTE]
-> This policy setting doesn't apply to drives that are formatted with the NTFS file system.
-
-When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted removable drives** check box to help prevent users from running BitLocker To Go Reader from their removable drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that doesn't have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user will be prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. In this situation, for the removable drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box isn't selected, then BitLocker To Go Reader will be installed on the removable drive to enable users to unlock the drive on computers running Windows Vista or Windows XP that don't have BitLocker To Go Reader installed.
-
-## FIPS setting
-
-The Federal Information Processing Standard (FIPS) setting for FIPS compliance can be configured. As an effect of FIPS compliance, users can't create or save a BitLocker password for recovery or as a key protector. The use of a recovery key is permitted.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|Notes|
-|**Introduced**|Windows Server 2003 with SP1|
-|**Drive type**|System-wide|
-|**Policy path**|*Local Policies* > *Security Options* > *System cryptography*: **Use FIPS compliant algorithms for encryption, hashing, and signing**|
-|**Conflicts**|Some applications, such as Terminal Services, don't support FIPS-140 on all operating systems.|
-|**When enabled**|Users will be unable to save a recovery password to any location. This policy setting includes AD DS and network folders. Also, WMI or the BitLocker Drive Encryption Setup wizard can't be used to create a recovery password.|
-|**When disabled or not configured**|No BitLocker encryption key is generated|
-
-### Reference: FIPS setting
-
-This policy must be enabled before any encryption key is generated for BitLocker. When this policy is enabled, BitLocker prevents creating or using recovery passwords, so recovery keys should be used instead.
-
-The optional recovery key can be saved to a USB drive. Because recovery passwords can't be saved to AD DS when FIPS is enabled, an error is caused if AD DS backup is required by Group Policy.
-
-The FIPS setting can be edited by using the Security Policy Editor (`Secpol.msc`) or by editing the Windows registry. Only administrators can perform these procedures.
-
-For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](../../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
-
-## Power management group policy settings: Sleep and Hibernate
-
-PCs default power settings for a computer will cause the computer to enter Sleep mode frequently to conserve power when idle and to help extend the system's battery life. When a computer transitions to Sleep, open programs and documents are persisted in memory. When a computer resumes from Sleep, users aren't required to reauthenticate with a PIN or USB startup key to access encrypted data. Not needing to reauthenticate when resuming from Sleep might lead to conditions where data security is compromised.
-
-However, when a computer hibernates the drive is locked, and when it resumes from hibernation the drive is unlocked, which means that users will need to provide a PIN or a startup key if using multifactor authentication with BitLocker. Therefore, organizations that use BitLocker may want to use Hibernate instead of Sleep for improved security. This setting doesn't have an impact on TPM-only mode, because it provides a transparent user experience at startup and when resuming from the Hibernate states.
-
-To disable all available sleep states, disable the Group Policy settings located in **Computer Configuration** > **Administrative Templates** > **System** > **Power Management** :
-
-- **Allow Standby States (S1-S3) When Sleeping (Plugged In)**
-- **Allow Standby States (S1-S3) When Sleeping (Battery)**
-
-## About the Platform Configuration Register (PCR)
-
-A platform validation profile consists of a set of PCR indices that range from 0 to 23. The scope of the values can be specific to the version of the operating system.
-
-Changing from the default platform validation profile affects the security and manageability of a computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
-
-### About PCR 7
-
-PCR 7 measures the state of Secure Boot. With PCR 7, BitLocker can use Secure Boot for integrity validation. Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. PCR 7 measurements indicate whether Secure Boot is on and which keys are trusted on the platform. If Secure Boot is on and the firmware measures PCR 7 correctly per the UEFI specification, BitLocker can bind to this information rather than to PCRs 0, 2, and 4, which have the measurements of the exact firmware and Bootmgr images loaded. This process reduces the likelihood of BitLocker starting in recovery mode as a result of firmware and image updates, and it provides with greater flexibility to manage the preboot configuration.
-
-PCR 7 measurements must follow the guidance that is described in [Appendix A Trusted Execution Environment EFI Protocol](/windows-hardware/test/hlk/testref/trusted-execution-environment-efi-protocol).
-
-PCR 7 measurements are a mandatory logo requirement for systems that support Modern Standby (also known as Always On, Always Connected PCs), such as the Microsoft Surface RT. On such systems, if the TPM with PCR 7 measurement and secure boot are correctly configured, BitLocker binds to PCR 7 and PCR 11 by default.
-
-## Related articles
-
-- [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview)
-- [TPM Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings)
-- [BitLocker frequently asked questions (FAQ)](faq.yml)
-- [BitLocker overview](index.md)
-- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
deleted file mode 100644
index 1c64084bcd..0000000000
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
+++ /dev/null
@@ -1,102 +0,0 @@
----
-title: BitLocker How to deploy on Windows Server
-description: This article for the IT professional explains how to deploy BitLocker and Windows Server
-ms.topic: conceptual
-ms.date: 11/08/2022
----
-
-# BitLocker: How to deploy on Windows Server
-
-This article explains how to deploy BitLocker on Windows Server. For all Windows Server editions, BitLocker can be installed using Server Manager or Windows PowerShell cmdlets. BitLocker requires administrator privileges on the server on which it's to be installed.
-
-## Installing BitLocker
-
-### To install BitLocker using server manager
-
-1. Open server manager by selecting the server manager icon or running `servermanager.exe`.
-1. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.**
-1. With the **Add Roles and Features** wizard open, select **Next** at the **Before you begin** pane (if shown).
-1. Select **Role-based or feature-based installation** on the **Installation type** pane of the **Add Roles and Features** wizard and select **Next** to continue.
-1. Select the **Select a server from the server pool** option in the **Server Selection** pane and confirm the server on which the BitLocker feature is to be installed.
-1. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane.
- > [!NOTE]
- > Server roles and features are installed by using the same wizard in Server Manager.
-1. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features** wizard. The wizard shows the extra management features available for BitLocker. If the extra management features aren't needed and/or don't need to be installed, deselect the **Include management tools**.
- > [!NOTE]
- > The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for encrypted hard drives on capable systems.
-1. Select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard.
-1. Select **Install** on the **Confirmation** pane of the **Add Roles and Features** wizard to begin BitLocker feature installation. The BitLocker feature requires a restart for its installation to be complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane forces a restart of the computer after installation is complete.
-1. If the **Restart the destination server automatically if required** check box isn't selected, the **Results** pane of the **Add Roles and Features** wizard displays the success or failure of the BitLocker feature installation. If necessary, a notification of other action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text.
-
-### To install BitLocker using Windows PowerShell
-
-Windows PowerShell offers administrators another option for BitLocker feature installation. Windows PowerShell installs features using the `servermanager` or `dism.exe` module. However, the `servermanager` and `dism.exe` modules don't always share feature name parity. Because of this mismatch of feature name parity, it's advisable to confirm the feature or role name prior to installation.
-
-> [!NOTE]
-> The server must be restarted to complete the installation of BitLocker.
-
-### Using the servermanager module to install BitLocker
-
-The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`.
-
-By default, installation of features in Windows PowerShell doesn't include optional subfeatures or management tools as part of the installation process. What is installed as part of the installation process can be seen using the `-WhatIf` option in Windows PowerShell.
-
-```powershell
-Install-WindowsFeature BitLocker -WhatIf
-```
-
-The results of this command show that only the BitLocker Drive Encryption feature is installed using this command.
-
-To see what would be installed with the BitLocker feature, including all available management tools and subfeatures, use the following command:
-
-```powershell
-Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf | fl
-```
-
-The result of this command displays the following list of all the administration tools for BitLocker, which would be installed along with the feature, including tools for use with Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).
-
-- BitLocker Drive Encryption
-- BitLocker Drive Encryption Tools
-- BitLocker Drive Encryption Administration Utilities
-- BitLocker Recovery Password Viewer
-- AD DS Snap-Ins and Command-Line Tools
-- AD DS Tools
-- AD DS and AD LDS Tools
-
-The command to complete a full installation of the BitLocker feature with all available subfeatures and then to reboot the server at completion is:
-
-```powershell
-Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
-```
-
-> [!IMPORTANT]
-> Installing the BitLocker feature using Windows PowerShell does not install the Enhanced Storage feature. Administrators wishing to support Encrypted Hard Drives in their environment will need to install the Enhanced Storage feature separately.
-
-### Using the dism module to install BitLocker
-
-The `dism.exe` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism.exe` module doesn't support wildcards when searching for feature names. To list feature names for the `dism.exe` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command lists all of the optional features in an online (running) operating system.
-
-```powershell
-Get-WindowsOptionalFeature -Online | ft
-```
-
-From this output, there are three BitLocker-related optional feature names: **BitLocker**, **BitLocker-Utilities** and **BitLocker-NetworkUnlock**. To install the BitLocker feature, the **BitLocker** and **BitLocker-Utilities** features are the only required items.
-
-To install BitLocker using the `dism.exe` module, use the following command:
-
-```powershell
-Enable-WindowsOptionalFeature -Online -FeatureName BitLocker -All
-```
-
-This command prompts the user for a reboot. The Enable-WindowsOptionalFeature cmdlet doesn't offer support for forcing a reboot of the computer. This command doesn't include installation of the management tools for BitLocker. For a complete installation of BitLocker and all available management tools, use the following command:
-
-```powershell
-Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilities -All
-```
-
-## Related articles
-
-- [BitLocker overview](index.md)
-- [BitLocker frequently asked questions (FAQ)](faq.yml)
-- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
-- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
deleted file mode 100644
index 11f7b07e86..0000000000
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ /dev/null
@@ -1,453 +0,0 @@
----
-title: BitLocker - How to enable Network Unlock
-description: This article for the IT professional describes how BitLocker Network Unlock works and how to configure it.
-ms.topic: conceptual
-ms.date: 11/08/2022
----
-
-# BitLocker: How to enable Network Unlock
-
-This article describes how BitLocker Network Unlock works and how to configure it.
-
-Network Unlock is a BitLocker protector option for operating system volumes. Network Unlock enables easier management for BitLocker-enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware. Without Network Unlock, operating system volumes protected by TPM+PIN protectors require a PIN to be entered when a computer reboots or resumes from hibernation (for example, by Wake on LAN). Requiring a PIN after a reboot can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers.
-
-Network Unlock allows BitLocker-enabled systems that have a TPM+PIN and that meet the hardware requirements to boot into Windows without user intervention. Network Unlock works in a similar fashion to the TPM+StartupKey at boot. Rather than needing to read the StartupKey from USB media, however, the Network Unlock feature needs the key to be composed from a key stored in the TPM and an encrypted network key that is sent to the server, decrypted and returned to the client in a secure session.
-
-## Network Unlock core requirements
-
-Network Unlock must meet mandatory hardware and software requirements before the feature can automatically unlock domain-joined systems. These requirements include:
-
-- Currently supported Windows operating system
-- Any supported operating system with UEFI DHCP drivers that can serve as Network Unlock clients
-- Network Unlock clients with a TPM chip and at least one TPM protector
-- A server running the Windows Deployment Services (WDS) role on any supported server operating system
-- BitLocker Network Unlock optional feature installed on any supported server operating system
-- A DHCP server, separate from the WDS server
-- Properly configured public/private key pairing
-- Network Unlock group policy settings configured
-- Network stack enabled in the UEFI firmware of client devices
-
-> [!NOTE]
-> To properly support DHCP within UEFI, the UEFI-based system should be in native mode and shouldn't have a compatibility support module (CSM) enabled.
-
-For Network Unlock to work reliably on computers, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP. This first network adapter must be used for Network Unlock. This configuration is especially worth noting when the device has multiple adapters, and some adapters are configured without DHCP, such as for use with a lights-out management protocol. This configuration is necessary because Network Unlock stops enumerating adapters when it reaches one with a DHCP port failure for any reason. Thus, if the first enumerated adapter doesn't support DHCP, isn't plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock fails.
-
-The Network Unlock server component is installed on supported versions of Windows Server 2012 and later as a Windows feature that uses Server Manager or Windows PowerShell cmdlets. The feature name is BitLocker Network Unlock in Server Manager and BitLocker-NetworkUnlock in Windows PowerShell. This feature is a core requirement.
-
-Network Unlock requires Windows Deployment Services (WDS) in the environment where the feature will be utilized. Configuration of the WDS installation isn't required. However, the WDS service must be running on the server.
-
-The network key is stored on the system drive along with an AES 256 session key and encrypted with the 2048-bit RSA public key of the Unlock server certificate. The network key is decrypted with the help of a provider on a supported version of Windows Server running WDS, and returned encrypted with its corresponding session key.
-
-## Network Unlock sequence
-
-The unlock sequence starts on the client side when the Windows boot manager detects the existence of Network Unlock protector. It uses the DHCP driver in UEFI to obtain an IP address for IPv4 and then broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate, as described above. The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply.
-
-On the server side, the WDS server role has an optional plugin component, like a PXE provider, which is what handles the incoming Network Unlock requests. The provider can also be configured with subnet restrictions, which would require that the IP address provided by the client in the Network Unlock request belong to a permitted subnet to release the network key to the client. In instances where the Network Unlock provider is unavailable, BitLocker fails over to the next available protector to unlock the drive. In a typical configuration, the standard TPM+PIN unlock screen is presented to unlock the drive.
-
-The server side configuration to enable Network Unlock also requires provisioning a 2048-bit RSA public/private key pair in the form of an X.509 certificate, and distributing the public key certificate to the clients. This certificate must be managed and deployed through the Group Policy editor directly on a domain controller with at least a Domain Functional Level of Windows Server 2012. This certificate is the public key that encrypts the intermediate network key (which is one of the two secrets required to unlock the drive; the other secret is stored in the TPM).
-
-Manage and deploy this certificate through the Group Policy editor directly on a domain controller that has a domain functional level of at least Windows Server 2012. This certificate is the public key that encrypts the intermediate network key. The intermediate network key is one of the two secrets that are required to unlock the drive; the other secret is stored in the TPM.
-
-
-
-The Network Unlock process follows these phases:
-
-1. The Windows boot manager detects a Network Unlock protector in the BitLocker configuration.
-
-2. The client computer uses its DHCP driver in the UEFI to get a valid IPv4 IP address.
-
-3. The client computer broadcasts a vendor-specific DHCP request that contains:
-
- 1. A network key (a 256-bit intermediate key) that is encrypted by using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server.
-
- 2. An AES-256 session key for the reply.
-
-4. The Network Unlock provider on the WDS server recognizes the vendor-specific request.
-
-5. The provider decrypts the request by using the WDS server's BitLocker Network Unlock certificate RSA private key.
-
-6. The WDS provider returns the network key encrypted with the session key by using its own vendor-specific DHCP reply to the client computer. This key is an intermediate key.
-
-7. The returned intermediate key is combined with another local 256-bit intermediate key. This key can be decrypted only by the TPM.
-
-8. This combined key is used to create an AES-256 key that unlocks the volume.
-
-9. Windows continues the boot sequence.
-
-## Configure Network Unlock
-
-The following steps allow an administrator to configure Network Unlock in a domain where the Domain Functional Level is at least Windows Server 2012.
-
-### Install the WDS server role
-
-The BitLocker Network Unlock feature installs the WDS role if it isn't already installed. WDS can be installed separately before BitLocker Network Unlock is installed by using **Server Manager** or **Windows PowerShell**. To install the role using Server Manager, select the **Windows Deployment Services** role in **Server Manager**.
-
-To install the role by using Windows PowerShell, use the following command:
-
-```powershell
-Install-WindowsFeature WDS-Deployment
-```
-
-The WDS server must be configured so that it can communicate with DHCP (and optionally AD DS) and the client computer. The WDS server can be configured using the WDS management tool, `wdsmgmt.msc`, which starts the Windows Deployment Services Configuration wizard.
-
-### Confirm the WDS service is running
-
-To confirm that the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm that the service is running in Services Management Console, open the console using `services.msc` and check the status of the Windows Deployment Services service.
-
-To confirm that the service is running using Windows PowerShell, use the following command:
-
-```powershell
-Get-Service WDSServer
-```
-
-### Install the Network Unlock feature
-
-To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console.
-
-To install the feature by using Windows PowerShell, use the following command:
-
-```powershell
-Install-WindowsFeature BitLocker-NetworkUnlock
-```
-
-### Create the certificate template for Network Unlock
-
-A properly configured Active Directory Services Certification Authority can use this certificate template to create and issue Network Unlock certificates.
-
-1. Open the Certificates Template snap-in (`certtmpl.msc`).
-
-2. Locate the User template, right-click the template name and select **Duplicate Template**.
-
-3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8, respectively. Ensure that the **Show resulting changes** dialog box is selected.
-
-4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the check box for the **Publish certificate in Active Directory** option.
-
-5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop-down menu. Ensure that the **Allow private key to be exported** option is selected.
-
-6. Select the **Cryptography** tab. Set the **Minimum key size** to 2048. Any Microsoft cryptographic provider that supports RSA can be used for this template, but for simplicity and forward compatibility, it is recommended to use **Microsoft Software Key Storage Provider**.
-
-7. Select the **Requests must use one of the following providers** option and clear all options except for the cryptography provider selected, such as **Microsoft Software Key Storage Provider**.
-
-8. Select the **Subject Name** tab. Select **Supply in the request**. Select **OK** if the certificate templates pop-up dialog appears.
-
-9. Select the **Issuance Requirements** tab. Select both **CA certificate manager approval** and **Valid existing certificate** options.
-
-10. Select the **Extensions** tab. Select **Application Policies** and choose **Edit…**.
-
-11. In the **Edit Application Policies Extension** options dialog box, select **Client Authentication**, **Encrypting File System**, **and Secure Email** and choose **Remove**.
-
-12. On the **Edit Application Policies Extension** dialog box, select **Add**.
-
-13. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box, enter the following information in the space provided and then select **OK** to create the BitLocker Network Unlock application policy:
-
- - *Name:* **BitLocker Network Unlock**
- - *Object Identifier:* **1.3.6.1.4.1.311.67.1.1**
-
-14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**.
-
-15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog. Select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option.
-
-16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission.
-
-17. Select **OK** to complete configuration of the template.
-
-To add the Network Unlock template to the certificate authority, open the certificate authority snap-in (`certsrv.msc`). Right-click **Certificate Templates**, and then choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate.
-
-After the Network Unlock template is added to the certificate authority, this certificate can be used to configure BitLocker Network Unlock.
-
-### Create the Network Unlock certificate
-
-Network Unlock can use imported certificates from an existing public key infrastructure (PKI). Or it can use a self-signed certificate.
-
-To enroll a certificate from an existing certificate authority:
-
-1. On the WDS server, open Certificate Manager by using `certmgr.msc`.
-
-2. Under **Certificates - Current User**, right-click **Personal**.
-
-3. Select **All Tasks** > **Request New Certificate**.
-
-4. When the Certificate Enrollment wizard opens, select **Next**.
-
-5. Select **Active Directory Enrollment Policy**.
-
-6. Choose the certificate template that was created for Network Unlock on the domain controller. Then select **Enroll**.
-
-7. When prompted for more information, select **Subject Name** and provide a friendly name value. The friendly name should include information for the domain or organizational unit for the certificate. For example:
-
- *BitLocker Network Unlock Certificate for Contoso domain*
-
-8. Create the certificate. Ensure the certificate appears in the **Personal** folder.
-
-9. Export the public key certificate for Network Unlock:
-
- 1. Create a `.cer` file by right-clicking the previously created certificate, selecting **All Tasks**, and then selecting **Export**.
-
- 2. Select **No, do not export the private key**.
-
- 3. Select **DER encoded binary X.509** and complete exporting the certificate to a file.
-
- 4. Give the file a name such as BitLocker-NetworkUnlock.cer.
-
-10. Export the public key with a private key for Network Unlock.
-
- 1. Create a `.pfx` file by right-clicking the previously created certificate, selecting **All Tasks**, and then selecting **Export**.
-
- 2. Select **Yes, export the private key**.
-
- 3. Complete the steps to create the `.pfx` file.
-
-To create a self-signed certificate, either use the `New-SelfSignedCertificate` cmdlet in Windows PowerShell or use `certreq.exe`. For example:
-
-**Windows PowerShell:**
-
-```powershell
-New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN=BitLocker Network Unlock certificate" -Provider "Microsoft Software Key Storage Provider" -KeyUsage KeyEncipherment -KeyUsageProperty Decrypt,Sign -KeyLength 2048 -HashAlgorithm sha512 -TextExtension @("1.3.6.1.4.1.311.21.10={text}OID=1.3.6.1.4.1.311.67.1.1","2.5.29.37={text}1.3.6.1.4.1.311.67.1.1")
-```
-
-**certreq.exe:**
-
-1. Create a text file with an `.inf` extension, for example:
-
- ```cmd
- notepad.exe BitLocker-NetworkUnlock.inf
- ```
-
-2. Add the following contents to the previously created file:
-
- ```ini
- [NewRequest]
- Subject="CN=BitLocker Network Unlock certificate"
- ProviderType=0
- MachineKeySet=True
- Exportable=true
- RequestType=Cert
- KeyUsage="CERT_KEY_ENCIPHERMENT_KEY_USAGE"
- KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG | NCRYPT_ALLOW_SIGNING_FLAG"
- KeyLength=2048
- SMIME=FALSE
- HashAlgorithm=sha512
- [Extensions]
- 1.3.6.1.4.1.311.21.10 = "{text}"
- _continue_ = "OID=1.3.6.1.4.1.311.67.1.1"
- 2.5.29.37 = "{text}"
- _continue_ = "1.3.6.1.4.1.311.67.1.1"
- ```
-
-3. Open an elevated command prompt and use the `certreq.exe` tool to create a new certificate. Use the following command, specifying the full path to the file that was created previously along with the file name:
-
- ```cmd
- certreq.exe -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer
- ```
-
-4. Verify that certificate was properly created by the previous command by confirming that the `.cer` file exists.
-
-5. Launch the **Certificates - Local Computer** console by running `certlm.msc`.
-
-6. Create a `.pfx` file by following the below steps the **Certificates - Local Computer** console:
-
- 1. Navigate to **Certificates - Local Computer** > **Personal** > **Certificates**
-
- 2. Right-click the previously imported certificate, select **All Tasks**, and then select **Export**
-
- 3. Follow through the wizard to create the `.pfx` file.
-
-### Deploy the private key and certificate to the WDS server
-
-After creating the certificate and key, deploy them to the infrastructure to properly unlock systems. To deploy the certificates:
-
-1. On the WDS server, launch the **Certificates - Local Computer** console by running `certlm.msc`.
-
-2. Right-click **BitLocker Drive Encryption Network Unlock** item under **Certificates (Local Computer)**, select **All Tasks**, and then select **Import**.
-
-3. In the **File to Import** dialog, choose the `.pfx` file created previously.
-
-4. Enter the password used to create the `.pfx` and complete the wizard.
-
-### Configure group policy settings for Network Unlock
-
-With certificate and key deployed to the WDS server for Network Unlock, the final step is to use group policy settings to deploy the public key certificate to the desired computers that will use the Network Unlock key to unlock. Group policy settings for BitLocker can be found under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console.
-
-The following steps describe how to enable the group policy setting that is a requirement for configuring Network Unlock.
-
-1. Open Group Policy Management Console (`gpmc.msc`).
-2. Enable the policy **Require additional authentication at startup**, and then select **Require startup PIN with TPM** or **Allow startup PIN with TPM**.
-3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers.
-
-The following steps describe how to deploy the required group policy setting:
-
-> [!NOTE]
-> The group policy settings **Allow Network Unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012.
-
-1. Copy the `.cer` file that was created for Network Unlock to the domain controller.
-
-2. On the domain controller, open Group Policy Management Console (`gpmc.msc`).
-
-3. Create a new Group Policy Object or modify an existing object to enable the **Allow Network Unlock at startup** setting.
-
-4. Deploy the public certificate to clients:
-
- 1. Within group policy management console, navigate to the following location:
-
- **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Public Key Policies** > **BitLocker Drive Encryption Network Unlock Certificate**.
-
- 2. Right-click the folder and select **Add Network Unlock Certificate**.
-
- 3. Follow the wizard steps and import the `.cer` file that was copied earlier.
-
- > [!NOTE]
- > Only one Network Unlock certificate can be available at a time. If a new certificate is needed, delete the current certificate before deploying a new one. The Network Unlock certificate is located under the **`HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\FVE_NKP`** registry key on the client computer.
-
-5. Reboot the clients after the Group Policy is deployed.
-
- > [!NOTE]
- > The **Network (Certificate Based)** protector will be added only after a reboot, with the policy enabled and a valid certificate present in the FVE_NKP store.
-
-### Subnet policy configuration files on the WDS server (optional)
-
-By default, all clients with the correct Network Unlock certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which are the subnet(s) the Network Unlock clients can use to unlock.
-
-The configuration file, called bde-network-unlock.ini, must be located in the same directory as the Network Unlock provider DLL (`%windir%\System32\Nkpprov.dll`) and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider fails and stops responding to requests.
-
-The subnet policy configuration file must use a **\[SUBNETS\]** section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name-value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equal-sign, and the subnet identified on the right of the equal-sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word **ENABLED** is disallowed for subnet names.
-
-```ini
-[SUBNETS]
-SUBNET1=10.185.250.0/24 ; a comment about this subrange could be here, after the semicolon
-SUBNET2=10.185.252.200/28
-SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet
-SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP.
-```
-
-Following the **\[SUBNETS\]** section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define the subnets clients that can be unlocked from that certificate.
-
-> [!NOTE]
-> When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint, the subnet configuration fails because the thumbprint will not be recognized as valid.
-
-Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnets are listed in a certificate section, then only those subnets are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate doesn't have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. For restrictions to apply to every certificate, there must be a certificate section for every Network Unlock certificate on the server, and an explicit allowed list set for each certificate section.
-
-Subnet lists are created by putting the name of a subnet from the **\[SUBNETS\]** section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by commenting it out with a prepended semi-colon.
-
-```ini
-[2158a767e1c14e88e27a4c0aee111d2de2eafe60]
-;Comments could be added here to indicate when the cert was issued, which Group Policy should get it, and so on.
-;This list shows this cert is allowed to unlock clients only on the SUBNET1 and SUBNET3 subnets. In this example, SUBNET2 is commented out.
-SUBNET1
-;SUBNET2
-SUBNET3
-```
-
-To disallow the use of a certificate altogether, add a `DISABLED` line to its subnet list.
-
-## Turn off Network Unlock
-
-To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors, the **Allow Network Unlock at startup** group policy setting should be disabled. When this policy setting is updated to **disabled** on client computers, any Network Unlock key protector on the computer is deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain.
-
-> [!NOTE]
-> Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server's ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server.
-
-## Update Network Unlock certificates
-
-To update the certificates used by Network Unlock, administrators need to import or generate the new certificate for the server, and then update the Network Unlock certificate group policy setting on the domain controller.
-
-> [!NOTE]
-> Servers that don't receive the Group Policy Object (GPO) will require a PIN when they boot. In such cases, find out why the server didn't receive the GPO to update the certificate.
-
-## Troubleshoot Network Unlock
-
-Troubleshooting Network Unlock issues begins by verifying the environment. Many times, a small configuration issue can be the root cause of the failure. Items to verify include:
-
-- Verify that the client hardware is UEFI-based and is on firmware version 2.3.1 and that the UEFI firmware is in native mode without a Compatibility Support Module (CSM) for BIOS mode enabled. Verification can be done by checking that the firmware doesn't have an option enabled such as "Legacy mode" or "Compatibility mode" or that the firmware doesn't appear to be in a BIOS-like mode.
-
-- All required roles and services are installed and started.
-
-- Public and private certificates have been published and are in the proper certificate containers. The presence of the Network Unlock certificate can be verified in the Microsoft Management Console (MMC.exe) on the WDS server with the certificate snap-ins for the local computer enabled. The client certificate can be verified by checking the registry key **`HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\FVE_NKP`** on the client computer.
-
-- Group policy for Network Unlock is enabled and linked to the appropriate domains.
-
-- Verify whether group policy is reaching the clients properly. Verification of group policy can be done using the `GPRESULT.exe` or `RSOP.msc` utilities.
-
-- Verify whether the clients were rebooted after applying the policy.
-
-- Verify whether the **Network (Certificate Based)** protector is listed on the client. Verification of the protector can be done using either manage-bde or Windows PowerShell cmdlets. For example, the following command will list the key protectors currently configured on the C: drive of the local computer:
-
- ```powershell
- manage-bde.exe -protectors -get C:
- ```
-
- > [!NOTE]
- > Use the output of `manage-bde.exe` along with the WDS debug log to determine whether the proper certificate thumbprint is being used for Network Unlock.
-
-Gather the following files to troubleshoot BitLocker Network Unlock.
-
-- The Windows event logs. Specifically, get the BitLocker event logs and the Microsoft-Windows-Deployment-Services-Diagnostics-Debug log.
-
- Debug logging is turned off by default for the WDS server role. To retrieve WDS debug logs, the WDS debug logs first need to be enabled. Use either of the following two methods to turn on WDS debug logging.
-
- - Start an elevated command prompt, and then run the following command:
-
- ```cmd
- wevtutil.exe sl Microsoft-Windows-Deployment-Services-Diagnostics/Debug /e:true
- ```
-
- - Open **Event Viewer** on the WDS server:
-
- 1. In the left pane, navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **Deployment-Services-Diagnostics** > **Debug**.
- 2. In the right pane, select **Enable Log**.
-
-- The DHCP subnet configuration file (if one exists).
-
-- The output of the BitLocker status on the volume. Gather this output into a text file by using `manage-bde.exe -status`. Or in Windows PowerShell, use `Get-BitLockerVolume`.
-
-- The Network Monitor capture on the server that hosts the WDS role, filtered by client IP address.
-
-
-
-## Related articles
-
-- [BitLocker overview](index.md)
-- [BitLocker frequently asked questions (FAQ)](faq.yml)
-- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md
deleted file mode 100644
index e9c661179f..0000000000
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ /dev/null
@@ -1,115 +0,0 @@
----
-title: BitLocker management
-description: Refer to relevant documentation, products, and services to learn about managing BitLocker and see recommendations for different computers.
-ms.topic: conceptual
-ms.date: 11/08/2022
----
-
-# BitLocker management
-
-The ideal solution for BitLocker management is to eliminate the need for IT administrators to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, secure boot, and other hardware improvements, for example, have helped to alleviate the support burden on help desks and a decrease in support-call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1.
-
-Though much Windows [BitLocker documentation](index.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers.
-
-[!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-management.md)]
-
-## Managing domain-joined computers and moving to cloud
-
-Companies that image their own computers using Configuration Manager can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). These steps during an operating system deployment can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker Group Policy](bitlocker-group-policy-settings.md).
-
-Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](/lifecycle/products/?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201%2F) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Microsoft Entra ID.
-
-> [!IMPORTANT]
-> Microsoft BitLocker Administration and Monitoring (MBAM) capabilities are offered through Configuration Manager BitLocker Management. See [Plan for BitLocker management](/mem/configmgr/protect/plan-design/bitlocker-management) in the Configuration Manager documentation for additional information.
-
-
-
-## Managing devices joined to Microsoft Entra ID
-
-Devices joined to Microsoft Entra ID are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Prior to Windows 10, version 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider/), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access/) to services like Exchange Online and SharePoint Online.
-
-Starting with Windows 10 version 1703, the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider/) or the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 11, Windows 10, and on Windows phones.
-
-For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Microsoft Entra ID. Microsoft Entra ID provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Microsoft Entra ID. This process and feature is applicable to Azure Hybrid AD as well.
-
-## Managing workplace-joined PCs and phones
-
-For Windows PCs and Windows Phones that are enrolled using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Microsoft Entra ID.
-
-## Managing servers
-
-Servers are often installed, configured, and deployed using PowerShell; therefore, the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server; therefore, follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC.
-
-The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](/windows-server/get-started/getting-started-with-server-core/) installation, the necessary GUI components must be added first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) and [How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features).
-
-If a server is being installed manually, such as a stand-alone server, then choosing [Server with Desktop Experience](/windows-server/get-started/getting-started-with-server-with-desktop-experience/) is the easiest path because it avoids performing the steps to add a GUI to Server Core.
-
- Additionally, lights-out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
- For more information, see the BitLocker FAQs article and other useful links in [Related Articles](#related-articles).
-
-## PowerShell examples
-
-For Microsoft Entra joined computers, including virtual machines, the recovery password should be stored in Microsoft Entra ID.
-
-**Example**: *Use PowerShell to add a recovery password and back it up to Microsoft Entra ID before enabling BitLocker*
-
-```powershell
-Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
-
-$BLV = Get-BitLockerVolume -MountPoint "C:"
-
-BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
-```
-
-For domain-joined computers, including servers, the recovery password should be stored in Active Directory Domain Services (AD DS).
-
-**Example**: *Use PowerShell to add a recovery password and back it up to AD DS before enabling BitLocker*
-
-```powershell
-Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
-
-$BLV = Get-BitLockerVolume -MountPoint "C:"
-
-Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
-```
-
-PowerShell can then be used to enable BitLocker:
-
-**Example**: *Use PowerShell to enable BitLocker with a TPM protector*
-
-```powershell
-Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
-```
-
-**Example**: *Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to 123456*
-
-```powershell
-$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force
-
-Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
-```
-
-## Related Articles
-
-- [BitLocker: FAQs](faq.yml)
-- [Microsoft BitLocker Administration and Management (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/)
-- [Overview of BitLocker Device Encryption in Windows](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption)
-- [BitLocker Group Policy Reference](bitlocker-group-policy-settings.md)
-- [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune/)
-*(Overview)*
-- [Configuration Settings Providers](/windows/client-management/mdm/policy-configuration-service-provider)
-*(Policy CSP: See [Security-RequireDeviceEncryption](/windows/client-management/mdm/policy-csp-security#security-policies))*
-- [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/)
-
-### Windows Server setup tools
-
-- [Windows Server Installation Options](/windows-server/get-started-19/install-upgrade-migrate-19/)
-- [How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features)
-- [How to add or remove optional components on Server Core](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) *(Features on Demand)*
-- [How to deploy BitLocker on Windows Server](bitlocker-how-to-deploy-on-windows-server.md)
-- [How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
-- [Shielded VMs and Guarded Fabric](https://blogs.technet.microsoft.com/windowsserver/2016/05/10/a-closer-look-at-shielded-vms-in-windows-server-2016/)
-
-### PowerShell
-
-- [BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell)
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md
deleted file mode 100644
index a2bf3f755c..0000000000
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ /dev/null
@@ -1,979 +0,0 @@
----
-title: BitLocker recovery guide
-description: This article for IT professionals describes how to recover BitLocker keys from Active Directory Domain Services (AD DS).
-ms.collection:
- - highpri
- - tier1
-ms.topic: conceptual
-ms.date: 11/08/2022
----
-
-# BitLocker recovery guide
-
-This article describes how to recover BitLocker keys from AD DS.
-
-Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It's recommended to create a recovery model for BitLocker while planning for BitLocker deployment.
-
-This article assumes that it's understood how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS.
-
-This article doesn't detail how to configure AD DS to store the BitLocker recovery information.
-
-## What is BitLocker recovery?
-
-BitLocker recovery is the process by which access can be restored to a BitLocker-protected drive if the drive can't be unlocked normally. In a recovery scenario, the following options to restore access to the drive are available:
-
-- **The user can supply the recovery password.** If the organization allows users to print or store recovery passwords, the users can enter in the 48-digit recovery password that they printed or stored on a USB drive or with a Microsoft account online. Saving a recovery password with a Microsoft account online is only allowed when BitLocker is used on a PC that isn't a member of a domain.
-
-- **Data recovery agents can use their credentials to unlock the drive.** If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it.
-
-- **A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive.** Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in an organization if needed. This method makes it mandatory to enable this recovery method in the BitLocker group policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
-
-### What causes BitLocker recovery?
-
-The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive:
-
-- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** in the Local Group Policy Editor. Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](/mem/intune)), to limit the number of failed password attempts before the device goes into Device Lockout.
-
-- On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 don't start BitLocker recovery in this case. TPM 2.0 doesn't consider a firmware change of boot device order as a security threat because the OS Boot Loader isn't compromised.
-
-- Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.
-
-- Failing to boot from a network drive before booting from the hard drive.
-
-- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. So if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it's unlocked. Conversely, if a portable computer isn't connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it's unlocked.
-
-- Changes to the NTFS partition table on the disk including creating, deleting, or resizing a primary partition.
-
-- Entering the personal identification number (PIN) incorrectly too many times so that the anti-hammering logic of the TPM is activated. Anti-hammering logic is software or hardware methods that increase the difficulty and cost of a brute force attack on a PIN by not accepting PIN entries until after a certain amount of time has passed.
-
-- Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if using USB-based keys instead of a TPM.
-
-- Turning off, disabling, deactivating, or clearing the TPM.
-
-- Upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade, causing the related boot measurements to change.
-
-- Forgetting the PIN when PIN authentication has been enabled.
-
-- Updating option ROM firmware.
-
-- Upgrading TPM firmware.
-
-- Adding or removing hardware; for example, inserting a new card in the computer, including some PCMIA wireless cards.
-
-- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
-
-- Changes to the master boot record on the disk.
-
-- Changes to the boot manager on the disk.
-
-- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM doesn't respond to commands from any software.
-
-- Using a different keyboard that doesn't correctly enter the PIN or whose keyboard map doesn't match the keyboard map assumed by the pre-boot environment. This problem can prevent the entry of enhanced PINs.
-
-- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change.
-
- > [!NOTE]
- > Some computers have BIOS settings that skip measurements to certain PCRs, such as **PCR\[2\]**. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different.
-
-- Moving the BitLocker-protected drive into a new computer.
-
-- Upgrading the motherboard to a new one with a new TPM.
-
-- Losing the USB flash drive containing the startup key when startup key authentication has been enabled.
-
-- Failing the TPM self-test.
-
-- Having a BIOS, UEFI firmware, or an option ROM component that isn't compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode.
-
-- Changing the usage authorization for the storage root key of the TPM to a non-zero value.
-
- > [!NOTE]
- > The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value.
-
-- Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr).
-
-- Pressing the F8 or F10 key during the boot process.
-
-- Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards.
-
-- Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive.
-
-> [!NOTE]
-> Before beginning recovery, it is recommend to determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if it is determined that an attacker has modified the computer by obtaining physical access, new security policies can be created for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker reseals the encryption key to the current values of the measured components.
-
-For planned scenarios, such as a known hardware or firmware upgrades, initiating recovery can be avoided by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key.
-
-> [!NOTE]
-> If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool.
-
-If software maintenance requires the computer to be restarted and two-factor authentication is being used, the BitLocker network unlock feature can be enabled to provide the secondary authentication factor when the computers don't have an on-premises user to provide the additional authentication method.
-
-Recovery has been described within the context of unplanned or undesired behavior. However, recovery can also be caused as an intended production scenario, for example in order to manage access control. When desktop or laptop computers are redeployed to other departments or employees in the enterprise, BitLocker can be forced into recovery before the computer is given to a new user.
-
-## Testing recovery
-
-Before a thorough BitLocker recovery process is created, it's recommended to test how the recovery process works for both end users (people who call the helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The `-forcerecovery` command of `manage-bde.exe` is an easy way to step through the recovery process before users encounter a recovery situation.
-
-**To force a recovery for the local computer:**
-
-1. Select the **Start** button and type in **cmd**
-
-2. Right select on **cmd.exe** or **Command Prompt** and then select **Run as administrator**.
-
-3. At the command prompt, enter the following command:
-
- ```cmd
- manage-bde.exe -forcerecovery
-
-
-| Custom URL | No |
-|----------------------|-----------------|
-| Saved to Microsoft Account | No |
-| Saved to Microsoft Entra ID | No |
-| Saved to Active Directory | No |
-| Printed | No |
-| Saved to file | No |
-| Creation time | **3PM** |
-| Key ID | T4521ER5 |
-
-**Result:** Only the hint for a successfully backed up key is displayed, even if it isn't the most recent key.
-
-
-
-#### Example 5 (multiple recovery passwords)
-
-| Custom URL | No |
-|----------------------|-----------------|
-| Saved to Microsoft Account | Yes |
-| Saved to Microsoft Entra ID | Yes |
-| Saved to Active Directory | No |
-| Printed | No |
-| Saved to file | No |
-| Creation time | **1PM** |
-| Key ID | 99631A34 |
-
-| Custom URL | No |
-|----------------------|-----------------|
-| Saved to Microsoft Account | No |
-| Saved to Microsoft Entra ID | Yes |
-| Saved to Active Directory | No |
-| Printed | No |
-| Saved to file | No |
-| Creation time | **3PM** |
-| Key ID | 9DF70931 |
-
-**Result:** The hint for the most recent key is displayed.
-
-
-
-## Using additional recovery information
-
-Besides the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory. This section describes how this additional information can be used.
-
-### BitLocker key package
-
-If the recovery methods discussed earlier in this document don't unlock the volume, the BitLocker Repair tool can be used to decrypt the volume at the block level. The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. The recovered data can then be used to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. It's recommended to still save the recovery password. A key package can't be used without the corresponding recovery password.
-
-> [!NOTE]
-> The BitLocker Repair tool `repair-bde.exe` must be used to use the BitLocker key package.
-
-The BitLocker key package isn't saved by default. To save the package along with the recovery password in AD DS, the **Backup recovery password and key package** option must be selected in the group policy settings that control the recovery method. The key package can also be exported from a working volume. For more information on how to export key packages, see [Retrieving the BitLocker Key Package](#retrieving-the-bitlocker-key-package).
-
-## Resetting recovery passwords
-
-It's recommended to invalidate a recovery password after it has been provided and used. The recovery password can be invalidated when it has been provided and used or for any other valid reason.
-
-The recovery password and be invalidated and reset in two ways:
-
-- **Use `manage-bde.exe`**: `manage-bde.exe` can be used to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method.
-
-- **Run a script**: A script can be run to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords.
-
-### Resetting a recovery password using `manage-bde.exe`
-
-1. Remove the previous recovery password.
-
- ```cmd
- `manage-bde.exe` -protectors -delete C: -type RecoveryPassword
- ```
-
-2. Add the new recovery password.
-
- ```cmd
- `manage-bde.exe` -protectors -add C: -RecoveryPassword
- ```
-
-3. Get the ID of the new recovery password. From the screen, copy the ID of the recovery password.
-
- ```cmd
- `manage-bde.exe` -protectors -get C: -Type RecoveryPassword
- ```
-
-4. Back up the new recovery password to AD DS.
-
- ```cmd
- `manage-bde.exe` -protectors -adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}
- ```
-
- > [!WARNING]
- > The braces `{}` must be included in the ID string.
-
-### Running the sample recovery password script to reset the recovery passwords
-
-1. Save the following sample script in a VBScript file. For example:
-
- `ResetPassword.vbs`.
-
-2. At the command prompt, enter the following command::
-
- ```cmd
- cscript.exe ResetPassword.vbs
- ```
-
- > [!IMPORTANT]
- > This sample script is configured to work only for the C volume. If necessary, customize the script to match the volume where the password reset needs to be tested.
-
-> [!NOTE]
-> To manage a remote computer, specify the remote computer name rather than the local computer name.
-
-The following sample VBScript can be used to reset the recovery passwords:
-
-
-Expand to view sample recovery password VBscript to reset the recovery passwords
-
-```vb
-' Target drive letter
-strDriveLetter = "c:"
-' Target computer name
-' Use "." to connect to the local computer
-strComputerName = "."
-' --------------------------------------------------------------------------------
-' Connect to the BitLocker WMI provider class
-' --------------------------------------------------------------------------------
-strConnectionStr = "winmgmts:" _
- & "{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" _
- & strComputerName _
- & "\root\cimv2\Security\MicrosoftVolumeEncryption"
-
-
-On Error Resume Next 'handle permission errors
-Set objWMIService = GetObject(strConnectionStr)
-If Err.Number <> 0 Then
- WScript.Echo "Failed to connect to the BitLocker interface (Error 0x" & Hex(Err.Number) & ")."
- Wscript.Echo "Ensure that you are running with administrative privileges."
- WScript.Quit -1
-End If
-On Error GoTo 0
-strQuery = "Select * from Win32_EncryptableVolume where DriveLetter='" & strDriveLetter & "'"
-Set colTargetVolumes = objWMIService.ExecQuery(strQuery)
-If colTargetVolumes.Count = 0 Then
- WScript.Echo "FAILURE: Unable to find BitLocker-capable drive " & strDriveLetter & " on computer " & strComputerName & "."
- WScript.Quit -1
-End If
-' there should only be one volume found
-For Each objFoundVolume in colTargetVolumes
- set objVolume = objFoundVolume
-Next
-' objVolume is now our found BitLocker-capable disk volume
-' --------------------------------------------------------------------------------
-' Perform BitLocker WMI provider functionality
-' --------------------------------------------------------------------------------
-' Add a new recovery password, keeping the ID around so it doesn't get deleted later
-' ----------------------------------------------------------------------------------
-nRC = objVolume.ProtectKeyWithNumericalPassword("Recovery Password Refreshed By Script", , sNewKeyProtectorID)
-If nRC <> 0 Then
-WScript.Echo "FAILURE: ProtectKeyWithNumericalPassword failed with return code 0x" & Hex(nRC)
-WScript.Quit -1
-End If
-' Removes the other, "stale", recovery passwords
-' ----------------------------------------------------------------------------------
-nKeyProtectorTypeIn = 3 ' type associated with "Numerical Password" protector
-nRC = objVolume.GetKeyProtectors(nKeyProtectorTypeIn, aKeyProtectorIDs)
-If nRC <> 0 Then
-WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC)
-WScript.Quit -1
-End If
-' Delete those key protectors other than the one we just added.
-For Each sKeyProtectorID In aKeyProtectorIDs
-If sKeyProtectorID <> sNewKeyProtectorID Then
-nRC = objVolume.DeleteKeyProtector(sKeyProtectorID)
-If nRC <> 0 Then
-WScript.Echo "FAILURE: DeleteKeyProtector on ID " & sKeyProtectorID & " failed with return code 0x" & Hex(nRC)
-WScript.Quit -1
-Else
-' no output
-'WScript.Echo "SUCCESS: Key protector with ID " & sKeyProtectorID & " deleted"
-End If
-End If
-Next
-WScript.Echo "A new recovery password has been added. Old passwords have been removed."
-' - some advanced output (hidden)
-'WScript.Echo ""
-'WScript.Echo "Type ""manage-bde.exe -protectors -get " & strDriveLetter & " -type recoverypassword"" to view existing passwords."
-```
-
-
-Expand to view sample key package retrieval VBscript that exports all previously saved key packages from AD DS
-
-```vb
-' --------------------------------------------------------------------------------
-' Usage
-' --------------------------------------------------------------------------------
-Sub ShowUsage
- Wscript.Echo "USAGE: GetBitLockerKeyPackageADDS [Path To Save Key Package] [Optional Computer Name]"
- Wscript.Echo "If no computer name is specified, the local computer is assumed."
- Wscript.Echo
- Wscript.Echo "Example: GetBitLockerKeyPackageADDS E:\bitlocker-ad-key-package mycomputer"
- WScript.Quit
-End Sub
-' --------------------------------------------------------------------------------
-' Parse Arguments
-' --------------------------------------------------------------------------------
-Set args = WScript.Arguments
-Select Case args.Count
- Case 1
- If args(0) = "/?" Or args(0) = "-?" Then
- ShowUsage
- Else
- strFilePath = args(0)
- ' Get the name of the local computer
- Set objNetwork = CreateObject("WScript.Network")
- strComputerName = objNetwork.ComputerName
- End If
-
- Case 2
- If args(0) = "/?" Or args(0) = "-?" Then
- ShowUsage
- Else
- strFilePath = args(0)
- strComputerName = args(1)
- End If
- Case Else
- ShowUsage
-End Select
-' --------------------------------------------------------------------------------
-' Get path to Active Directory computer object associated with the computer name
-' --------------------------------------------------------------------------------
-Function GetStrPathToComputer(strComputerName)
- ' Uses the global catalog to find the computer in the forest
- ' Search also includes deleted computers in the tombstone
- Set objRootLDAP = GetObject("LDAP://rootDSE")
- namingContext = objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com
- strBase = "
-Expand to view sample VBscript that exports a new key package from an unlocked, encrypted volume
-
-```vb
-' --------------------------------------------------------------------------------
-' Usage
-' --------------------------------------------------------------------------------
-Sub ShowUsage
- Wscript.Echo "USAGE: GetBitLockerKeyPackage [VolumeLetter/DriveLetter:] [Path To Save Key Package]"
- Wscript.Echo
- Wscript.Echo "Example: GetBitLockerKeyPackage C: E:\bitlocker-backup-key-package"
- WScript.Quit
-End Sub
-' --------------------------------------------------------------------------------
-' Parse Arguments
-' --------------------------------------------------------------------------------
-Set args = WScript.Arguments
-Select Case args.Count
- Case 2
- If args(0) = "/?" Or args(0) = "-?" Then
- ShowUsage
- Else
- strDriveLetter = args(0)
- strFilePath = args(1)
- End If
- Case Else
- ShowUsage
-End Select
-' --------------------------------------------------------------------------------
-' Other Inputs
-' --------------------------------------------------------------------------------
-' Target computer name
-' Use "." to connect to the local computer
-strComputerName = "."
-' Default key protector ID to use. Specify "" to let the script choose.
-strDefaultKeyProtectorID = ""
-' strDefaultKeyProtectorID = "{001298E0-870E-4BA0-A2FF-FC74758D5720}" ' sample
-' --------------------------------------------------------------------------------
-' Connect to the BitLocker WMI provider class
-' --------------------------------------------------------------------------------
-strConnectionStr = "winmgmts:" _
- & "{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" _
- & strComputerName _
- & "\root\cimv2\Security\MicrosoftVolumeEncryption"
-
-
-On Error Resume Next 'handle permission errors
-Set objWMIService = GetObject(strConnectionStr)
-If Err.Number <> 0 Then
- WScript.Echo "Failed to connect to the BitLocker interface (Error 0x" & Hex(Err.Number) & ")."
- Wscript.Echo "Ensure that you are running with administrative privileges."
- WScript.Quit -1
-End If
-On Error GoTo 0
-strQuery = "Select * from Win32_EncryptableVolume where DriveLetter='" & strDriveLetter & "'"
-Set colTargetVolumes = objWMIService.ExecQuery(strQuery)
-If colTargetVolumes.Count = 0 Then
- WScript.Echo "FAILURE: Unable to find BitLocker-capable drive " & strDriveLetter & " on computer " & strComputerName & "."
- WScript.Quit -1
-End If
-' there should only be one volume found
-For Each objFoundVolume in colTargetVolumes
- set objVolume = objFoundVolume
-Next
-' objVolume is now our found BitLocker-capable disk volume
-' --------------------------------------------------------------------------------
-' Perform BitLocker WMI provider functionality
-' --------------------------------------------------------------------------------
-' Collect all possible valid key protector ID's that can be used to get the package
-' ----------------------------------------------------------------------------------
-nNumericalKeyProtectorType = 3 ' type associated with "Numerical Password" protector
-nRC = objVolume.GetKeyProtectors(nNumericalKeyProtectorType, aNumericalKeyProtectorIDs)
-If nRC <> 0 Then
-WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC)
-WScript.Quit -1
-End If
-nExternalKeyProtectorType = 2 ' type associated with "External Key" protector
-nRC = objVolume.GetKeyProtectors(nExternalKeyProtectorType, aExternalKeyProtectorIDs)
-If nRC <> 0 Then
-WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC)
-WScript.Quit -1
-End If
-' Get first key protector of the type "Numerical Password" or "External Key", if any
-' ----------------------------------------------------------------------------------
-if strDefaultKeyProtectorID = "" Then
-' Save first numerical password, if exists
-If UBound(aNumericalKeyProtectorIDs) <> -1 Then
-strDefaultKeyProtectorID = aNumericalKeyProtectorIDs(0)
-End If
-' No numerical passwords exist, save the first external key
-If strDefaultKeyProtectorID = "" and UBound(aExternalKeyProtectorIDs) <> -1 Then
-strDefaultKeyProtectorID = aExternalKeyProtectorIDs(0)
-End If
-' Fail case: no recovery key protectors exist.
-If strDefaultKeyProtectorID = "" Then
-WScript.Echo "FAILURE: Cannot create backup key package because no recovery passwords or recovery keys exist. Check that BitLocker protection is on for this drive."
-WScript.Echo "For help adding recovery passwords or recovery keys, enter ""manage-bde.exe -protectors -add -?""."
-WScript.Quit -1
-End If
-End If
-' Get some information about the chosen key protector ID
-' ----------------------------------------------------------------------------------
-' is the type valid?
-nRC = objVolume.GetKeyProtectorType(strDefaultKeyProtectorID, nDefaultKeyProtectorType)
-If Hex(nRC) = "80070057" Then
-WScript.Echo "The key protector ID " & strDefaultKeyProtectorID & " is not valid."
-WScript.Echo "This ID value may have been provided by the script writer."
-ElseIf nRC <> 0 Then
-WScript.Echo "FAILURE: GetKeyProtectorType failed with return code 0x" & Hex(nRC)
-WScript.Quit -1
-End If
-' what's a string that can be used to describe it?
-strDefaultKeyProtectorType = ""
-Select Case nDefaultKeyProtectorType
- Case nNumericalKeyProtectorType
- strDefaultKeyProtectorType = "recovery password"
- Case nExternalKeyProtectorType
- strDefaultKeyProtectorType = "recovery key"
- Case Else
- WScript.Echo "The key protector ID " & strDefaultKeyProtectorID & " does not refer to a valid recovery password or recovery key."
- WScript.Echo "This ID value may have been provided by the script writer."
-End Select
-' Save the backup key package using the chosen key protector ID
-' ----------------------------------------------------------------------------------
-nRC = objVolume.GetKeyPackage(strDefaultKeyProtectorID, oKeyPackage)
-If nRC <> 0 Then
-WScript.Echo "FAILURE: GetKeyPackage failed with return code 0x" & Hex(nRC)
-WScript.Quit -1
-End If
-' Validate file path
-Set fso = CreateObject("Scripting.FileSystemObject")
-If (fso.FileExists(strFilePath)) Then
-WScript.Echo "The file " & strFilePath & " already exists. Please use a different path."
-WScript.Quit -1
-End If
-Dim oKeyPackageByte, bKeyPackage
-For Each oKeyPackageByte in oKeyPackage
- 'WScript.echo "key package byte: " & oKeyPackageByte
- bKeyPackage = bKeyPackage & ChrB(oKeyPackageByte)
-Next
-' Save binary data to the file
-SaveBinaryDataText strFilePath, bKeyPackage
-' Display helpful information
-' ----------------------------------------------------------------------------------
-WScript.Echo "The backup key package has been saved to " & strFilePath & "."
-WScript.Echo "IMPORTANT: To use this key package, the " & strDefaultKeyProtectorType & " must also be saved."
-' Display the recovery password or a note about saving the recovery key file
-If nDefaultKeyProtectorType = nNumericalKeyProtectorType Then
-nRC = objVolume.GetKeyProtectorNumericalPassword(strDefaultKeyProtectorID, sNumericalPassword)
-If nRC <> 0 Then
-WScript.Echo "FAILURE: GetKeyProtectorNumericalPassword failed with return code 0x" & Hex(nRC)
-WScript.Quit -1
-End If
-WScript.Echo "Save this recovery password: " & sNumericalPassword
-ElseIf nDefaultKeyProtectorType = nExternalKeyProtectorType Then
-WScript.Echo "The saved key file is named " & strDefaultKeyProtectorID & ".BEK"
-WScript.Echo "For help re-saving this external key file, enter ""manage-bde.exe -protectors -get -?"""
-End If
-'----------------------------------------------------------------------------------------
-' Utility functions to save binary data
-'----------------------------------------------------------------------------------------
-Function SaveBinaryDataText(FileName, ByteArray)
- 'Create FileSystemObject object
- Dim FS: Set FS = CreateObject("Scripting.FileSystemObject")
-
- 'Create text stream object
- Dim TextStream
- Set TextStream = FS.CreateTextFile(FileName)
-
- 'Convert binary data To text And write them To the file
- TextStream.Write BinaryToString(ByteArray)
-End Function
-Function BinaryToString(Binary)
- Dim I, S
- For I = 1 To LenB(Binary)
- S = S & Chr(AscB(MidB(Binary, I, 1)))
- Next
- BinaryToString = S
-End Function
-```
-
-
By default, the firewall rules in Windows Server 2016. Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 11, Windows 10, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. |
-| Internet Protocol security (IPsec) | A set of industry-standard, cryptography-based protection services and protocols. IPsec protects all protocols in the TCP/IP protocol suite except Address Resolution Protocol (ARP).|
-| IPsec policy | A collection of connection security rules that provide the required protection to network traffic entering and leaving the device. The protection includes authentication of both the sending and receiving device, integrity protection of the network traffic exchanged between them, and can include encryption.|
-| Isolated domain | An Active Directory domain (or an Active Directory forest, or set of domains with two-way trust relationships) that has Group Policy settings applied to help protect its member devices by using IPsec connection security rules. Members of the isolated domain require authentication on all unsolicited inbound connections (with exceptions handled by the other zones).
In this guide, the term *isolated domain* refers to the IPsec concept of a group of devices that can share authentication. The term *Active Directory domain* refers to the group of devices that share a security database by using Active Directory.|
-| Server isolation | A technique for using group membership to restrict access to a server that is typically already a member of an isolated domain. The extra protection comes from using the authentication credentials of the requesting device to determine its group membership, and then only allowing access if the computer account (and optionally the user account) is a member of an authorized group.|
-| Solicited network traffic | Network traffic that is sent in response to a request. By default, Windows Defender Firewall allows all solicited network traffic through.|
-| Unsolicited network traffic | Network traffic that isn't a response to an earlier request, and that the receiving device can't necessarily anticipate. By default, Windows Defender Firewall blocks all unsolicited network traffic. |
-| Zone | A zone is a logical grouping of devices that share common IPsec policies because of their communications requirements. For example, the boundary zone permits inbound connections from non-trusted devices. The encryption zone requires that all connections be encrypted.
This term zone isn't related to the one used by Domain Name System (DNS). |
-
-**Next:** [Understanding the Windows Defender Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md)
-
-
-
-
-
-
-
-
-
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md
deleted file mode 100644
index af1b573655..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-title: Windows Defender Firewall with Advanced Security
-description: Learn overview information about the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features.
-ms.prod: windows-client
-ms.collection:
- - highpri
- - tier3
- - must-keep
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Windows Defender Firewall with Advanced Security
-
-
-This topic is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features.
-
-## Overview of Windows Defender Firewall with Advanced Security
-
-Windows Defender Firewall in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that can't be authenticated as a trusted device can't communicate with your device. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user.
-
-The Windows Defender Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Defender Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. While the Windows Defender Firewall Control Panel program can protect a single device in a home environment, it doesn't provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment.
-
-[!INCLUDE [windows-firewall](../../../../../includes/licensing/windows-firewall.md)]
-
-## Feature description
-
-Windows Defender Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also an important part of your network's isolation strategy.
-
-## Practical applications
-
-
-To help address your organizational network security challenges, Windows Defender Firewall offers the following benefits:
-
-- **Reduces the risk of network security threats.** Windows Defender Firewall reduces the attack surface of a device, providing an extra layer to the defense-in-depth model. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.
-
-- **Safeguards sensitive data and intellectual property.** With its integration with IPsec, Windows Defender Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data.
-
-- **Extends the value of existing investments.** Because Windows Defender Firewall is a host-based firewall that is included with the operating system, there's no other hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API).
-
diff --git a/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
index b0da2402b2..3daa0cbf86 100644
--- a/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
+++ b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
@@ -4,7 +4,6 @@ description: This article describes how Windows security features help protect y
ms.topic: conceptual
ms.date: 08/11/2023
ms.collection:
- - highpri
- tier1
---
@@ -121,7 +120,7 @@ Figure 2 illustrates the Measured Boot and remote attestation process.
*Figure 2. Measured Boot proves the PC's health to a remote server*:
-Windows includes the application programming interfaces to support Measured Boot. However, to take advanted of it, you need non-Microsoft tools to implement a remote attestation client and trusted attestation server. For example, see the following tools from Microsoft Research:
+Windows includes the application programming interfaces to support Measured Boot. However, to take advantage of it, you need non-Microsoft tools to implement a remote attestation client and trusted attestation server. For example, see the following tools from Microsoft Research:
- [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487)
- [TSS.MSR](https://github.com/microsoft/TSS.MSR#tssmsr)
diff --git a/windows/security/operating-system-security/system-security/trusted-boot.md b/windows/security/operating-system-security/system-security/trusted-boot.md
index 364719eebb..431c65c17d 100644
--- a/windows/security/operating-system-security/system-security/trusted-boot.md
+++ b/windows/security/operating-system-security/system-security/trusted-boot.md
@@ -2,7 +2,7 @@
title: Secure Boot and Trusted Boot
description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11
ms.topic: conceptual
-ms.date: 09/21/2021
+ms.date: 10/30/2023
ms.reviewer: jsuther
appliesto:
- "✅ Windows 11"
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md
index 713b98447c..310a26dc87 100644
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md
@@ -7,7 +7,7 @@ ms.topic: article
# Firewall and network protection
-The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../../network-security/windows-firewall/windows-firewall-with-advanced-security.md).
+The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../../network-security/windows-firewall/index.md).
This section can be hidden from users of the machine. This information is useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
index 1970d566b4..a316bca4b5 100644
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
@@ -3,9 +3,6 @@ title: Windows Security
description: Windows Security brings together common Windows security features into one place.
ms.date: 08/11/2023
ms.topic: article
-ms.collection:
- - highpri
- - tier2
---
# Windows Security
@@ -73,7 +70,7 @@ For more information about each section, options for configuring the sections, a
>
> Microsoft Defender Antivirus will be [disabled automatically when a third-party antivirus product is installed and kept up to date](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility).
>
-> Disabling the Windows Security Center Service won't disable Microsoft Defender Antivirus or [Windows Defender Firewall](../../network-security/windows-firewall/windows-firewall-with-advanced-security.md).
+> Disabling the Windows Security Center Service won't disable Microsoft Defender Antivirus or [Windows Defender Firewall](../../network-security/windows-firewall/index.md).
> [!WARNING]
> If you disable the Windows Security Center Service, or configure its associated group policy settings to prevent it from starting or running, **Windows Security** may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
index 38961897cb..ff13a406b5 100644
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
@@ -1,7 +1,7 @@
---
title: Enhanced Phishing Protection in Microsoft Defender SmartScreen
description: Learn how Enhanced Phishing Protection for Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
-ms.date: 09/25/2023
+ms.date: 11/02/2023
ms.topic: conceptual
appliesto:
- ✅ Windows 11, version 22H2
@@ -19,7 +19,7 @@ If a user signs into Windows using a password, Enhanced Phishing Protection work
- If users type their work or school password into a website or app that SmartScreen finds suspicious, Enhanced Phishing Protection can automatically collect information from that website or app to help identify security threats. For example, the content displayed, sounds played, and application memory.
> [!NOTE]
-> When a user signs-in to a device using a Windows Hello for Business PIN or biometric, Enhanced Phishing Protection does not alert the user or send events to Microsoft Defender for Endpoint.
+> When a user signs-in to a device using a Windows Hello for Business PIN or biometric, Enhanced Phishing Protection does not alert the user or send events to [Microsoft Defender for Endpoint (MDE)](/microsoft-365/security/defender-endpoint/).
## Benefits of Enhanced Phishing Protection in Microsoft Defender SmartScreen
@@ -37,43 +37,51 @@ Enhanced Phishing Protection provides robust phishing protections for work or sc
## Configure Enhanced Phishing Protection for your organization
-Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. Follow these instructions to configure your devices using either Microsoft Intune, GPO or CSP.
+Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. These settings are available to configure your devices using either Microsoft Intune, GPO or CSP.
+
+| Setting | Description |
+|--|--|
+| Automatic Data Collection | This policy setting determines whether Enhanced Phishing Protection can collect additional information-such as content displayed, sounds played, and application memory-when your users enter their work or school password into a suspicious website or app. This information is used only for security purposes and helps SmartScreen determine whether the website or app is malicious.
**Disabled** for all other devices. | **Enabled**: Turns on collection of additional content for security analysis from a suspicious website or app to improve Microsoft's threat intelligence |
+| Service Enabled | **Enabled** | **Enabled**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users. |
+| Notify Malicious | **Disabled** for devices onboarded to MDE.
**Enabled** for all other devices. | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password. |
+| Notify Password Reuse | **Disabled** | **Enabled**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password. |
+| Notify Unsafe App | **Disabled** | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps. |
+
To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen settings.
+
+| Setting | Default Value | Recommendation |
+|---------------------------|------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Automatic Data Collection | **Disabled** for domain joined devices or devices enrolled with MDM.
**Enabled** for all other devices. | **Enabled**: Turns on collection of additional content when users enter their work or school password into a suspicious website or app. This information is used only for security purposes and helps SmartScreen determine whether the website or app is malicious. |
+| Service Enabled | **Enabled** | **Enabled**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users. |
+| Notify Malicious | **Disabled** for devices onboarded to MDE.
**Enabled** for all other devices. | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password. |
+| Notify Password Reuse | **Disabled** | **Enabled**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password. |
+| Notify Unsafe App | **Disabled** | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps. |
+
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
-|Settings catalog element|Recommendation|
-|---------|---------|
-|Service Enabled|**Enable**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.|
-|Notify Malicious|**Enable**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password.|
-|Notify Password Reuse|**Enable**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.|
-|Notify Unsafe App|**Enable**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps.|
+| Settings catalog element | Recommended value |
+|---------------------------|-------------------|
+| Automatic Data Collection | **Enabled** |
+| Service Enabled | **Enabled** |
+| Notify Malicious | **Enabled** |
+| Notify Password Reuse | **Enabled** |
+| Notify Unsafe App | **Enabled** |
#### [:::image type="icon" source="images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
-|Group Policy setting|Recommendation|
-|---------|---------|
-|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled| **Enable**: Enhanced Phishing Protection is enabled in audit mode and your users are unable to turn it off.|
-|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|**Enable**: Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate. It encourages users to change their password.|
-|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse|**Enable**: Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.|
-|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|**Enable**: Enhanced Phishing Protection warns users if they store their password in Notepad and Microsoft 365 Office Apps.|
+| Group Policy setting | Recommended value |
+|---------------------------|-------------------|
+| Automatic Data Collection | **Enabled** |
+| Service Enabled | **Enabled** |
+| Notify Malicious | **Enabled** |
+| Notify Password Reuse | **Enabled** |
+| Notify Unsafe App | **Enabled** |
#### [:::image type="icon" source="images/icons/windows-os.svg"::: **CSP**](#tab/csp)
-|MDM setting|Recommendation|
-|---------|---------|
-|ServiceEnabled|**1**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.|
-|NotifyMalicious|**1**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password.|
-|NotifyPasswordReuse|**1**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.|
-|NotifyUnsafeApp|**1**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps.|
-
+| MDM setting | Recommended value |
+|-------------------------|-------------------|
+| AutomaticDataCollection | **1** |
+| ServiceEnabled | **1** |
+| NotifyMalicious | **1** |
+| NotifyPasswordReuse | **1** |
+| NotifyUnsafeApp | **1** |
---
@@ -121,7 +148,4 @@ To better help you protect your organization, we recommend turning on and using
[WIN-1]: /windows/client-management/mdm/policy-csp-webthreatdefense
-
[MEM-2]: /mem/intune/configuration/settings-catalog
-
-
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
index 9b52d9fb84..b5af241045 100644
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
@@ -2,11 +2,7 @@
title: Microsoft Defender SmartScreen overview
description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
ms.date: 08/11/2023
-ms.topic: article
-ms.localizationpriority: high
-ms.collection:
- - tier2
- - highpri
+ms.topic: conceptual
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/security/security-foundations/certification/fips-140-validation.md b/windows/security/security-foundations/certification/fips-140-validation.md
index 1cb3c7c91f..295dd13ce0 100644
--- a/windows/security/security-foundations/certification/fips-140-validation.md
+++ b/windows/security/security-foundations/certification/fips-140-validation.md
@@ -1,18 +1,10 @@
---
title: Federal Information Processing Standard (FIPS) 140 Validation
description: Learn how Microsoft products and cryptographic modules follow the U.S. Federal government standard FIPS 140.
-ms.prod: windows-client
-ms.date: 08/18/2023
-manager: aaroncz
+ms.date: 11/13/2023
+ms.topic: reference
ms.author: paoloma
author: paolomatarazzo
-ms.collection:
- - highpri
- - tier3
-ms.topic: reference
-ms.localizationpriority: medium
-ms.reviewer:
-ms.technology: itpro-security
---
# FIPS 140-2 Validation
@@ -21,7 +13,7 @@ ms.technology: itpro-security
The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products.
-The [Cryptographic Module Validation Program (CMVP)][HTTP-1]) is a joint effort of the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS). It validates cryptographic modules against the Security Requirements for Cryptographic Modules (part of FIPS 140-2) and related FIPS cryptography standards. The FIPS 140-2 security requirements cover 11 areas related to the design and implementation of a cryptographic module. The NIST Information Technology Laboratory operates a related program that validates the FIPS approved cryptographic algorithms in the module.
+The [Cryptographic Module Validation Program (CMVP)][HTTP-1] is a joint effort of the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS). It validates cryptographic modules against the Security Requirements for Cryptographic Modules (part of FIPS 140-2) and related FIPS cryptography standards. The FIPS 140-2 security requirements cover 11 areas related to the design and implementation of a cryptographic module. The NIST Information Technology Laboratory operates a related program that validates the FIPS approved cryptographic algorithms in the module.
## Microsoft's approach to FIPS 140-2 validation
diff --git a/windows/security/security-foundations/certification/windows-platform-common-criteria.md b/windows/security/security-foundations/certification/windows-platform-common-criteria.md
index 0f426874c2..adfc44645c 100644
--- a/windows/security/security-foundations/certification/windows-platform-common-criteria.md
+++ b/windows/security/security-foundations/certification/windows-platform-common-criteria.md
@@ -1,17 +1,13 @@
---
title: Common Criteria Certifications
description: This topic details how Microsoft supports the Common Criteria certification program.
-ms.prod: windows-client
ms.author: sushmanemali
author: s4sush
-manager: aaroncz
ms.topic: reference
-ms.localizationpriority: medium
-ms.date: 11/4/2022
+ms.date: 11/22/2023
ms.reviewer: paoloma
-ms.technology: itpro-security
ms.collection:
- - tier3
+- tier3
---
# Common Criteria certifications
@@ -34,7 +30,7 @@ Certified against the Protection Profile for General Purpose Operating Systems,
- [Administrative Guide](https://download.microsoft.com/download/9/1/7/9178ce6a-8117-42e7-be0d-186fc4a89ca6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Administrative%20Guide%20(21H2%20et%20al).pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/4/1/6/416151fe-63e7-48c0-a485-1d87148c71fe/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Assurance%20Activity%20Report%20(21H2%20et%20al).pdf)
- [Validation Report](https://download.microsoft.com/download/e/3/7/e374af1a-3c5d-42ee-8e19-df47d2c0e3d6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Validation%20Report%20(21H2%20et%20al).pdf)
-
+
### Windows 10, version 2004, Windows Server, version 2004, Windows Server Core Datacenter (Azure Fabric Controller), Windows Server Core Datacenter (Azure Stack)
Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients
@@ -105,7 +101,7 @@ Certified against the Protection Profile for General Purpose Operating Systems.
- [Security Target](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf)
- [Administrative Guide](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf)
- [Certification Report](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf)
-- [Assurance Activity Report](https://download.microsoft.com/download/a/e/9/ae9a2235-e1cd-4869-964d-c8260f604367/Windows%2010%201703%20GP%20OS%20Assurance%20Activity%20Report.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/a/e/9/ae9a2235-e1cd-4869-964d-c8260f604367/Windows%2010%201703%20GP%20OS%20Assurance%20Activity%20Report.pdf)
### Windows 10, version 1607, Windows Server 2016
@@ -149,9 +145,9 @@ Certified against the Protection Profile for Mobile Device Fundamentals.
- [Security Target](https://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx)
- [Administrative Guide](https://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20\(16%20mar%202017\)\(clean\).docx)
- [Validation Report](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf)
-- [Assurance Activity Report](https://download.microsoft.com/download/9/3/9/939b44a8-5755-4d4c-b020-d5e8b89690ab/Windows%2010%20and%20Windows%2010%20Mobile%201607%20MDF%20Assurance%20Activity%20Report.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/9/3/9/939b44a8-5755-4d4c-b020-d5e8b89690ab/Windows%2010%20and%20Windows%2010%20Mobile%201607%20MDF%20Assurance%20Activity%20Report.pdf)
-### Windows 10, version 1607, Windows Server 2016
+### Windows 10, version 1607, Windows Server 2016 (VPN)
Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients.
@@ -273,7 +269,7 @@ Certified against the Protection Profile for General Purpose Operating Systems.
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf)
- [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08)
-- [Certification Report](http://www.commoncriteriaportal.org:80/files/epfiles/0570a_pdf.pdf)
+- [Certification Report](http://www.commoncriteriaportal.org:80/files/epfiles/0570a_pdf.pdf)
### Windows Server 2003 Certificate Server
diff --git a/windows/security/security-foundations/zero-trust-windows-device-health.md b/windows/security/security-foundations/zero-trust-windows-device-health.md
index 65cc2e9e7d..f80e2bf591 100644
--- a/windows/security/security-foundations/zero-trust-windows-device-health.md
+++ b/windows/security/security-foundations/zero-trust-windows-device-health.md
@@ -1,14 +1,11 @@
---
title: Zero Trust and Windows device health
description: Describes the process of Windows device health attestation
-ms.reviewer:
ms.topic: conceptual
manager: aaroncz
ms.author: paoloma
author: paolomatarazzo
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.date: 12/31/2017
+ms.date: 11/07/2023
---
# Zero Trust and Windows device health
@@ -17,11 +14,9 @@ Organizations need a security model that more effectively adapts to the complexi
The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) principles are:
-- **Verify explicitly**. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and monitor anomalies.
-
-- **Use least-privileged access**. Limit user access with just-in-time and just-enough-access, risk-based adaptive policies, and data protection to help secure data and maintain productivity.
-
-- **Assume breach**. Prevent attackers from obtaining access to minimize potential damage to data and systems. Protect privileged roles, verify end-to-end encryption, use analytics to get visibility, and drive threat detection to improve defenses.
+- **Verify explicitly**. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and monitor anomalies
+- **Use least-privileged access**. Limit user access with just-in-time and just-enough-access, risk-based adaptive policies, and data protection to help secure data and maintain productivity
+- **Assume breach**. Prevent attackers from obtaining access to minimize potential damage to data and systems. Protect privileged roles, verify end-to-end encryption, use analytics to get visibility, and drive threat detection to improve defenses
The Zero Trust concept of **verify explicitly** applies to the risks introduced by both devices and users. Windows enables **device health attestation** and **conditional access** capabilities, which are used to grant access to corporate resources.
@@ -45,25 +40,19 @@ Windows includes many security features to help protect users from malware and a
A summary of the steps involved in attestation and Zero Trust on the device side are as follows:
-1. During each step of the boot process, such as a file load, update of special variables, and more, information such as file hashes and signature are measured in the TPM PCRs. The measurements are bound by a [Trusted Computing Group specification](https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/) (TCG) that dictates what events can be recorded and the format of each event.
+1. During each step of the boot process, such as a file load, update of special variables, and more, information such as file hashes and signature are measured in the TPM PCRs. The measurements are bound by a [Trusted Computing Group specification](https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/) (TCG) that dictates what events can be recorded and the format of each event
+1. Once Windows has booted, the attestor/verifier requests the TPM to fetch the measurements stored in its Platform Configuration Register (PCR) alongside a TCG log. The measurements in both these components together form the attestation evidence that is then sent to the attestation service
+1. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation)
+1. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with Microsoft Entra Conditional Access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device
+1. The attestation service does the following tasks:
-2. Once Windows has booted, the attestor/verifier requests the TPM to fetch the measurements stored in its Platform Configuration Register (PCR) alongside a TCG log. The measurements in both these components together form the attestation evidence that is then sent to the attestation service.
+ - Verify the integrity of the evidence. This verification is done by validating the PCRs that match the values recomputed by replaying the TCG log
+ - Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM
+ - Verify that the security features are in the expected states
-3. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation).
-
-4. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with Microsoft Entra Conditional Access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device.
-
-5. The attestation service does the following tasks:
-
- - Verify the integrity of the evidence. This verification is done by validating the PCRs that match the values recomputed by replaying the TCG log.
- - Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM.
- - Verify that the security features are in the expected states.
-
-6. The attestation service returns an attestation report that contains information about the security features based on the policy configured in the attestation service.
-
-7. The device then sends the report to the Microsoft Intune cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules.
-
-8. Conditional access, along with device-compliance state then decides to allow or deny access.
+1. The attestation service returns an attestation report that contains information about the security features based on the policy configured in the attestation service
+1. The device then sends the report to the Microsoft Intune cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules
+1. Conditional access, along with device-compliance state then decides to allow or deny access
## Other Resources
diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
index 3648c69063..eaa7ed73d3 100644
--- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
@@ -1,5 +1,5 @@
---
-title: Advanced security audit policy settings
+title: Advanced security audit policy settings
description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171
ms.author: vinpa
@@ -10,7 +10,7 @@ ms.pagetype: security
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -26,7 +26,7 @@ The security audit policy settings under **Security Settings\\Advanced Audit Pol
- A group administrator has modified settings or data on servers that contain finance information.
- An employee within a defined group has accessed an important file.
- The correct system access control list (SACL) - as a verifiable safeguard against undetected access - is applied to either of the following:
- - every file and folder
+ - every file and folder
- registry key on a computer
- file share.
@@ -34,7 +34,7 @@ You can access these audit policy settings through the Local Security Policy sna
These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for the following types of behaviors:
- That are of little or no concern to you
-- That create an excessive number of log entries.
+- That create an excessive number of log entries.
In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity.
Audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** are available in the following categories:
@@ -63,7 +63,7 @@ The security audit policy settings in this category can be used to monitor chang
Detailed Tracking security policy settings and audit events can be used for the following purposes:
- To monitor the activities of individual applications and users on that computer
-- To understand how a computer is being used.
+- To understand how a computer is being used.
This category includes the following subcategories:
@@ -161,12 +161,12 @@ Global Object Access Auditing policy settings allow administrators to define com
Auditors can prove that every resource in the system is protected by an audit policy. They can do this task by viewing the contents of the Global Object Access Auditing policy settings. For example, if auditors see a policy setting called "Track all changes made by group administrators," they know that this policy is in effect.
Resource SACLs are also useful for diagnostic scenarios. For example, administrators quickly identify which object in a system is denying a user access by:
-- Setting the Global Object Access Auditing policy to log all the activities for a specific user
+- Setting the Global Object Access Auditing policy to log all the activities for a specific user
- Enabling the policy to track "Access denied" events for the file system or registry can help
> [!NOTE]
> If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy.
-
+
This category includes the following subcategories:
- [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md)
- [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md)
diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing.md b/windows/security/threat-protection/auditing/advanced-security-auditing.md
index b6bf8dec61..1aed416fd1 100644
--- a/windows/security/threat-protection/auditing/advanced-security-auditing.md
+++ b/windows/security/threat-protection/auditing/advanced-security-auditing.md
@@ -1,8 +1,8 @@
---
-title: Advanced security audit policies
-description: Advanced security audit policy settings may appear to overlap with basic policies, but they are recorded and applied differently. Learn more about them here.
+title: Advanced security audit policies
+description: Advanced security audit policy settings might appear to overlap with basic policies, but they're recorded and applied differently. Learn more about them here.
ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,21 +12,21 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/6/2021
ms.technology: itpro-security
---
# Advanced security audit policies
-Advanced security audit policy settings are found in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** and appear to overlap with basic security audit policies, but they are recorded and applied differently.
-When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in, you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe. In Windows 7 and later, advanced security audit policies can be controlled by using Group Policy.
+Advanced security audit policy settings are found in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** and appear to overlap with basic security audit policies, but they're recorded and applied differently.
+When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in, you're editing the effective audit policy, so changes made to basic audit policy settings appear exactly as configured in Auditpol.exe. In Windows 7 and later, advanced security audit policies can be controlled by using Group Policy.
## In this section
-| Topic | Description |
+| Article | Description |
| - | - |
-| [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) | This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies |
-| [Advanced security auditing FAQ](advanced-security-auditing-faq.yml) | This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
+| [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) | This article for IT professionals explains the options that security policy planners must consider, and the tasks that they must complete, to deploy an effective security audit policy in a network that includes advanced security audit policies |
+| [Advanced security auditing FAQ](advanced-security-auditing-faq.yml) | This article for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
| [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) | This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012.
-| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) | This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
+| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) | This reference for IT professionals provides information about the advanced audit policy settings in Windows and the audit events that they generate.
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
index c613a28ed2..d8dcb28e30 100644
--- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
+++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
@@ -1,8 +1,8 @@
---
-title: Apply a basic audit policy on a file or folder
+title: Apply a basic audit policy on a file or folder
description: Apply audit policies to individual files and folders on your computer by setting the permission type to record access attempts in the security log.
ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -40,18 +40,18 @@ To complete this procedure, you must be signed in as a member of the built-in Ad
- To audit failure events, select **Fail.**
- To audit all events, select **All.**
-
+
6. In the **Applies to** box, select the object(s) to which the audit of events will apply. These objects include:
-
+
- **This folder only**
- **This folder, subfolders and files**
- **This folder and subfolders**
- **This folder and files**
- **Subfolders and files only**
- - **Subfolders only**
+ - **Subfolders only**
- **Files only**
-
+
7. By default, the selected **Basic Permissions** to audit are the following:
- **Read and execute**
- **List folder contents**
@@ -60,8 +60,8 @@ To complete this procedure, you must be signed in as a member of the built-in Ad
- **Full control**
- **Modify**
- **Write**
-
-> [!IMPORTANT]
+
+> [!IMPORTANT]
> Before you set up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md). To do this, define auditing policy settings for the object access event category. If you don't enable object access auditing, you'll receive an error message when you set up auditing for files and folders, and no files or folders will be audited.
## More considerations
diff --git a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
index fd97b2de5e..1b9208a8d5 100644
--- a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
+++ b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
@@ -1,5 +1,5 @@
---
-title: Audit Token Right Adjusted
+title: Audit Token Right Adjusted
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Token Right Adjusted, which determines whether the operating system generates audit events when specific changes are made to the privileges of a token.
manager: aaroncz
author: vinaypamnani-msft
@@ -8,13 +8,13 @@ ms.pagetype: security
ms.prod: windows-client
ms.technology: itpro-security
ms.date: 12/31/2017
-ms.topic: article
+ms.topic: reference
---
# Audit Token Right Adjusted
-Audit Token Right Adjusted allows you to audit events generated by adjusting the privileges of a token.
+Audit Token Right Adjusted allows you to audit events generated by adjusting the privileges of a token.
For more information, see [Security Monitoring: A Possible New Way to Detect Privilege Escalation](/archive/blogs/nathangau/security-monitoring-a-possible-new-way-to-detect-privilege-escalation).
diff --git a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
index 7773933079..017fb5ec82 100644
--- a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
@@ -1,8 +1,8 @@
---
-title: Audit account logon events
+title: Audit account logon events
description: Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.
ms.assetid: 84B44181-E325-49A1-8398-AECC3CE0A516
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -45,9 +45,9 @@ You can configure this security setting by opening the appropriate policy under
| 681 | Logon failure. A domain account logon was attempted. This event is not generated in Windows XP or in the Windows Server 2003 family. |
| 682 | A user has reconnected to a disconnected terminal server session. |
| 683 | A user disconnected a terminal server session without logging off. |
-
+
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
-
-
+
+
diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md
index 9a6340c3a8..e3e8fa199c 100644
--- a/windows/security/threat-protection/auditing/basic-audit-account-management.md
+++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md
@@ -1,8 +1,8 @@
---
-title: Audit account management
+title: Audit account management
description: Determines whether to audit each event of account management on a device.
ms.assetid: 369197E1-7E0E-45A4-89EA-16D91EF01689
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -28,7 +28,7 @@ Examples of account management events include:
- A user account is renamed, disabled, or enabled.
- A password is set or changed.
-If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits generate an audit entry when any account management event fails. To
+If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits generate an audit entry when any account management event fails. To
set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes.
**Default:**
diff --git a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
index 6da1a9c54e..82647ef71b 100644
--- a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
+++ b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
@@ -1,8 +1,8 @@
---
-title: Basic audit directory service access
+title: Basic audit directory service access
description: Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
ms.assetid: 52F02EED-3CFE-4307-8D06-CF1E27693D09
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -26,7 +26,7 @@ By default, this value is set to no auditing in the Default Domain Controller Gr
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an Active Directory object that has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an Active Directory object that has a SACL specified. To set this value to **No auditing,** in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes.
> **Note:** You can set a SACL on an Active Directory object by using the **Security** tab in that object's **Properties** dialog box. This is the same as Audit object access, except that it applies only to Active Directory objects and not to file system and registry objects.
-
+
**Default:**
- Success on domain controllers.
@@ -41,9 +41,9 @@ There is only one directory service access event, which is identical to the Obje
| Directory service access events | Description |
|---------------------------------|----------------------------------------|
| 566 | A generic object operation took place. |
-
+
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
-
-
+
+
diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md
index 523fee4769..4b5e68258f 100644
--- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md
@@ -1,8 +1,8 @@
---
-title: Audit logon events
+title: Audit logon events
description: Determines whether to audit each instance of a user logging on to or logging off from a device.
ms.assetid: 78B5AFCB-0BBD-4C38-9FE9-6B4571B94A35
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -41,11 +41,11 @@ You can configure this security setting by opening the appropriate policy under
| - | - |
| 4624 | A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below. |
| 4625 | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. |
-| 4634 | The logoff process was completed for a user. |
+| 4634 | The logoff process was completed for a user. |
| 4647 | A user initiated the logoff process. |
| 4648 | A user successfully logged on to a computer using explicit credentials while already logged on as a different user. |
| 4779 | A user disconnected a terminal server session without logging off. |
-
+
When event 4624 (Legacy Windows Event ID 528) is logged, a logon type is also listed in the event log. The following table describes each logon type.
@@ -60,9 +60,9 @@ When event 4624 (Legacy Windows Event ID 528) is logged, a logon type is also li
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.|
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop.|
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.|
-
+
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
-
-
+
+
diff --git a/windows/security/threat-protection/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md
index c9e7094492..66a2833e20 100644
--- a/windows/security/threat-protection/auditing/basic-audit-object-access.md
+++ b/windows/security/threat-protection/auditing/basic-audit-object-access.md
@@ -1,8 +1,8 @@
---
-title: Audit object access
+title: Audit object access
description: The policy setting, Audit object access, determines whether to audit the event generated when a user accesses an object that has its own SACL specified.
ms.assetid: D15B6D67-7886-44C2-9972-3F192D5407EA
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/auditing/basic-audit-policy-change.md b/windows/security/threat-protection/auditing/basic-audit-policy-change.md
index bd7e9a9b7e..4db162688d 100644
--- a/windows/security/threat-protection/auditing/basic-audit-policy-change.md
+++ b/windows/security/threat-protection/auditing/basic-audit-policy-change.md
@@ -1,8 +1,8 @@
---
-title: Audit policy change
+title: Audit policy change
description: Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.
ms.assetid: 1025A648-6B22-4C85-9F47-FE0897F1FA31
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -37,30 +37,30 @@ You can configure this security setting under Computer Configuration\\Windows Se
| Policy change events | Description |
| - | - |
-| 608 | A user right was assigned.|
+| 608 | A user right was assigned.|
| 609 | A user right was removed. |
-| 610 | A trust relationship with another domain was created.|
-| 611 | A trust relationship with another domain was removed.|
-| 612 | An audit policy was changed.|
-| 613 | An Internet Protocol security (IPSec) policy agent started.|
+| 610 | A trust relationship with another domain was created.|
+| 611 | A trust relationship with another domain was removed.|
+| 612 | An audit policy was changed.|
+| 613 | An Internet Protocol security (IPSec) policy agent started.|
| 614 | An IPSec policy agent was disabled. |
| 615 | An IPSec policy agent changed. |
-| 616 | An IPSec policy agent encountered a potentially serious failure.|
+| 616 | An IPSec policy agent encountered a potentially serious failure.|
| 617 | A Kerberos policy changed. |
-| 618 | Encrypted Data Recovery policy changed.|
-| 620 | A trust relationship with another domain was modified.|
+| 618 | Encrypted Data Recovery policy changed.|
+| 620 | A trust relationship with another domain was modified.|
| 621 | System access was granted to an account. |
-| 622 | System access was removed from an account.|
-| 623 | Per user auditing policy was set for a user.|
+| 622 | System access was removed from an account.|
+| 623 | Per user auditing policy was set for a user.|
| 625 | Per user audit policy was refreshed. |
| 768 | A collision was detected between a namespace element in one forest and a namespace element in another forest.
**Note** When a namespace element in one forest overlaps a namespace element in another forest, it can lead to ambiguity in resolving a name belonging to one of the namespace elements. This overlap is also called a collision. Not all parameters are valid for each entry type. For example, fields such as DNS name, NetBIOS name, and SID are not valid for an entry of type 'TopLevelName'.|
| 769 | Trusted forest information was added.
**Note:** This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type "TopLevelName".|
| 770 | Trusted forest information was deleted.
**Note:** This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type "TopLevelName".|
| 771 | Trusted forest information was modified.
**Note:** This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type "TopLevelName".|
-| 805 | The event log service read the security log configuration for a session.
-
+| 805 | The event log service read the security log configuration for a session.
+
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
-
-
+
+
diff --git a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
index 1382bf0fcb..11a05ab720 100644
--- a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
+++ b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
@@ -1,8 +1,8 @@
---
-title: Audit privilege use
+title: Audit privilege use
description: Determines whether to audit each instance of a user exercising a user right.
ms.assetid: C5C6DAAF-8B58-4DFB-B1CE-F0675AE0E9F8
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -46,10 +46,10 @@ You can configure this security setting under Computer Configuration\\Windows Se
| - | - |
| 576 | Specified privileges were added to a user's access token.
**Note:** This event is generated when the user logs on.|
| 577 | A user attempted to perform a privileged system service operation. |
-| 578 | Privileges were used on an already open handle to a protected object. |
-
+| 578 | Privileges were used on an already open handle to a protected object. |
+
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
-
-
+
+
diff --git a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
index b7eb7ea1fd..796e7f323f 100644
--- a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
+++ b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
@@ -1,8 +1,8 @@
---
-title: Audit process tracking
+title: Audit process tracking
description: Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.
ms.assetid: 91AC5C1E-F4DA-4B16-BEE2-C92D66E4CEEA
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -34,20 +34,20 @@ You can configure this security setting under Computer Configuration\\Windows Se
| Process tracking events | Description |
| - | - |
-| 592 | A new process was created.|
+| 592 | A new process was created.|
| 593 | A process exited. |
-| 594 | A handle to an object was duplicated.|
-| 595 | Indirect access to an object was obtained.|
+| 594 | A handle to an object was duplicated.|
+| 595 | Indirect access to an object was obtained.|
| 596 | A data protection master key was backed up.
**Note:** The master key is used by the CryptProtectData and CryptUnprotectData routines, and Encrypting File System (EFS). The master key is backed up each time a new one is created. (The default setting is 90 days.) The key is usually backed up to a domain controller.|
-| 597 | A data protection master key was recovered from a recovery server.|
+| 597 | A data protection master key was recovered from a recovery server.|
| 598 | Auditable data was protected. |
-| 599 | Auditable data was unprotected.|
-| 600 | A process was assigned a primary token.|
+| 599 | Auditable data was unprotected.|
+| 600 | A process was assigned a primary token.|
| 601 | A user attempted to install a service. |
| 602 | A scheduler job was created. |
-
+
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
-
-
+
+
diff --git a/windows/security/threat-protection/auditing/basic-audit-system-events.md b/windows/security/threat-protection/auditing/basic-audit-system-events.md
index 0af90ae965..c3a231e65c 100644
--- a/windows/security/threat-protection/auditing/basic-audit-system-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-system-events.md
@@ -1,8 +1,8 @@
---
-title: Audit system events
+title: Audit system events
description: Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.
ms.assetid: BF27588C-2AA7-4365-A4BF-3BB377916447
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -37,14 +37,14 @@ You can configure this security setting by opening the appropriate policy under
| Logon events | Description |
| - | - |
-| 512 | Windows is starting up. |
+| 512 | Windows is starting up. |
| 513 | Windows is shutting down. |
-| 514 | An authentication package was loaded by the Local Security Authority.|
-| 515 | A trusted logon process has registered with the Local Security Authority.|
-| 516 | Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.|
+| 514 | An authentication package was loaded by the Local Security Authority.|
+| 515 | A trusted logon process has registered with the Local Security Authority.|
+| 516 | Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.|
| 517 | The audit log was cleared. |
-| 518 | A notification package was loaded by the Security Accounts Manager.|
-| 519 | A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client and reply or read from or write to a client address space.|
+| 518 | A notification package was loaded by the Security Accounts Manager.|
+| 519 | A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client and reply or read from or write to a client address space.|
| 520 | The system time was changed.
**Note:** This audit normally appears twice.|
## Related topics
diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md
index 95d4e51fe0..93ea3850e5 100644
--- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md
+++ b/windows/security/threat-protection/auditing/basic-security-audit-policies.md
@@ -1,8 +1,8 @@
---
-title: Basic security audit policies
+title: Basic security audit policies
description: Learn about basic security audit policies that specify the categories of security-related events that you want to audit for the needs of your organization.
ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -34,15 +34,15 @@ The event categories that you can choose to audit are:
- Audit process tracking
- Audit system events
-If you choose to audit access to objects as part of your audit policy, you must enable either the audit directory service access category (for auditing objects on a domain controller), or the audit object access category (for auditing objects on a member server or workstation). Once you have enabled the object access category, you can specify the types of access you want to audit for each group or user.
+If you choose to audit access to objects as part of your audit policy, you must enable either the audit directory service access category, for auditing objects on a domain controller, or the audit object access category, for auditing objects on a member server or workstation. After you enable the object access category, you can specify the types of access you want to audit for each group or user.
## In this section
-| Topic | Description |
+| Article | Description |
| - | - |
| [Create a basic audit policy for an event category](create-a-basic-audit-policy-settings-for-an-event-category.md) | By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default. |
-| [Apply a basic audit policy on a file or folder](apply-a-basic-audit-policy-on-a-file-or-folder.md) | You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log. |
-| [View the security event log](view-the-security-event-log.md) | The security log records each event as defined by the audit policies you set on each object.|
+| [Apply a basic audit policy on a file or folder](apply-a-basic-audit-policy-on-a-file-or-folder.md) | You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful or failed access attempts in the security log. |
+| [View the security event log](view-the-security-event-log.md) | The security log records each event as defined by the audit policies you set on each object.|
| [Basic security audit policy settings](basic-security-audit-policy-settings.md) | Basic security audit policy settings are found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.|
-
-
+
+
diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
index 9c9d050b55..70b4c9c798 100644
--- a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
@@ -1,8 +1,8 @@
---
-title: Basic security audit policy settings
+title: Basic security audit policy settings
description: Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
ms.assetid: 31C2C453-2CFC-4D9E-BC88-8CE1C1A8F900
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -26,18 +26,18 @@ Basic security audit policy settings are found under Computer Configuration\\Win
| Topic | Description |
| - | - |
-| [Audit account logon events](basic-audit-account-logon-events.md) | Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.|
-| [Audit account management](basic-audit-account-management.md) | Determines whether to audit each event of account management on a device.|
-| [Audit directory service access](basic-audit-directory-service-access.md) | Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.|
+| [Audit account logon events](basic-audit-account-logon-events.md) | Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.|
+| [Audit account management](basic-audit-account-management.md) | Determines whether to audit each event of account management on a device.|
+| [Audit directory service access](basic-audit-directory-service-access.md) | Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.|
| [Audit logon events](basic-audit-logon-events.md) | Determines whether to audit each instance of a user logging on to or logging off from a device. |
-| [Audit object access](basic-audit-object-access.md) | Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.|
+| [Audit object access](basic-audit-object-access.md) | Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.|
| [Audit policy change](basic-audit-policy-change.md) | Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies. |
| [Audit privilege use](basic-audit-privilege-use.md) | Determines whether to audit each instance of a user exercising a user right. |
-| [Audit process tracking](basic-audit-process-tracking.md) | Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.|
+| [Audit process tracking](basic-audit-process-tracking.md) | Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.|
| [Audit system events](basic-audit-system-events.md) | Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log. |
-
+
## Related topics
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
-
-
+
+
diff --git a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
index 9a49d95bbe..90f66f7720 100644
--- a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
+++ b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
@@ -1,8 +1,8 @@
---
-title: Create a basic audit policy for an event category
+title: Create a basic audit policy for an event category
description: By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization.
ms.assetid: C9F52751-B40D-482E-BE9D-2C61098249D3
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/07/2021
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md
index 726f71bbbd..5ca11d5d60 100644
--- a/windows/security/threat-protection/auditing/event-4720.md
+++ b/windows/security/threat-protection/auditing/event-4720.md
@@ -166,83 +166,9 @@ Typically, **Primary Group** field for new user accounts has the following value
> **Note** **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
-- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. **Old UAC value** always **“0x0”** for new user accounts. This parameter contains the previous value of **userAccountControl** attribute of user object.
+- **Old UAC Value** [Type = UnicodeString]: is always “0x0” for new accounts.
-- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. This parameter contains the value of **userAccountControl** attribute of new user object.
-
-To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag.
-
-Here's an example: Flags value from event: 0x15
-
-Decoding:
-
-• PASSWD\_NOTREQD 0x0020
-
-• LOCKOUT 0x0010
-
-• HOMEDIR\_REQUIRED 0x0008
-
-• (undeclared) 0x0004
-
-• ACCOUNTDISABLE 0x0002
-
-• SCRIPT 0x0001
-
-0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event
-
-0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
-
-0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
-
-0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
-
-0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
-
-So this UAC flags value decodes to: LOCKOUT and SCRIPT
-
-- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. For new user accounts, when the object for this account was created, the **userAccountControl** value was considered to be **“0x0”**, and then it was changed from **“0x0”** to the real value for the account's **userAccountControl** attribute. See possible values in the table below. In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4720 event.
-
-| Flag Name | userAccountControl in hexadecimal | userAccountControl in decimal | Description | User Account Control field text |
-|------------------------------------|-----------------------------------|-------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------|
-| SCRIPT | 0x0001 | 1 | The logon script will be run. | Changes of this flag do not show in 4720 events. |
-| ACCOUNTDISABLE | 0x0002 | 2 | The user account is disabled. | Account Disabled
Account Enabled |
-| Undeclared | 0x0004 | 4 | This flag is undeclared. | Changes of this flag do not show in 4720 events. |
-| HOMEDIR\_REQUIRED | 0x0008 | 8 | The home folder is required. | 'Home Directory Required' - Enabled
'Home Directory Required' - Disabled |
-| LOCKOUT | 0x0010 | 16 | | Changes of this flag do not show in 4720 events. |
-| PASSWD\_NOTREQD | 0x0020 | 32 | No password is required. | 'Password Not Required' - Enabled
'Password Not Required' - Disabled |
-| PASSWD\_CANT\_CHANGE | 0x0040 | 64 | The user cannot change the password. This is a permission on the user's object. | Changes of this flag do not show in 4720 events. |
-| ENCRYPTED\_TEXT\_PWD\_ALLOWED | 0x0080 | 128 | The user can send an encrypted password.
Can be set using “Store password using reversible encryption” checkbox. | 'Encrypted Text Password Allowed' - Disabled
'Encrypted Text Password Allowed' - Enabled |
-| TEMP\_DUPLICATE\_ACCOUNT | 0x0100 | 256 | This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account. | Cannot be set for computer account. |
-| NORMAL\_ACCOUNT | 0x0200 | 512 | This is a default account type that represents a typical user. | 'Normal Account' - Disabled
'Normal Account' - Enabled |
-| INTERDOMAIN\_TRUST\_ACCOUNT | 0x0800 | 2048 | This is a permit to trust an account for a system domain that trusts other domains. | Cannot be set for computer account. |
-| WORKSTATION\_TRUST\_ACCOUNT | 0x1000 | 4096 | This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain. | 'Workstation Trust Account' - Disabled
'Workstation Trust Account' - Enabled |
-| SERVER\_TRUST\_ACCOUNT | 0x2000 | 8192 | This is a computer account for a domain controller that is a member of this domain. | 'Server Trust Account' - Enabled
'Server Trust Account' - Disabled |
-| DONT\_EXPIRE\_PASSWORD | 0x10000 | 65536 | Represents the password, which should never expire on the account.
Can be set using “Password never expires” checkbox. | 'Don't Expire Password' - Disabled
'Don't Expire Password' - Enabled |
-| MNS\_LOGON\_ACCOUNT | 0x20000 | 131072 | This is an MNS logon account. | 'MNS Logon Account' - Disabled
'MNS Logon Account' - Enabled |
-| SMARTCARD\_REQUIRED | 0x40000 | 262144 | When this flag is set, it forces the user to log on by using a smart card. | 'Smartcard Required' - Disabled
'Smartcard Required' - Enabled |
-| TRUSTED\_FOR\_DELEGATION | 0x80000 | 524288 | When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
If you enable Kerberos constraint or unconstraint delegation or disable these types of delegation in Delegation tab you will get this flag changed. | 'Trusted For Delegation' - Enabled
'Trusted For Delegation' - Disabled |
-| NOT\_DELEGATED | 0x100000 | 1048576 | When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
Can be set using “Account is sensitive and cannot be delegated” checkbox. | 'Not Delegated' - Disabled
'Not Delegated' - Enabled |
-| USE\_DES\_KEY\_ONLY | 0x200000 | 2097152 | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
Can be set using “Use Kerberos DES encryption types for this account” checkbox. | 'Use DES Key Only' - Disabled
'Use DES Key Only' - Enabled |
-| DONT\_REQ\_PREAUTH | 0x400000 | 4194304 | This account does not require Kerberos pre-authentication for logging on.
Can be set using “Do not require Kerberos preauthentication” checkbox. | 'Don't Require Preauth' - Disabled
'Don't Require Preauth' - Enabled |
-| PASSWORD\_EXPIRED | 0x800000 | 8388608 | The user's password has expired. | Changes of this flag do not show in 4720 events. |
-| TRUSTED\_TO\_AUTH\_FOR\_DELEGATION | 0x1000000 | 16777216 | The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
If you enable Kerberos protocol transition delegation or disable this type of delegation in Delegation tab you will get this flag changed. | 'Trusted To Authenticate For Delegation' - Disabled
'Trusted To Authenticate For Delegation' - Enabled |
-| PARTIAL\_SECRETS\_ACCOUNT | 0x04000000 | 67108864 | The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. | No information. |
-
-For new, manually created, domain or local user accounts typical flags are:
-
-- Account Disabled
-
-- 'Password Not Required' - Enabled
-
-- 'Normal Account' – Enabled
-
- After new user creation event you will typically see couple of “[4738](event-4738.md): A user account was changed.” events with new flags:
-
-- 'Password Not Required' – Disabled
-
-- Account Enabled
-
-
+- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec).
- **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of user’s account properties, then you will see **<value changed, but not displayed>** in this field in “[4738](event-4738.md): A user account was changed.” This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value “**<value not set>**”.
diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md
index 61cd4e80e6..be3bf1a1e5 100644
--- a/windows/security/threat-protection/auditing/event-4738.md
+++ b/windows/security/threat-protection/auditing/event-4738.md
@@ -192,39 +192,9 @@ Typical **Primary Group** values for user accounts:
> [!NOTE]
> **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
-- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. This parameter contains the previous value of **userAccountControl** attribute of user object.
+- **Old UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of the SAM implementation of account flags (definition differs from userAccountControl in AD).
-- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. If the value of **userAccountControl** attribute of user object was changed, you will see the new value here.
-
-To decode this value, you can go through the property value definitions in the [User’s or Computer’s account UAC flags.](/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties) from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag.
-
-Here's an example: Flags value from event: 0x15
-
-Decoding:
-
-• PASSWD\_NOTREQD 0x0020
-
-• LOCKOUT 0x0010
-
-• HOMEDIR\_REQUIRED 0x0008
-
-• (undeclared) 0x0004
-
-• ACCOUNTDISABLE 0x0002
-
-• SCRIPT 0x0001
-
-0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event
-
-0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
-
-0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
-
-0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
-
-0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
-
-So this UAC flags value decodes to: LOCKOUT and SCRIPT
+- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). If the value was changed, you will see the new value here. For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec).
- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. See possible values in here: [User’s or Computer’s account UAC flags](/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties). In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4738 event.
diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md
index a245d7e5ce..e26b0c96b3 100644
--- a/windows/security/threat-protection/auditing/event-4741.md
+++ b/windows/security/threat-protection/auditing/event-4741.md
@@ -170,69 +170,9 @@ Typically, **Primary Group** field for new computer accounts has the following v
> [!NOTE]
> **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
-- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. **Old UAC value** always `0x0` for new computer accounts. This parameter contains the previous value of **userAccountControl** attribute of computer object.
+- **Old UAC Value** [Type = UnicodeString]: is always “0x0” for new accounts.
-- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of **userAccountControl** attribute of new computer object.
-
-To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag.
-
-Here's an example: Flags value from event: 0x15
-
-Decoding:
-
-• PASSWD\_NOTREQD 0x0020
-
-• LOCKOUT 0x0010
-
-• HOMEDIR\_REQUIRED 0x0008
-
-• (undeclared) 0x0004
-
-• ACCOUNTDISABLE 0x0002
-
-• SCRIPT 0x0001
-
-0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event
-
-0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
-
-0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
-
-0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
-
-0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
-
-So this UAC flags value decodes to: LOCKOUT and SCRIPT
-
-- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. For new computer accounts, when the object for this account was created, the **userAccountControl** value was considered to be `0x0`, and then it was changed from `0x0` to the real value for the account's **userAccountControl** attribute. See possible values in the table below. In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4741 event.
-
-| Flag Name | userAccountControl in hexadecimal | userAccountControl in decimal | Description | User Account Control field text |
-|---|---|---|---|---|
-| SCRIPT | 0x0001 | 1 | The logon script will be run. | Changes of this flag do not show in 4741 events. |
-| ACCOUNTDISABLE | 0x0002 | 2 | The user account is disabled. | Account Disabled
Account Enabled |
-| Undeclared | 0x0004 | 4 | This flag is undeclared. | Changes of this flag do not show in 4741 events. |
-| HOMEDIR\_REQUIRED | 0x0008 | 8 | The home folder is required. | 'Home Directory Required' - Enabled
'Home Directory Required' - Disabled |
-| LOCKOUT | 0x0010 | 16 | | Changes of this flag do not show in 4741 events. |
-| PASSWD\_NOTREQD | 0x0020 | 32 | No password is required. | 'Password Not Required' - Enabled
'Password Not Required' - Disabled |
-| PASSWD\_CANT\_CHANGE | 0x0040 | 64 | The user cannot change the password. This is a permission on the user's object. | Changes of this flag do not show in 4741 events. |
-| ENCRYPTED\_TEXT\_PWD\_ALLOWED | 0x0080 | 128 | The user can send an encrypted password.
Can be set using “Store password using reversible encryption” checkbox. | 'Encrypted Text Password Allowed' - Disabled
'Encrypted Text Password Allowed' - Enabled |
-| TEMP\_DUPLICATE\_ACCOUNT | 0x0100 | 256 | This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account. | Cannot be set for computer account. |
-| NORMAL\_ACCOUNT | 0x0200 | 512 | This is a default account type that represents a typical user. | 'Normal Account' - Disabled
'Normal Account' - Enabled |
-| INTERDOMAIN\_TRUST\_ACCOUNT | 0x0800 | 2048 | This is a permit to trust an account for a system domain that trusts other domains. | Cannot be set for computer account. |
-| WORKSTATION\_TRUST\_ACCOUNT | 0x1000 | 4096 | This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain. | 'Workstation Trust Account' - Disabled
'Workstation Trust Account' - Enabled |
-| SERVER\_TRUST\_ACCOUNT | 0x2000 | 8192 | This is a computer account for a domain controller that is a member of this domain. | 'Server Trust Account' - Enabled
'Server Trust Account' - Disabled |
-| DONT\_EXPIRE\_PASSWORD | 0x10000 | 65536 | Represents the password, which should never expire on the account.
Can be set using “Password never expires” checkbox. | 'Don't Expire Password' - Disabled
'Don't Expire Password' - Enabled |
-| MNS\_LOGON\_ACCOUNT | 0x20000 | 131072 | This is an MNS logon account. | 'MNS Logon Account' - Disabled
'MNS Logon Account' - Enabled |
-| SMARTCARD\_REQUIRED | 0x40000 | 262144 | When this flag is set, it forces the user to log on by using a smart card. | 'Smartcard Required' - Disabled
'Smartcard Required' - Enabled |
-| TRUSTED\_FOR\_DELEGATION | 0x80000 | 524288 | When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
If you enable Kerberos constraint or unconstraint delegation or disable these types of delegation in Delegation tab you will get this flag changed. | 'Trusted For Delegation' - Enabled
'Trusted For Delegation' - Disabled |
-| NOT\_DELEGATED | 0x100000 | 1048576 | When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
Can be set using “Account is sensitive and cannot be delegated” checkbox. | 'Not Delegated' - Disabled
'Not Delegated' - Enabled |
-| USE\_DES\_KEY\_ONLY | 0x200000 | 2097152 | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
Can be set using “Use Kerberos DES encryption types for this account” checkbox. | 'Use DES Key Only' - Disabled
'Use DES Key Only' - Enabled |
-| DONT\_REQ\_PREAUTH | 0x400000 | 4194304 | This account does not require Kerberos pre-authentication for logging on.
Can be set using “Do not require Kerberos preauthentication” checkbox. | 'Don't Require Preauth' - Disabled
'Don't Require Preauth' - Enabled |
-| PASSWORD\_EXPIRED | 0x800000 | 8388608 | The user's password has expired. | Changes of this flag do not show in 4741 events. |
-| TRUSTED\_TO\_AUTH\_FOR\_DELEGATION | 0x1000000 | 16777216 | The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
If you enable Kerberos protocol transition delegation or disable this type of delegation in Delegation tab you will get this flag changed. | 'Trusted To Authenticate For Delegation' - Disabled
'Trusted To Authenticate For Delegation' - Enabled |
-| PARTIAL\_SECRETS\_ACCOUNT | 0x04000000 | 67108864 | The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. | No information. |
-
-> Table 7. User’s or Computer’s account UAC flags.
+- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec).
- **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer’s account properties, then you will see `
Departmental Payroll Managers: Write only on Corp-Finance-1| High| Financial integrity and employee privacy|
| Patient medical records| MedRec-2| Doctors and Nurses: Read/write on Med/Rec-2
Lab Assistants: Write only on MedRec-2
Accounting: Read only on MedRec-2| High| Strict legal and regulatory standards|
| Consumer health information| Web-Ext-1| Public Relations Web Content Creators: Read/write on Web-Ext-1
Public: Read only on Web-Ext-1| Low| Public education and corporate image|
-
+
### Users
Many organizations find it useful to classify the types of users they have and then base permissions on this classification. This classification can help you identify which user activities should be the subject of security auditing and the amount of audit data that they'll generate.
@@ -140,7 +140,7 @@ The following table illustrates an analysis of users on a network. Our example c
| Account administrators| User accounts and security groups| Account administrators have full privileges to create new user accounts, reset passwords, and modify security group memberships. We need a mechanism to monitor these changes. |
| Members of the Finance OU| Financial records| Users in Finance have read/write access to critical financial records but no ability to change permissions on these resources. These financial records are subject to government regulatory compliance requirements. |
| External partners | Project Z| Employees of partner organizations have read/write access to certain project data and servers relating to Project Z but not to other servers or data on the network.|
-
+
### Computers
Security and auditing requirements and audit event volume can vary considerably for different types of computers in an organization. These requirements can be based on:
@@ -151,14 +151,14 @@ Security and auditing requirements and audit event volume can vary considerably
> [!NOTE]
> For more information about auditing:
> - In Exchange Server, see [Exchange 2010 Security Guide](/previous-versions/office/exchange-server-2010/bb691338(v=exchg.141)).
- > - In SQL Server 2008, see [Auditing (Database Engine)](/previous-versions/sql/sql-server-2008-r2/cc280526(v=sql.105)).
+ > - In SQL Server 2008, see [Auditing (Database Engine)](/previous-versions/sql/sql-server-2008-r2/cc280526(v=sql.105)).
> - In SQL Server 2012, see [SQL Server Audit (Database Engine)](/sql/relational-databases/security/auditing/sql-server-audit-database-engine).
-
+
- The operating system versions
> [!NOTE]
> The operating system version determines which auditing options are available and the volume of audit event data.
-
+
- The business value of the data
For example, a web server that's accessed by external users requires different audit settings than a root certification authority (CA) that's never exposed to the public internet or even to regular users on the organization's network.
@@ -171,7 +171,7 @@ The following table illustrates an analysis of computers in an organization.
| File servers | Windows Server 2012| Separate resource OUs by department and (in some cases) by location|
| Portable computers | Windows Vista and Windows 7| Separate portable computer OUs by department and (in some cases) by location|
| Web servers | Windows Server 2008 R2 | WebSrv OU|
-
+
### Regulatory requirements
Many industries and locales have specific requirements for network operations and how resources are protected. In the health care and financial industries, for example, strict guidelines control who can access records and how the records are used. Many countries/regions have strict privacy rules. To identify regulatory requirements, work with your organization's legal department and other departments responsible for these requirements. Then consider the security configuration and auditing options that you can use to comply with these regulations and verify compliance.
@@ -199,7 +199,7 @@ By using Group Policy, you can apply your security audit policy to defined group
> Whether you apply advanced audit policies by using Group Policy or logon scripts, don't use both the basic audit policy settings under **Local Policies\Audit Policy** and the advanced settings under **Security Settings\Advanced Audit Policy Configuration**. Using both basic and advanced audit policy settings can cause unexpected results in audit reporting.
If you use **Advanced Audit Policy Configuration** settings or logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This configuration will prevent conflicts between similar settings by forcing basic security auditing to be ignored.
-
+
The following examples show how you can apply audit policies to an organization's OU structure:
@@ -210,8 +210,8 @@ The following examples show how you can apply audit policies to an organization'
## Map your security auditing goals to a security audit policy configuration
After you identify your security auditing goals, you can map them to a security audit policy configuration. This audit policy configuration must address your security auditing goals. But it also must reflect your organization's constraints, such as the numbers of:
-- Computers that need to be monitored
-- Activities that you want to audit
+- Computers that need to be monitored
+- Activities that you want to audit
- Audit events that your audit configuration will generate
- Administrators available to analyze and act upon audit data
@@ -230,7 +230,7 @@ You can view and configure security audit policy settings in the supported versi
- *Security Settings\\Local Policies\\Audit Policy*
- *Security Settings\\Local Policies\\Security Options*
- *Security Settings\\Advanced Audit Policy Configuration*
-
+
For more information, see [Advanced security audit policy settings](advanced-security-audit-policy-settings.md).
### Choose audit settings to use
@@ -255,16 +255,16 @@ Compromise to an organization's data resources can cause tremendous financial lo
> [!NOTE]
> To audit user attempts to access all file system objects on a computer, use the *Global Object Access Auditing* settings [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) or [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md).
-
+
- **Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md)**: This policy setting determines whether the operating system generates audit events when a handle to an object is opened or closed. Only objects with configured SACLs generate these events and only if the attempted handle operation matches the SACL.
Event volume can be high, depending on how the SACLs are configured. When used together with the **Audit File System** or **Audit Registry** policy setting, the **Audit Handle Manipulation** policy setting can provide useful "reason for access" audit data that details the precise permissions on which the audit event is based. For example, if a file is configured as a *read-only* resource but a user tries to save changes to the file, the audit event will log the event *and* the permissions that were used (or attempted to be used) to save the file changes.
-
+
- **Global Object Access Auditing**: Many organizations use security auditing to comply with regulatory requirements that govern data security and privacy. But demonstrating that strict controls are being enforced can be difficult. To address this issue, the supported versions of Windows include two **Global Object Access Auditing** policy settings, one for the registry and one for the file system. When you configure these settings, they apply a global system access control SACL on all objects of that class on a system. These settings can't be overridden or circumvented.
> [!IMPORTANT]
> The **Global Object Access Auditing** policy settings must be configured and applied in conjunction with the **Audit File System** and **Audit Registry** audit policy settings in the **Object Access** category.
-
+
### User activity
The settings in the previous section relate to activity involving the files, folders, and network shares that are stored on a network. The settings in this section focus on the users who may try to access those resources, including employees, partners, and customers.
@@ -279,7 +279,7 @@ In most cases, these attempts are legitimate, and the network needs to make data
> [!NOTE]
> There's no failure event for logoff activity, because failed logoffs (such as when a system abruptly shuts down) don't generate an audit record. Logoff events aren't 100-percent reliable. For example, a computer can be turned off without a proper logoff and shut down, so a logoff event isn't generated.
-
+
- **Logon/Logoff\\[Audit Special Logon](audit-special-logon.md)**: A special logon has administrator-equivalent rights and can be used to elevate a process to a higher level. It's recommended to track these types of logons.
- **Object Access\\[Audit Certification Services](audit-certification-services.md)**: This policy setting enables you to monitor activities on a computer that hosts Active Directory Certificate Services (AD CS) role services to ensure that only authorized users do these tasks and only authorized or desirable tasks are done.
- **Object Access\\[Audit File System](audit-file-system.md) and Object Access\\[Audit File Share](audit-file-share.md)**: These policy settings are described in the previous section.
@@ -288,7 +288,7 @@ In most cases, these attempts are legitimate, and the network needs to make data
> [!IMPORTANT]
> On critical systems where all attempts to change registry settings should be tracked, you can combine the **Audit Registry** and **Global Object Access Auditing** policy settings to track all attempts to modify registry settings on a computer.
-
+
- **Object Access\\[Audit SAM](audit-sam.md)**: The Security Accounts Manager (SAM) is a database on computers running Windows that stores user accounts and security descriptors for users on the local computer. Changes to user and group objects are tracked by the **Account Management** audit category. However, user accounts with the proper user rights could potentially alter the files where the account and password information is stored in the system, bypassing any **Account Management** events.
- **Privilege Use\\[Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)**: These policy settings and audit events enable you to track the use of certain rights on one or more systems. If you configure this policy setting, an audit event is generated when sensitive rights requests are made.
@@ -301,7 +301,7 @@ The following network activity policy settings enable you to monitor security-re
>[!NOTE]
>**Account Logon** policy settings apply only to specific domain account activities, regardless of which computer is accessed. **Logon/Logoff** policy settings apply to the computer that hosts the resources that are accessed.
-
+
- **Account Logon\\[Audit Other Account Logon Events](audit-other-account-logon-events.md)**: This policy setting can be used to track various network activities, including attempts to create Remote Desktop connections, wired network connections, and wireless connections.
- **DS Access**: Policy settings in this category enable you to monitor AD DS role services. These services provide account data, validate logons, maintain network access permissions, and provide other functionality that's critical to secure and proper functioning of a network. Therefore, auditing the rights to access and modify the configuration of a domain controller can help an organization maintain a secure and reliable network. One of the key tasks that AD DS performs is replication of data between domain controllers.
- **Logon/Logoff\\[Audit IPsec Extended Mode](audit-ipsec-extended-mode.md)**, **Logon/Logoff\\[Audit IPsec Main Mode](audit-ipsec-main-mode.md)**, and **Logon/Logoff\\[Audit IPsec Quick Mode](audit-ipsec-quick-mode.md)**: Networks often support many external users, including remote employees and partners. Because these users are outside the organization's network boundaries, IPsec is often used to help protect communications over the internet. It enables network-level peer authentication, data origin authentication, data integrity checks, data confidentiality (encryption), and protection against replay attacks. You can use these settings to ensure that IPsec services are functioning properly.
diff --git a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md
index ac19f5355d..b82b7aa8de 100644
--- a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md
+++ b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md
@@ -1,8 +1,8 @@
---
-title: Registry (Global Object Access Auditing)
+title: Registry (Global Object Access Auditing)
description: The Advanced Security Audit policy setting, Registry (Global Object Access Auditing), enables you to configure a global system access control list (SACL).
ms.assetid: 953bb1c1-3f76-43be-ba17-4aed2304f578
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/09/2021
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/auditing/security-auditing-overview.md b/windows/security/threat-protection/auditing/security-auditing-overview.md
index da20ec1bb0..a4e0800569 100644
--- a/windows/security/threat-protection/auditing/security-auditing-overview.md
+++ b/windows/security/threat-protection/auditing/security-auditing-overview.md
@@ -1,8 +1,8 @@
---
-title: Security auditing
+title: Security auditing
description: Learn about security auditing features in Windows, and how your organization can benefit from using them to make your network more secure and easily managed.
ms.assetid: 2d9b8142-49bd-4a33-b246-3f0c2a5f32d4
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/09/2021
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
index 0d0c6e1fb7..076763b3d8 100644
--- a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
+++ b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
@@ -1,8 +1,8 @@
---
-title: Using advanced security auditing options to monitor dynamic access control objects
+title: Using advanced security auditing options to monitor dynamic access control objects
description: Domain admins can set up advanced security audit options in Windows 10 to target specific users, or monitor potentially significant activity on multiple devices
ms.assetid: 0d2c28ea-bdaf-47fd-bca2-a07dce5fed37
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/09/2021
ms.technology: itpro-security
---
@@ -40,9 +40,9 @@ Domain administrators can create and deploy expression-based security audit poli
| [Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md)| This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you're using advanced security auditing options to monitor dynamic access control objects. |
| [Monitor the central access policies associated with files and folders](monitor-the-central-access-policies-associated-with-files-and-folders.md)| This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you're using advanced security auditing options to monitor dynamic access control objects. |
| [Monitor claim types](monitor-claim-types.md) | This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you're using advanced security auditing options.|
-
+
>**Important:** This procedure can be configured on computers running any of the supported Windows operating systems. The other monitoring procedures can be configured only as part of a functioning dynamic access control deployment.
-
+
## Related topics
- [Security auditing](security-auditing-overview.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/view-the-security-event-log.md b/windows/security/threat-protection/auditing/view-the-security-event-log.md
index 25265ee877..88b1438852 100644
--- a/windows/security/threat-protection/auditing/view-the-security-event-log.md
+++ b/windows/security/threat-protection/auditing/view-the-security-event-log.md
@@ -1,8 +1,8 @@
---
-title: View the security event log
+title: View the security event log
description: The security log records each event as defined by the audit policies you set on each object.
ms.assetid: 20DD2ACD-241A-45C5-A92F-4BE0D9F198B9
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/09/2021
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
index ef99d2c066..2ede0f5748 100644
--- a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
+++ b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
@@ -1,8 +1,8 @@
---
-title: Which editions of Windows support advanced audit policy configuration
+title: Which editions of Windows support advanced audit policy configuration
description: This reference topic for the IT professional describes which versions of the Windows operating systems support advanced security auditing policies.
ms.assetid: 87c71cc5-522d-4771-ac78-34a2a0825f31
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/09/2021
ms.technology: itpro-security
---
@@ -20,7 +20,7 @@ ms.technology: itpro-security
# Which editions of Windows support advanced audit policy configuration
-Advanced audit policy configuration is supported on all versions of Windows since it was introduced in Windows Vista.
-There's no difference in security auditing support between 32-bit and 64-bit versions.
-Windows editions that can't join a domain, such as Windows 10 Home edition, don't have access to these features.
+Advanced audit policy configuration is supported on all versions of Windows since it was introduced in Windows Vista.
+There's no difference in security auditing support between 32-bit and 64-bit versions.
+Windows editions that can't join a domain, such as Windows 10 Home edition, don't have access to these features.
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index ffc754aaf6..aafae23e17 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -26,7 +26,7 @@ See the following articles to learn more about the different areas of Windows th
- [Network Protection](/microsoft-365/security/defender-endpoint/network-protection)
- [Virtualization-Based Protection of Code Integrity](../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)
- [Web Protection](/microsoft-365/security/defender-endpoint/web-protection-overview)
-- [Windows Firewall](../operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md)
+- [Windows Firewall](../operating-system-security/network-security/windows-firewall/index.md)
- [Windows Sandbox](../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)
## Next-generation protection
diff --git a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md
index dc6bf37ae5..81f50b4fda 100644
--- a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md
+++ b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md
@@ -1,8 +1,8 @@
---
-title: Access Credential Manager as a trusted caller
+title: Access Credential Manager as a trusted caller
description: Describes best practices, security considerations, and more for the security policy setting, Access Credential Manager as a trusted caller.
ms.assetid: a51820d2-ca5b-47dd-8e9b-d7008603db88
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -56,7 +56,7 @@ The following table shows the default value for the server type or Group Policy
| Domain controller effective default settings | Not defined |
| Member server effective default settings | Not defined |
| Client computer effective default settings | Not defined |
-
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -93,4 +93,4 @@ None. Not defined is the default configuration.
## Related topics
[User Rights Assignment](user-rights-assignment.md)
-
+
diff --git a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md
index b5ace4fc62..f8a0e483fd 100644
--- a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md
+++ b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md
@@ -1,8 +1,8 @@
---
-title: Access this computer from the network - security policy setting
+title: Access this computer from the network - security policy setting
description: Describes the best practices, location, values, policy management, and security considerations for the Access this computer from the network security policy setting.
ms.assetid: f6767bc2-83d1-45f1-847c-54f5362db022
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 06/11/2021
ms.technology: itpro-security
---
@@ -69,7 +69,7 @@ The following table lists the actual and effective default policy values for the
| Domain controller effective default settings | Everyone, Administrators, Authenticated Users, Enterprise Domain Controllers, Pre-Windows 2000 Compatible Access |
| Member server effective default settings | Everyone, Administrators, Users, Backup Operators |
| Client computer effective default settings |Everyone, Administrators, Users, Backup Operators |
-
+
## Policy management
When you modify this user right, the following actions might cause users and services to experience network access issues:
@@ -103,11 +103,11 @@ Users who can connect from their device to the network can access resources on t
### Countermeasure
-Restrict the **Access this computer from the network** user right to only those users and groups who require access to the computer. For example, if you configure this policy setting to the **Administrators** and **Users** groups, users who sign in to the domain can access resources that are shared
+Restrict the **Access this computer from the network** user right to only those users and groups who require access to the computer. For example, if you configure this policy setting to the **Administrators** and **Users** groups, users who sign in to the domain can access resources that are shared
from servers in the domain if members of the **Domain Users** group are included in the local **Users** group.
> **Note** If you are using IPsec to help secure network communications in your organization, ensure that a group that includes machine accounts is given this right. This right is required for successful computer authentication. Assigning this right to **Authenticated Users** or **Domain Computers** meets this requirement.
-
+
### Potential impact
If you remove the **Access this computer from the network** user right on domain controllers for all users, no one can sign in to the domain or use network resources. If you remove this user right on member servers, users can't connect to those servers through the network. If you have installed optional components such as ASP.NET or Internet Information Services (IIS), you may need to assign this user right to other accounts that are required by those components. It's important to verify that authorized users are assigned this user right for the devices that they need to access the network.
@@ -116,5 +116,5 @@ If running Windows Server or Azure Stack HCI Failover Clustering, don't remove A
## Related topics
[User Rights Assignment](user-rights-assignment.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
index 89634c3e27..ab6ba1901c 100644
--- a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
+++ b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
@@ -1,8 +1,8 @@
---
-title: Account lockout duration
+title: Account lockout duration
description: Describes the best practices, location, values, and security considerations for the Account lockout duration security policy setting.
ms.assetid: a4167bf4-27c3-4a9b-8ef0-04e3c6ec3aa4
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 08/16/2021
ms.technology: itpro-security
---
@@ -40,7 +40,7 @@ This policy setting is dependent on the **Account lockout threshold** policy set
If [Account lockout threshold](account-lockout-threshold.md) is configured, after the specified number of failed attempts, the account will be locked out. If the **Account lockout duration** is set to 0, the account will remain locked until an administrator unlocks it manually.
-It's advisable to set **Account lockout duration** to approximately 15 minutes. To specify that the account will never be locked out, set the **Account lockout threshold** value to 0.
+It's advisable to set **Account lockout duration** to approximately 15 minutes. To specify that the account will never be locked out, set the **Account lockout threshold** value to 0.
### Location
@@ -58,7 +58,7 @@ The following table lists the actual and effective default policy values. Defaul
| Domain controller effective default settings | Not defined |
| Member server effective default settings | Not defined |
| Client computer effective default settings | Not applicable |
-
+
## Security considerations
More than a few unsuccessful password submissions during an attempt to sign in to a computer might represent an attacker's attempts to determine an account password by trial and error. The Windows and Windows Server operating systems can track sign-in attempts, and you can configure the operating system to disable the account for a preset period of time after a specified number of failed attempts. Account lockout policy settings control the threshold for this response and what action to take after the threshold is reached.
@@ -78,5 +78,5 @@ Configuring the **Account lockout duration** policy setting to 0 so that account
## Related topics
[Account Lockout Policy](account-lockout-policy.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md
index fe39bbcede..1872b25b41 100644
--- a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md
+++ b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md
@@ -1,8 +1,8 @@
---
-title: Account Lockout Policy
+title: Account Lockout Policy
description: Describes the Account Lockout Policy settings and links to information about each policy setting.
ms.assetid: eb968c28-17c5-405f-b413-50728cb7b724
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 10/11/2018
ms.technology: itpro-security
---
@@ -41,9 +41,9 @@ The following topics provide a discussion of each policy setting's implementatio
| [Account lockout threshold](account-lockout-threshold.md) | Describes the best practices, location, values, and security considerations for the **Account lockout threshold** security policy setting. |
| [Account lockout duration](account-lockout-duration.md) | Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting. |
| [Reset account lockout counter after](reset-account-lockout-counter-after.md) | Describes the best practices, location, values, and security considerations for the **Reset account lockout counter after** security policy setting. |
-
+
## Related topics
[Configure security policy settings](how-to-configure-security-policy-settings.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
index a735631952..2bae54f4e2 100644
--- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
+++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
@@ -1,8 +1,8 @@
---
-title: Account lockout threshold
+title: Account lockout threshold
description: Describes the best practices, location, values, and security considerations for the Account lockout threshold security policy setting.
ms.assetid: 4904bb40-a2bd-4fef-a102-260ba8d74e30
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 11/02/2018
ms.technology: itpro-security
---
@@ -52,7 +52,7 @@ The threshold that you select is a balance between operational efficiency and se
As with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout).
Implementation of this policy setting is dependent on your operational environment; threat vectors, deployed operating systems, and deployed apps. For more information, see [Implementation considerations](#bkmk-impleconsiderations) in this article.
-
+
### Location
**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy**
@@ -69,7 +69,7 @@ The following table lists the actual and effective default policy values. Defaul
| Domain controller effective default settings | 0 invalid sign-in attempts |
| Member server effective default settings |0 invalid sign-in attempts |
| Effective GPO default settings on client computers |0 invalid sign-in attempts |
-
+
### Policy management
This section describes features and tools that are available to help you manage this policy setting.
@@ -88,7 +88,7 @@ Implementation of this policy setting depends on your operational environment. C
- Not all apps that are used in your environment effectively manage how many times a user can attempt to sign in. For instance, if a connection drops repeatedly when a user is running the app, all subsequent failed sign-in attempts count toward the account lockout threshold.
-For more information about Windows security baseline recommendations for account lockout, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout).
+For more information about Windows security baseline recommendations for account lockout, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout).
## Security considerations
@@ -105,7 +105,7 @@ However, a DoS attack could be performed on a domain that has an account lockout
> [!NOTE]
> Offline password attacks are not countered by this policy setting.
-
+
### Countermeasure
Because vulnerabilities can exist when this value is configured and when it's not configured, two distinct countermeasures are defined. Organizations should weigh the choice between the two, based on their identified threats and the risks that they want to mitigate. The two countermeasure options are:
@@ -114,11 +114,11 @@ Because vulnerabilities can exist when this value is configured and when it's no
- The password policy setting requires all users to have complex passwords of eight or more characters.
- A robust audit mechanism is in place to alert administrators when a series of failed sign-ins occurs in the environment.
-
+
- Configure the **Account lockout threshold** policy setting to a sufficiently high value to provide users with the ability to accidentally mistype their password several times before the account is locked, but ensure that a brute force password attack still locks the account.
[Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but doesn't prevent a DoS attack.
-
+
Using this type of policy must be accompanied by a process to unlock locked accounts. It must be possible to implement this policy whenever it's needed to help mitigate massive lockouts caused by an attack on your systems.
### Potential impact
diff --git a/windows/security/threat-protection/security-policy-settings/account-policies.md b/windows/security/threat-protection/security-policy-settings/account-policies.md
index a3fdbe5a3f..4504d333df 100644
--- a/windows/security/threat-protection/security-policy-settings/account-policies.md
+++ b/windows/security/threat-protection/security-policy-settings/account-policies.md
@@ -1,8 +1,8 @@
---
-title: Account Policies
+title: Account Policies
description: An overview of account policies in Windows and provides links to policy descriptions.
ms.assetid: 711b3797-b87a-4cd9-a2e3-1f8ef18688fb
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -28,7 +28,7 @@ An overview of account policies in Windows and provides links to policy descript
All account policies settings applied by using Group Policy are applied at the domain level. Default values are present in the built-in default domain controller policy for Password Policy settings, Account Lockout Policy settings, and Kerberos Policy settings. The domain account policy becomes the default local account policy of any device that is a member of the domain. If these policies are set at any level below the domain level in Active Directory Domain Services (AD DS), they affect only local accounts on member servers.
> [!NOTE]
> Each domain can have only one account policy. The account policy must be defined in the default domain policy or in a new policy that is linked to the root of the domain and given precedence over the default domain policy, which is enforced by the domain controllers in the domain. These domain-wide account policy settings (Password Policy, Account Lockout Policy, and Kerberos Policy) are enforced by the domain controllers in the domain; therefore, domain controllers always retrieve the values of these account policy settings from the default domain policy Group Policy Object (GPO).
-
+
The only exception is when another account policy is defined for an organizational unit (OU). The account policy settings for the OU affect the local policy on any computers that are contained in the OU. For example, if an OU policy defines a maximum password age that differs from the domain-level account policy, the OU policy will be applied and enforced only when users sign in to the local computer. The default local computer policies apply only to computers that are in a workgroup or in a domain where both an OU account policy and a domain policy don't apply.
## In this section
@@ -38,7 +38,7 @@ The only exception is when another account policy is defined for an organization
| [Password Policy](password-policy.md) | An overview of password policies for Windows and links to information for each policy setting. |
| [Account Lockout Policy](account-lockout-policy.md) | Describes the Account Lockout Policy settings and links to information about each policy setting. |
| [Kerberos Policy](kerberos-policy.md) | Describes the Kerberos Policy settings and provides links to policy setting descriptions. |
-
+
## Related topics
[Configure security policy settings](how-to-configure-security-policy-settings.md)
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md
index 23e43f6d45..179f5ba556 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md
@@ -1,8 +1,8 @@
---
-title: Accounts Administrator account status
+title: Accounts Administrator account status
description: Describes the best practices, location, values, and security considerations for the Accounts Administrator account status security policy setting.
ms.assetid: 71a3bd48-1014-49e0-a936-bfe9433af23e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 08/01/2017
ms.technology: itpro-security
---
@@ -87,7 +87,7 @@ When you start a device in safe mode, the disabled administrator account is enab
### How to access a disabled Administrator account
You can use the following methods to access a disabled Administrator account:
-- For non-domain joined computers: when all the local administrator accounts are disabled, start the device in safe mode (locally or over a network), and sign in by using the credentials for the default local administrator account on that computer.
+- For non-domain joined computers: when all the local administrator accounts are disabled, start the device in safe mode (locally or over a network), and sign in by using the credentials for the default local administrator account on that computer.
- For domain-joined computers: remotely run the command **net user administrator /active: yes** by using psexec to enable the default local administrator account.
## Security considerations
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
index ab6175a99f..1ac6245b9b 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
@@ -1,8 +1,8 @@
---
-title: Accounts Block Microsoft accounts
+title: Accounts Block Microsoft accounts
description: Describes the best practices, location, values, management, and security considerations for the Accounts Block Microsoft accounts security policy setting.
ms.assetid: 94c76f45-057c-4d80-8d01-033cf28ef2f7
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 08/10/2017
ms.technology: itpro-security
---
@@ -67,7 +67,7 @@ The following table lists the actual and effective default values for this polic
| DC Effective Default Settings | Disabled |
| Member Server Effective Default Settings | Disabled |
| Client Computer Effective Default Settings | Disabled |
-
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -95,4 +95,4 @@ Establishing greater control over accounts in your organization can give you mor
## Related topics
[Security Options](security-options.md)
-
+
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md
index ca1a50819a..6c768ad6d6 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md
@@ -1,8 +1,8 @@
---
-title: Accounts Guest account status - security policy setting
+title: Accounts Guest account status - security policy setting
description: Describes the best practices, location, values, and security considerations for the Accounts Guest account status security policy setting.
ms.assetid: 07e53fc5-b495-4d02-ab42-5b245d10d0ce
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -56,7 +56,7 @@ The following table lists the actual and effective default values for this polic
| DC Effective Default Settings | Disabled |
| Member Server Effective Default Settings | Disabled |
| Client Computer Effective Default Settings | Disabled |
-
+
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
@@ -76,5 +76,5 @@ All network users must be authenticated before they can access shared resources.
## Related topics
[Security Options](security-options.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
index 05b4e8f3ea..947a4c0f6f 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
@@ -1,8 +1,8 @@
---
-title: Accounts Limit local account use of blank passwords
+title: Accounts Limit local account use of blank passwords
description: Learn best practices, security considerations, and more for the policy setting, Accounts Limit local account use of blank passwords to console logon only.
ms.assetid: a1bfb58b-1ae8-4de9-832b-aa889a6e64bd
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -62,7 +62,7 @@ The following table lists the actual and effective default values for this polic
| DC Effective Default Settings | Enabled |
| Member Server Effective Default Settings | Enabled |
| Client Computer Effective Default Settings | Enabled |
-
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md
index 0e9b3c3257..44905ab096 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md
@@ -1,8 +1,8 @@
---
-title: Accounts Rename administrator account
+title: Accounts Rename administrator account
description: This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting.
ms.assetid: d21308eb-7c60-4e48-8747-62b8109844f9
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -55,7 +55,7 @@ The following table lists the actual and effective default values for this polic
| DC Effective Default Settings | Administrator |
| Member Server Effective Default Settings | Administrator |
| Client Computer Effective Default Settings | Administrator |
-
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -93,5 +93,5 @@ You must provide users who are authorized to use this account with the new accou
## Related topics
[Security Options](security-options.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md
index da35071790..d034cdf835 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md
@@ -1,8 +1,8 @@
---
-title: Accounts Rename guest account - security policy setting
+title: Accounts Rename guest account - security policy setting
description: Describes the best practices, location, values, and security considerations for the Accounts Rename guest account security policy setting.
ms.assetid: 9b8052b4-bbb9-4cc1-bfee-ce25390db707
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -55,7 +55,7 @@ The following table lists the actual and effective default values for this polic
| DC Effective Default Settings | Guest |
| Member Server Effective Default Settings | Guest |
| Client Computer Effective Default Settings | *User-defined text* |
-
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -78,7 +78,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-The guest account exists in all Windows server and client operating system versions beginning with Windows Server 2003 and Windows XP Professional. Because the account name is well known, it provides a vector for a malicious user to get access to network resources and attempt to elevate privileges
+The guest account exists in all Windows server and client operating system versions beginning with Windows Server 2003 and Windows XP Professional. Because the account name is well known, it provides a vector for a malicious user to get access to network resources and attempt to elevate privileges
or install software that could be used for a later attack on your system.
### Countermeasure
@@ -92,5 +92,5 @@ There should be little impact because the Guest account is disabled by default i
## Related topics
[Security Options](security-options.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md
index d8915c4e18..1bdbf787f1 100644
--- a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md
+++ b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md
@@ -1,8 +1,8 @@
---
-title: Act as part of the operating system
+title: Act as part of the operating system
description: Describes the best practices, location, values, policy management, and security considerations for the Act as part of the operating system security policy setting.
ms.assetid: c1b7e084-a9f7-4377-b678-07cc913c8b0c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -21,7 +21,7 @@ ms.technology: itpro-security
**Applies to**
- Windows 11
-- Windows 10
+- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Act as part of the operating system** security policy setting.
@@ -51,11 +51,11 @@ The following table lists the actual and effective default policy values for the
| - | - |
| Default domain policy | Not defined |
| Default domain controller policy| Not defined |
-| Stand-alone server default settings | Not defined |
+| Stand-alone server default settings | Not defined |
| Domain controller effective default settings | Not defined |
| Member server effective default settings | Not defined |
| Client computer effective default settings | Not defined |
-
+
## Policy management
A restart of the device isn't required for this policy setting to be effective.
@@ -90,4 +90,4 @@ There should be little or no impact because the **Act as part of the operating s
## Related topics
[User Rights Assignment](user-rights-assignment.md)
-
+
diff --git a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md
index 139d15f4ec..fb594e8748 100644
--- a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md
@@ -1,13 +1,13 @@
---
title: Add workstations to domain
description: Describes the best practices, location, values, policy management and security considerations for the Add workstations to domain security policy setting.
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -81,7 +81,7 @@ This policy has the following security considerations:
### Vulnerability
-The **Add workstations to domain** user right presents a moderate vulnerability. Users with this right could add a device to the domain that is configured in a way that violates organizational security policies. For example, if your organization doesn't want its users to have administrative
+The **Add workstations to domain** user right presents a moderate vulnerability. Users with this right could add a device to the domain that is configured in a way that violates organizational security policies. For example, if your organization doesn't want its users to have administrative
privileges on their devices, users could install Windows on their computers and then add the computers to the domain. The user would know the password for the local administrator account, could sign in with that account, and then add a personal domain account to the local Administrators group.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md b/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md
index 5ec3171725..5c9b499b8b 100644
--- a/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md
+++ b/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md
@@ -1,8 +1,8 @@
---
-title: Adjust memory quotas for a process
+title: Adjust memory quotas for a process
description: Describes the best practices, location, values, policy management, and security considerations for the Adjust memory quotas for a process security policy setting.
ms.assetid: 6754a2c8-6d07-4567-9af3-335fd8dd7626
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,7 +53,7 @@ By default, members of the Administrators, Local Service, and Network Service gr
The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page.
-| Server type or GPO | Default value |
+| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Administrators
Local Service
Network Service |
| Default Domain Controller Policy | Administrators
Local Service
Network Service |
@@ -61,7 +61,7 @@ The following table lists the actual and effective default policy values. Defaul
| Domain Controller Effective Default Settings | Administrators
Local Service
Network Service |
| Member Server Effective Default Settings | Administrators
Local Service
Network Service |
| Client Computer Effective Default Settings | Administrators
Local Service
Network Service |
-
+
## Policy management
A restart of the device is not required for this policy setting to be effective.
@@ -97,5 +97,5 @@ Organizations that have not restricted users to roles with limited privileges ma
## Related topics
- [User Rights Assignment](user-rights-assignment.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
index bca371957d..3a11417c5b 100644
--- a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
@@ -1,8 +1,8 @@
---
-title: Administer security policy settings
+title: Administer security policy settings
description: This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.
ms.assetid: 7617d885-9d28-437a-9371-171197407599
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -250,7 +250,7 @@ For example, a workstation that is joined to a domain will have its local securi
both the domain and local settings. If the workstation is a member of more than one Organizational Unit, then the Organizational Unit that immediately contains the workstation has the highest order of precedence.
> [!NOTE]
-> Use gpresult.exe to find out what policies are applied to a device and in what order.
+> Use gpresult.exe to find out what policies are applied to a device and in what order.
For domain accounts, there can be only one account policy that includes password policies, account lockout policies, and Kerberos policies.
**Persistence in security settings**
@@ -300,10 +300,10 @@ To avoid continued flagging of settings that you've investigated and determined
You can resolve discrepancies between analysis database and system settings by:
- Accepting or changing some or all of the values that are flagged or not included in the configuration, if you determine that the local system security levels are valid due to the context (or role) of that computer. These attribute values are then updated in the database and applied to the system when you click **Configure Computer Now**.
-- Configuring the system to the analysis database values, if you determine the system isn't in compliance with valid security levels.
-- Importing a more appropriate template for the role of that computer into the database as the new base configuration and applying it to the system.
-Changes to the analysis database are made to the stored template in the database, not to the security template file. The security template file will only be modified if you either return to Security Templates and edit that template or export the stored configuration to the same template file.
-You should use **Configure Computer Now** only to modify security areas *not* affected by Group Policy settings, such as security on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, it will take precedence over local settings—such as account policies.
+- Configuring the system to the analysis database values, if you determine the system isn't in compliance with valid security levels.
+- Importing a more appropriate template for the role of that computer into the database as the new base configuration and applying it to the system.
+Changes to the analysis database are made to the stored template in the database, not to the security template file. The security template file will only be modified if you either return to Security Templates and edit that template or export the stored configuration to the same template file.
+You should use **Configure Computer Now** only to modify security areas *not* affected by Group Policy settings, such as security on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, it will take precedence over local settings—such as account policies.
In general, don't use **Configure Computer Now** when you're analyzing security for domain-based clients, since you'll have to configure each client individually. In this case, you should return to Security Templates, modify the template, and reapply it to the appropriate Group Policy Object.
### Automating security configuration tasks
diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
index 5c246fea41..ec8dd1980d 100644
--- a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
+++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md
index aa212b8064..b76363e1b5 100644
--- a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md
+++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md
@@ -1,8 +1,8 @@
---
-title: Allow log on through Remote Desktop Services
+title: Allow log on through Remote Desktop Services
description: Best practices, location, values, policy management, and security considerations for the security policy setting. Allow a sign-in through Remote Desktop Services.
ms.assetid: 6267c376-8199-4f2b-ae56-9c5424e76798
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -55,11 +55,11 @@ The following table lists the actual and effective default policy values. Defaul
| Default Domain Policy | Not Defined |
| Default Domain Controller Policy | Not Defined |
| Domain Controller Local Security Policy | Administrators |
-| Stand-Alone Server Default Settings | Administrators
Remote Desktop Users |
-| Domain Controller Effective Default Settings | Administrators |
+| Stand-Alone Server Default Settings | Administrators
Remote Desktop Users |
+| Domain Controller Effective Default Settings | Administrators |
| Member Server Effective Default Settings | Administrators
Remote Desktop Users |
| Client Computer Effective Default Settings | Administrators
Remote Desktop Users |
-
+
## Policy management
This section describes different features and tools available to help you manage this policy.
@@ -96,7 +96,7 @@ Any account with the **Allow log on through Remote Desktop Services** user right
For domain controllers, assign the **Allow log on through Remote Desktop Services** user right only to the Administrators group. For other server roles and devices, add the Remote Desktop Users group. For servers that have the Remote Desktop (RD) Session Host role service enabled and don't run in Application Server mode, ensure that only authorized IT personnel who must manage the computers remotely belong to these groups.
> **Caution:** For RD Session Host servers that run in Application Server mode, ensure that only users who require access to the server have accounts that belong to the Remote Desktop Users group because this built-in group has this logon right by default.
-
+
Alternatively, you can assign the **Deny log on through Remote Desktop Services** user right to groups such as Account Operators, Server Operators, and Guests. However, be careful when you use this method because you could block access to legitimate administrators who also belong to a group that has the **Deny log on through Remote Desktop Services** user right.
### Potential impact
@@ -106,5 +106,5 @@ Removal of the **Allow log on through Remote Desktop Services** user right from
## Related topics
- [User Rights Assignment](user-rights-assignment.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
index 5957adf4ab..25ef7bc3d6 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
@@ -1,8 +1,8 @@
---
-title: Audit the access of global system objects
+title: Audit the access of global system objects
description: Describes the best practices, location, values, and security considerations for the audit of the access to global system objects security policy setting.
ms.assetid: 20d40a79-ce89-45e6-9bb4-148f83958460
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -54,13 +54,13 @@ The following table lists the actual and effective default values for this polic
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default Domain Policy | Not defined |
-| Default Domain Controller Policy | Not defined |
-| Stand-Alone Server Default Settings | Disabled |
-| DC Effective Default Settings | Disabled |
-| Member Server Effective Default Settings | Disabled |
-| Client Computer Effective Default Settings | Disabled |
-
+| Default Domain Policy | Not defined |
+| Default Domain Controller Policy | Not defined |
+| Stand-Alone Server Default Settings | Disabled |
+| DC Effective Default Settings | Disabled |
+| Member Server Effective Default Settings | Disabled |
+| Client Computer Effective Default Settings | Disabled |
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -86,22 +86,22 @@ If the [Audit Kernel Object](../auditing/audit-kernel-object.md) setting is conf
| Event ID | Event message |
| - | - |
-| 4659 | A handle to an object was requested with intent to delete. |
-| 4660 | An object was deleted. |
-| 4661 | A handle to an object was requested. |
-| 4663 | An attempt was made to access an object. |
-
+| 4659 | A handle to an object was requested with intent to delete. |
+| 4660 | An object was deleted. |
+| 4661 | A handle to an object was requested. |
+| 4663 | An attempt was made to access an object. |
+
If the [Audit Object Access](../auditing/basic-audit-object-access.md) setting is configured, the following events are generated:
| Event ID | Event message |
| - | - |
-| 560 | Access was granted to an already existing object. |
-| 562 | A handle to an object was closed. |
+| 560 | Access was granted to an already existing object. |
+| 562 | A handle to an object was closed. |
| 563 | An attempt was made to open an object with the intent to delete it.
**Note:** This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile() |
| 564 | A protected object was deleted. |
-| 565 | Access was granted to an already existing object type. |
+| 565 | Access was granted to an already existing object type. |
| 567 | A permission associated with a handle was used.
**Note:** A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. |
-| 569 | The resource manager in Authorization Manager attempted to create a client context. |
+| 569 | The resource manager in Authorization Manager attempted to create a client context. |
| 570 | A client attempted to access an object.
**Note:** An event will be generated for every attempted operation on the object. |
## Security considerations
diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md
index 7d38765755..011e035679 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md
@@ -2,7 +2,7 @@
title: "Audit: Audit the use of Backup and Restore privilege (Windows 10)"
description: "Describes the best practices, location, values, and security considerations for the 'Audit: Audit the use of Backup and Restore privilege' security policy setting."
ms.assetid: f656a2bb-e8d6-447b-8902-53df3a7756c5
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/01/2019
ms.technology: itpro-security
---
@@ -51,11 +51,11 @@ The following table lists the actual and effective default values for this polic
| - | - |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined |
-| Stand-Alone Server Default Settings | Disabled |
-| DC Effective Default Settings | Disabled |
-| Member Server Effective Default Settings | Disabled |
-| Client Computer Effective Default Settings | Disabled |
-
+| Stand-Alone Server Default Settings | Disabled |
+| DC Effective Default Settings | Disabled |
+| Member Server Effective Default Settings | Disabled |
+| Client Computer Effective Default Settings | Disabled |
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -92,4 +92,4 @@ If you enable this policy setting, a large number of security events could be ge
## Related topics
- [Security Options](security-options.md)
-
+
diff --git a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
index 5caf39e495..663cfb1d30 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
@@ -1,8 +1,8 @@
---
-title: Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
+title: Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
description: Learn more about the security policy setting, Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
ms.assetid: 8ddc06bc-b6d6-4bac-9051-e0d77035bd4e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -51,12 +51,12 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined |
-| Default Domain Controller Policy | Not defined |
+| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings | Enabled |
| DC Effective Default Settings | Enabled |
-| Member Server Effective Default Settings | Enabled |
-| Client Computer Effective Default Settings | Enabled |
-
+| Member Server Effective Default Settings | Enabled |
+| Client Computer Effective Default Settings | Enabled |
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -93,12 +93,12 @@ Enable audit policy subcategories as needed to track specific events.
### Potential impacts
-If you attempt to modify an audit setting by using Group Policy after enabling this setting through the command-line tools, the Group Policy audit setting is ignored in favor of the custom policy setting. To modify audit settings by using Group Policy, you must first disable the
+If you attempt to modify an audit setting by using Group Policy after enabling this setting through the command-line tools, the Group Policy audit setting is ignored in favor of the custom policy setting. To modify audit settings by using Group Policy, you must first disable the
**SCENoApplyLegacyAuditPolicy** key.
> **Important:** Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events that are generated can make it difficult to find other types of entries in the security event log. Such a configuration could also have a significant impact on system performance.
-
+
## Related topics
- [Security Options](security-options.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/audit-policy.md b/windows/security/threat-protection/security-policy-settings/audit-policy.md
index a542276f2e..bf27ff18aa 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-policy.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-policy.md
@@ -1,8 +1,8 @@
---
-title: Audit Policy
+title: Audit Policy
description: Provides information about basic audit policies that are available in Windows and links to information about each setting.
ms.assetid: 2e8ea400-e555-43e5-89d6-0898cb89da90
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
index 61bd4aecfc..da06353caf 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
@@ -1,8 +1,8 @@
---
-title: Audit Shut down system immediately if unable to log security audits
+title: Audit Shut down system immediately if unable to log security audits
description: Best practices, security considerations, and more for the security policy setting, Audit Shut down system immediately if unable to log security audits.
ms.assetid: 2cd23cd9-0e44-4d0b-a1f1-39fc29303826
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -57,13 +57,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined
-| Default Domain Controller Policy | Not defined
-| Stand-Alone Server Default Settings | Disabled
-| DC Effective Default Settings | Disabled
-| Member Server Effective Default Settings | Disabled
-| Client Computer Effective Default Settings | Disabled
-
+| Default Domain Policy | Not defined
+| Default Domain Controller Policy | Not defined
+| Stand-Alone Server Default Settings | Disabled
+| DC Effective Default Settings | Disabled
+| Member Server Effective Default Settings | Disabled
+| Client Computer Effective Default Settings | Disabled
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -96,5 +96,5 @@ If you enable this policy setting, the administrative burden can be significant,
## Related topics
- [Security Options](security-options.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md
index 40d4bdfda2..3bd99b5590 100644
--- a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md
+++ b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md
@@ -1,8 +1,8 @@
---
-title: Back up files and directories - security policy setting
+title: Back up files and directories - security policy setting
description: Describes the recommended practices, location, values, policy management, and security considerations for the Back up files and directories security policy setting.
ms.assetid: 1cd6bdd5-1501-41f4-98b9-acf29ac173ae
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -78,7 +78,7 @@ The following table lists the actual and effective default policy values for the
| Domain Controller Effective Default Settings | Administrators
Backup Operators
Server Operators|
| Member Server Effective Default Settings | Administrators
Backup Operators|
| Client Computer Effective Default Settings | Administrators
Backup Operators|
-
+
## Policy management
A restart of the device isn't required for this policy setting to be effective.
@@ -115,5 +115,5 @@ Changes in the membership of the groups that have the user right to back up file
## Related topics
- [User Rights Assignment](user-rights-assignment.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md
index 6f06c8e9a2..f4a8745518 100644
--- a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md
+++ b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md
@@ -1,8 +1,8 @@
---
-title: Bypass traverse checking
+title: Bypass traverse checking
description: Describes the best practices, location, values, policy management, and security considerations for the Bypass traverse checking security policy setting.
ms.assetid: 1c828655-68d3-4140-aa0f-caa903a7087e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not Defined |
-| Default Domain Controller Policy | Administrators
Authenticated Users
Everyone
Local Service
Network Service
Pre-Windows 2000 Compatible Access|
-| Stand-Alone Server Default Settings | Administrators
Backup Operators
Users
Everyone
Local Service
Network Service|
-| Domain Controller Effective Default Settings | Administrators
Authenticated Users
Everyone
Local Service
Network Service
Pre-Windows 2000 Compatible Access|
-| Member Server Effective Default Settings | Administrators
Backup Operators
Users
Everyone
Local Service
Network Service|
-| Client Computer Effective Default Settings | Administrators
Backup Operators
Users
Everyone
Local Service
Network Service|
-
+| Default Domain Policy| Not Defined |
+| Default Domain Controller Policy | Administrators
Authenticated Users
Everyone
Local Service
Network Service
Pre-Windows 2000 Compatible Access|
+| Stand-Alone Server Default Settings | Administrators
Backup Operators
Users
Everyone
Local Service
Network Service|
+| Domain Controller Effective Default Settings | Administrators
Authenticated Users
Everyone
Local Service
Network Service
Pre-Windows 2000 Compatible Access|
+| Member Server Effective Default Settings | Administrators
Backup Operators
Users
Everyone
Local Service
Network Service|
+| Client Computer Effective Default Settings | Administrators
Backup Operators
Users
Everyone
Local Service
Network Service|
+
## Policy management
Permissions to files and folders are controlled through the appropriate configuration of file system access control lists (ACLs). The ability to traverse the folder doesn't provide any Read or Write permissions to the user.
@@ -98,4 +98,4 @@ The Windows operating systems and many applications were designed with the expec
## Related topics
- [User Rights Assignment](user-rights-assignment.md)
-
+
diff --git a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md
index e09a09a6bb..d985a6eaf9 100644
--- a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md
+++ b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md
@@ -1,8 +1,8 @@
---
-title: Change the system time - security policy setting
+title: Change the system time - security policy setting
description: Describes the best practices, location, values, policy management, and security considerations for the Change the system time security policy setting.
ms.assetid: f2f6637d-acbc-4352-8ca3-ec563f918e65
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not Defined |
+| Default Domain Policy| Not Defined |
| Default Domain Controller Policy | Administrators
Server Operators
Local Service|
| Stand-Alone Server Default Settings | Administrators
Local Service|
-| DC Effective Default Settings | Administrators
Server Operators
Local Service|
+| DC Effective Default Settings | Administrators
Server Operators
Local Service|
| Member Server Effective Default Settings | Administrators
Local Service|
-| Client Computer Effective Default Settings | Administrators
Local Service|
-
+| Client Computer Effective Default Settings | Administrators
Local Service|
+
## Policy management
This section describes features, tools and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md b/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md
index dffd58d25b..3ac7b50a9c 100644
--- a/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md
+++ b/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md
@@ -1,8 +1,8 @@
---
-title: Change the time zone - security policy setting
+title: Change the time zone - security policy setting
description: Describes the best practices, location, values, policy management, and security considerations for the Change the time zone security policy setting.
ms.assetid: 3b1afae4-68bb-472f-a43e-49e300d73e50
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -50,13 +50,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not Defined|
-| Default Domain Controller Policy | Administrators
Users|
-| Stand-Alone Server Default Settings | Administrators
Users|
-| Domain Controller Effective Default Settings | Administrators
Users|
-| Member Server Effective Default Settings | Administrators
Users|
-| Client Computer Effective Default Settings | Administrators
Users|
-
+| Default Domain Policy| Not Defined|
+| Default Domain Controller Policy | Administrators
Users|
+| Stand-Alone Server Default Settings | Administrators
Users|
+| Domain Controller Effective Default Settings | Administrators
Users|
+| Member Server Effective Default Settings | Administrators
Users|
+| Client Computer Effective Default Settings | Administrators
Users|
+
## Policy management
A restart of the device is not required for this policy setting to be effective.
diff --git a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md
index 0a179de698..a28a19a33f 100644
--- a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md
+++ b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md
@@ -1,8 +1,8 @@
---
-title: Create a pagefile - security policy setting
+title: Create a pagefile - security policy setting
description: Describes the best practices, location, values, policy management, and security considerations for the Create a pagefile security policy setting.
ms.assetid: dc087897-459d-414b-abe0-cd86c8dccdea
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -54,13 +54,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Administrators |
-| Default Domain Controller Policy | Administrators |
-| Stand-Alone Server Default Settings | Administrators |
-| Domain Controller Effective Default Settings | Administrators |
-| Member Server Effective Default Settings | Administrators |
-| Client Computer Effective Default Settings | Administrators |
-
+| Default Domain Policy | Administrators |
+| Default Domain Controller Policy | Administrators |
+| Stand-Alone Server Default Settings | Administrators |
+| Domain Controller Effective Default Settings | Administrators |
+| Member Server Effective Default Settings | Administrators |
+| Client Computer Effective Default Settings | Administrators |
+
## Policy management
A restart of the device isn't required for this policy setting to be effective.
diff --git a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md
index 90c8d547a4..6c50cc0ce0 100644
--- a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md
+++ b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md
@@ -1,8 +1,8 @@
---
-title: Create a token object
+title: Create a token object
description: Describes the best practices, location, values, policy management, and security considerations for the Create a token object security policy setting.
ms.assetid: bfbf52fc-6ba4-442a-9df7-bd277e55729c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -54,13 +54,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not Defined |
-| Default Domain Controller Policy | Not Defined |
-| Stand-Alone Server Default Settings | Not Defined |
-| Domain Controller Effective Default Settings | Local System |
-| Member Server Effective Default Settings | Local System |
-| Client Computer Effective Default Settings | Local System |
-
+| Default Domain Policy | Not Defined |
+| Default Domain Controller Policy | Not Defined |
+| Stand-Alone Server Default Settings | Not Defined |
+| Domain Controller Effective Default Settings | Local System |
+| Member Server Effective Default Settings | Local System |
+| Client Computer Effective Default Settings | Local System |
+
## Policy management
A restart of the device isn't required for this policy setting to be effective.
@@ -85,7 +85,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
>**Caution:** A user account that is given this user right has complete control over the system, and it can lead to the system being compromised. We highly recommend that you do not assign this right to any user accounts.
-
+
Windows examines a user's access token to determine the level of the user's privileges. Access tokens are built when users sign in to the local device or connect to a remote device over a network. When you revoke a privilege, the change is immediately recorded, but the change isn't reflected in the user's access token until the next time the user logs on or connects. Users with the ability to create or modify tokens can change the level of access for any account on a computer if they're currently logged on. They could escalate their privileges or create a DoS condition.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/create-global-objects.md b/windows/security/threat-protection/security-policy-settings/create-global-objects.md
index 748588c0e1..18fb5d25ad 100644
--- a/windows/security/threat-protection/security-policy-settings/create-global-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/create-global-objects.md
@@ -1,8 +1,8 @@
---
-title: Create global objects
+title: Create global objects
description: Describes the best practices, location, values, policy management, and security considerations for the Create global objects security policy setting.
ms.assetid: 9cb6247b-44fc-4815-86f2-cb59b6f0221e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -54,13 +54,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not Defined |
-| Default Domain Controller Policy | Administrators
Local Service
Network Service
Service|
-| Stand-Alone Server Default Settings | Administrators
Local Service
Network Service
Service|
-| Domain Controller Effective Default Settings | Administrators
Local Service
Network Service
Service|
-| Member Server Effective Default Settings | Administrators
Local Service
Network Service
Service|
-| Client Computer Effective Default Settings | Administrators
Local Service
Network Service
Service|
-
+| Default Domain Policy | Not Defined |
+| Default Domain Controller Policy | Administrators
Local Service
Network Service
Service|
+| Stand-Alone Server Default Settings | Administrators
Local Service
Network Service
Service|
+| Domain Controller Effective Default Settings | Administrators
Local Service
Network Service
Service|
+| Member Server Effective Default Settings | Administrators
Local Service
Network Service
Service|
+| Client Computer Effective Default Settings | Administrators
Local Service
Network Service
Service|
+
## Policy management
A restart of the device isn't required for this policy setting to take effect.
@@ -86,7 +86,7 @@ This section describes how an attacker might exploit a feature or its configurat
The **Create global objects** user right is required for a user account to create global objects in Remote Desktop sessions. Users can still create session-specfic objects without being assigned this user right. Assigning this right can be a security risk.
-By default, members of the **Administrators** group, the System account, and services that are started by the Service Control Manager are assigned the **Create global objects** user right. Users who are added to the **Remote Desktop Users** group also have this user right.
+By default, members of the **Administrators** group, the System account, and services that are started by the Service Control Manager are assigned the **Create global objects** user right. Users who are added to the **Remote Desktop Users** group also have this user right.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md b/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md
index 29994f1b96..e5d58fc80d 100644
--- a/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md
@@ -1,8 +1,8 @@
---
-title: Create permanent shared objects
+title: Create permanent shared objects
description: Describes the best practices, location, values, policy management, and security considerations for the Create permanent shared objects security policy setting.
ms.assetid: 6a58438d-65ca-4c4a-a584-450eed976649
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not Defined|
-| Default Domain Controller Policy | Not Defined |
-| Stand-Alone Server Default Settings | Not Defined|
-| Domain Controller Effective Default Settings | **LocalSystem**|
-| Member Server Effective Default Settings | **LocalSystem**|
-| Client Computer Effective Default Settings | **LocalSystem**|
-
+| Default Domain Policy | Not Defined|
+| Default Domain Controller Policy | Not Defined |
+| Stand-Alone Server Default Settings | Not Defined|
+| Domain Controller Effective Default Settings | **LocalSystem**|
+| Member Server Effective Default Settings | **LocalSystem**|
+| Client Computer Effective Default Settings | **LocalSystem**|
+
## Policy management
This section describes different features and tools available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md
index e728e58567..970e2ddfd7 100644
--- a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md
+++ b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md
@@ -1,8 +1,8 @@
---
-title: Create symbolic links
+title: Create symbolic links
description: Describes the best practices, location, values, policy management, and security considerations for the Create symbolic links security policy setting.
ms.assetid: 882922b9-0ff8-4ee9-8afc-4475515ee3fd
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -57,13 +57,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not Defined|
-| Default Domain Controller Policy | Not Defined|
-| Stand-Alone Server Default Settings | Not Defined|
-| Domain Controller Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Administrators|
-
+| Default Domain Policy | Not Defined|
+| Default Domain Controller Policy | Not Defined|
+| Stand-Alone Server Default Settings | Not Defined|
+| Domain Controller Effective Default Settings | Administrators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings | Administrators|
+
## Policy management
This section describes different features and tools available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
index 03d85f19cb..6426a749bf 100644
--- a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
+++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
@@ -1,8 +1,8 @@
---
-title: DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
+title: DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
description: Learn about best practices and more for the syntax policy setting, DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL).
ms.assetid: 0fe3521a-5252-44df-8a47-8d92cf936e7c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -55,12 +55,12 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value
| - | - |
| Default Domain Policy | Blank |
-| Default Domain Controller Policy | Blank |
-| Stand-Alone Server Default Settings | Blank |
-| DC Effective Default Settings | Not defined |
-| Member Server Effective Default Settings | Not defined |
-| Client Computer Effective Default Settings | Not defined |
-
+| Default Domain Controller Policy | Blank |
+| Stand-Alone Server Default Settings | Blank |
+| DC Effective Default Settings | Not defined |
+| Member Server Effective Default Settings | Not defined |
+| Client Computer Effective Default Settings | Not defined |
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -72,7 +72,7 @@ None. Changes to this policy become effective without a computer restart when th
The registry settings that are created as a result of enabling the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting take precedence over the previous registry settings when this policy setting was configured. The Remote Procedure Call (RPC) service checks the new registry keys in the Policies section for the computer restrictions, and these registry entries take precedence over the existing registry keys under OLE. This precedence means that previously existing registry settings are no longer effective, and if you make changes to the existing settings, device access permissions for users aren't changed. Use care in configuring the list of users and groups.
-If the administrator is denied permission to access DCOM applications due to the changes made to DCOM in the Windows operating system, the administrator can use the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting to manage DCOM access to the computer. The administrator can use this setting to specify which users and groups can access the DCOM application on the computer locally and remotely. This setting will restore control of the DCOM application to the administrator and users. To define this setting, open the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click
+If the administrator is denied permission to access DCOM applications due to the changes made to DCOM in the Windows operating system, the administrator can use the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting to manage DCOM access to the computer. The administrator can use this setting to specify which users and groups can access the DCOM application on the computer locally and remotely. This setting will restore control of the DCOM application to the administrator and users. To define this setting, open the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click
**Edit Security**. Specify the users or groups you want to include and the computer access permissions for those users or groups. This information defines the setting and sets the appropriate SDDL value.
## Security considerations
@@ -96,5 +96,5 @@ Windows implements default COM ACLs when they're installed. Modifying these ACLs
## Related topics
- [Security Options](security-options.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
index d4c07f3415..5accd3bbbc 100644
--- a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
+++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
@@ -1,8 +1,8 @@
---
-title: DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
+title: DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
description: Best practices and more for the security policy setting, DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax.
ms.assetid: 4b95d45f-dd62-4c34-ba32-43954528dabe
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -30,7 +30,7 @@ Describes the best practices, location, values, and security considerations for
This policy setting is similar to the [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md) setting in that it allows you to define more computer-wide controls that govern access to all DCOM–based applications on a device. However, the ACLs that are specified in this policy setting control local and remote COM launch requests (not access requests) on the device. A simple way to think about this access control is as an extra access check that is performed against a device-wide ACL on each launch of any COM-based server. If the access check fails, the call, activation, or launch request is denied. (This check is in addition to any access check that is run against the server-specific ACLs.) In effect, it provides a minimum authorization standard that must be passed to launch any COM-based server. The DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting differs in that it provides a minimum access check that is applied to attempts to access an already launched COM-based server.
These device-wide ACLs provide a way to override weak security settings that are specified by an application through CoInitializeSecurity or application-specific security settings. They provide a minimum security standard that must be passed, regardless of the settings of the specific COM-based server. These ACLs provide a centralized location for an administrator to set a general authorization policy that applies to all COM-based servers.
-The **DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax** setting allows you to specify an ACL in two ways. You can type the security descriptor in SDDL, or you can grant or deny Local
+The **DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax** setting allows you to specify an ACL in two ways. You can type the security descriptor in SDDL, or you can grant or deny Local
Access and Remote Access permissions to users and groups. We recommend that you use the built-in user interface to specify the ACL contents that you want to apply with this setting. The default ACL settings vary, depending on the version of Windows you're running.
### Possible values
@@ -53,13 +53,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Blank |
-| Default Domain Controller Policy | Blank|
-| Stand-Alone Server Default Settings |Blank |
-| DC Effective Default Settings | Not defined|
-| Member Server Effective Default Settings | Not defined |
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy | Blank |
+| Default Domain Controller Policy | Blank|
+| Stand-Alone Server Default Settings |Blank |
+| DC Effective Default Settings | Not defined|
+| Member Server Effective Default Settings | Not defined |
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/debug-programs.md b/windows/security/threat-protection/security-policy-settings/debug-programs.md
index d5058a6e3f..c65db98a6f 100644
--- a/windows/security/threat-protection/security-policy-settings/debug-programs.md
+++ b/windows/security/threat-protection/security-policy-settings/debug-programs.md
@@ -1,8 +1,8 @@
---
-title: Debug programs
+title: Debug programs
description: Describes the best practices, location, values, policy management, and security considerations for the Debug programs security policy setting.
ms.assetid: 594d9f2c-8ffc-444b-9522-75615ec87786
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Administrators |
-| Stand-Alone Server Default Settings | Administrators |
-| Domain Controller Effective Default Settings | Administrators |
-| Member Server Effective Default Settings | Administrators |
-| Client Computer Effective Default Settings | Administrators |
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Administrators |
+| Stand-Alone Server Default Settings | Administrators |
+| Domain Controller Effective Default Settings | Administrators |
+| Member Server Effective Default Settings | Administrators |
+| Client Computer Effective Default Settings | Administrators |
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -84,7 +84,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-The **Debug programs** user right can be exploited to capture sensitive device information from system memory or to access and modify kernel or application structures. Some attack tools exploit this user right to extract hashed passwords and other private security information or to insert malware.
+The **Debug programs** user right can be exploited to capture sensitive device information from system memory or to access and modify kernel or application structures. Some attack tools exploit this user right to extract hashed passwords and other private security information or to insert malware.
By default, the **Debug programs** user right is assigned only to administrators, which helps mitigate risk from this vulnerability.
### Countermeasure
@@ -93,7 +93,7 @@ Remove the accounts of all users and groups that do not require the **Debug prog
### Potential impact
-If you revoke this user right, no one can debug programs. However, typical circumstances rarely require this capability on production devices. If an issue arises that requires an application to be debugged on a production server, you can move the server to a different organizational unit (OU)
+If you revoke this user right, no one can debug programs. However, typical circumstances rarely require this capability on production devices. If an issue arises that requires an application to be debugged on a production server, you can move the server to a different organizational unit (OU)
temporarily and assign the **Debug programs** user right to a separate Group Policy for that OU.
## Related topics
diff --git a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
index b069fd1da1..09c0633dea 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
@@ -1,8 +1,8 @@
---
-title: Deny access to this computer from the network
+title: Deny access to this computer from the network
description: Best practices, location, values, policy management, and security considerations for the Deny access to this computer from the network security policy setting.
ms.assetid: 935e9f89-951b-4163-b186-fc325682bb0b
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 05/19/2021
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md
index 42bdc8d2a2..c4bc52c008 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md
@@ -1,8 +1,8 @@
---
-title: Deny log on as a batch job
+title: Deny log on as a batch job
description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on as a batch job security policy setting.
ms.assetid: 0ac36ebd-5e28-4b6a-9b4e-8924c6ecf44b
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined |
-| Stand-Alone Server Default Settings | Not defined |
-| Domain Controller Effective Default Settings | Not defined |
-| Member Server Effective Default Settings | Not defined |
-| Client Computer Effective Default Settings | Not defined |
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined |
+| Stand-Alone Server Default Settings | Not defined |
+| Domain Controller Effective Default Settings | Not defined |
+| Member Server Effective Default Settings | Not defined |
+| Client Computer Effective Default Settings | Not defined |
+
## Policy management
This section describes features and tools available to help you manage this policy.
@@ -73,7 +73,7 @@ This policy setting might conflict with and negate the **Log on as a batch job**
On a domain-joined device, including the domain controller, this policy can be overwritten by a domain policy, which will prevent you from modifying the local policy setting.
-For example, to configure Task Scheduler on your domain controller, check the Settings tab of your two domain controller policy and domain policy GPOs in the Group Policy Management Console (GPMC). Verify the targeted account isn't present in the **Deny log on as a batch job** setting.
+For example, to configure Task Scheduler on your domain controller, check the Settings tab of your two domain controller policy and domain policy GPOs in the Group Policy Management Console (GPMC). Verify the targeted account isn't present in the **Deny log on as a batch job** setting.
User Rights Assignment and also correctly configured in the **Log on as a batch job** setting.
diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md
index 8e61df03d2..7bdd2075ca 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md
@@ -1,8 +1,8 @@
---
-title: Deny log on as a service
+title: Deny log on as a service
description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on as a service security policy setting.
ms.assetid: f1114964-df86-4278-9b11-e35c66949794
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined |
-| Domain Controller Effective Default Settings | Not defined |
-| Member Server Effective Default Settings | Not defined |
-| Client Computer Effective Default Settings | Not defined |
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined |
+| Domain Controller Effective Default Settings | Not defined |
+| Member Server Effective Default Settings | Not defined |
+| Client Computer Effective Default Settings | Not defined |
+
## Policy management
This section describes features and tools available to help you manage this policy.
@@ -89,7 +89,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-Accounts that can sign in to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. The benefit of the specified countermeasure is reduced by the fact that only users with administrative rights can install and configure
+Accounts that can sign in to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. The benefit of the specified countermeasure is reduced by the fact that only users with administrative rights can install and configure
services, and an attacker who already has that level of access could configure the service to run by using the System account.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md
index 8cc1881127..263496c85d 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md
@@ -1,8 +1,8 @@
---
-title: Deny log on locally
+title: Deny log on locally
description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on locally security policy setting.
ms.assetid: 00150e88-ec9c-43e1-a70d-33bfe10434db
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -51,13 +51,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined |
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| Domain Controller Effective Default Settings | Not defined|
-| Member Server Effective Default Settings | Not defined|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy | Not defined |
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| Domain Controller Effective Default Settings | Not defined|
+| Member Server Effective Default Settings | Not defined|
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md
index 6a3f748155..24e896eb79 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md
@@ -1,8 +1,8 @@
---
-title: Deny log on through Remote Desktop Services
+title: Deny log on through Remote Desktop Services
description: Best practices, location, values, policy management, and security considerations for the security policy setting, Deny log on through Remote Desktop Services.
ms.assetid: 84bbb807-287c-4acc-a094-cf0ffdcbca67
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -51,12 +51,12 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined |
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| Domain Controller Effective Default Settings | Not defined|
-| Member Server Effective Default Settings | Not defined|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| Domain Controller Effective Default Settings | Not defined|
+| Member Server Effective Default Settings | Not defined|
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md
index c0ec06ad12..abbf2b5679 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md
@@ -1,8 +1,8 @@
---
-title: Devices Allow undock without having to log on
+title: Devices Allow undock without having to log on
description: Describes the best practices, location, values, and security considerations for the Devices Allow undock without having to sign in security policy setting.
ms.assetid: 1d403f5d-ad41-4bb4-9f4a-0779c1c14b8c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -30,7 +30,7 @@ Describes the best practices, location, values, and security considerations for
This policy setting enables or disables the ability of a user to remove a portable device from a docking station without logging on. If you enable this policy setting, users can press a docked portable device's physical eject button to safely undock the device. If you disable this policy setting, the user must sign in to receive permission to undock the device. Only users who have the **Remove Computer from Docking Station** privilege can obtain this permission.
>**Note:** Disabling this policy setting only reduces theft risk for portable devices that cannot be mechanically undocked. Devices that can be mechanically undocked can be physically removed by the user whether or not they use the Windows undocking functionality.
-
+
Enabling this policy setting means that anyone with physical access to a device that has been placed in its docking station can remove the computer and possibly tamper with it. For devices that don't have docking stations, this policy setting has no impact. However, for users with a mobile computer that is normally docked while they are in the office, this policy setting will help lower the risk of equipment theft or a malicious user gaining physical access to these devices
### Possible values
@@ -53,13 +53,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined |
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings | Enabled|
-| Client Computer Effective Default Settings| Enabled|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined |
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings | Enabled|
+| Client Computer Effective Default Settings| Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md
index c27928a04e..c2b35adf67 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md
@@ -1,8 +1,8 @@
---
-title: Devices Allowed to format and eject removable media
+title: Devices Allowed to format and eject removable media
description: Describes the best practices, location, values, and security considerations for the Devices Allowed to format and eject removable media security policy setting.
ms.assetid: d1b42425-7244-4ab1-9d46-d68de823459c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Administrators|
-| DC Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Administrators|
+| DC Effective Default Settings | Administrators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -73,7 +73,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-Users could move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices eject media when a mechanical button
+Users could move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices eject media when a mechanical button
is pressed diminishes the advantage of this policy setting.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md
index 40487ac65b..9a909d447c 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md
@@ -1,8 +1,8 @@
---
-title: Devices Prevent users from installing printer drivers
+title: Devices Prevent users from installing printer drivers
description: Describes the best practices, location, values, and security considerations for the Devices Prevent users from installing printer drivers security policy setting.
ms.assetid: ab70a122-f7f9-47e0-ad8c-541f30a27ec3
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 01/05/2022
ms.technology: itpro-security
---
@@ -44,7 +44,7 @@ Although it might be appropriate in some organizations to allow users to install
- It's advisable to set **Devices: Prevent users from installing printer drivers** to Enabled. Only users in the Administrative, Power User, or Server Operator groups will be able to install printers on servers. If this policy setting is enabled, but the driver for a network printer already exists on the local computer, users can still add the network printer. This policy setting doesn't affect a user's ability to add a local printer.
> [!NOTE]
-> After applying the [July 6, 2021 updates](https://support.microsoft.com/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7), non-administrators, including delegated admin groups like printer operators, cannot install signed and unsigned printer drivers to a print server. By default, only administrators can install both signed and unsigned printer drivers to a print server.
+> After applying the [July 6, 2021 updates](https://support.microsoft.com/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7), non-administrators, including delegated admin groups like printer operators, cannot install signed and unsigned printer drivers to a print server. By default, only administrators can install both signed and unsigned printer drivers to a print server.
### Location
@@ -56,13 +56,13 @@ The following table lists the actual and effective default values for this polic
Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings | Enabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings | Enabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -77,7 +77,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only administrators, not users, to do so on servers because printer driver installation on a server may unintentionally cause the computer to become less
+It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only administrators, not users, to do so on servers because printer driver installation on a server may unintentionally cause the computer to become less
stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
index 2f3acd5122..30a9097f46 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
@@ -1,8 +1,8 @@
---
-title: Restrict CD-ROM access to locally logged-on user
+title: Restrict CD-ROM access to locally logged-on user
description: Describes the best practices, location, values, and security considerations for the Devices Restrict CD-ROM access to locally logged-on user only security policy setting.
ms.assetid: 8b8f44bb-84ce-4f18-af30-ab89910e234d
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -54,13 +54,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined |
-| Default Domain Controller Policy | Not defined |
-| Stand-Alone Server Default Settings | Disabled |
-| DC Effective Default Settings | Disabled |
-| Member Server Effective Default Settings | Disabled |
-| Client Computer Effective Default Settings | Disabled |
-
+| Default Domain Policy | Not defined |
+| Default Domain Controller Policy | Not defined |
+| Stand-Alone Server Default Settings | Disabled |
+| DC Effective Default Settings | Disabled |
+| Member Server Effective Default Settings | Disabled |
+| Client Computer Effective Default Settings | Disabled |
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -75,7 +75,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-A remote user could potentially access a mounted CD that contains sensitive information. This risk is small because CD drives aren't automatically made available as shared drives; you must deliberately choose to share the drive. However, you can deny network users the ability to view data or run
+A remote user could potentially access a mounted CD that contains sensitive information. This risk is small because CD drives aren't automatically made available as shared drives; you must deliberately choose to share the drive. However, you can deny network users the ability to view data or run
applications from removable media on the server.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md
index 511ccc907f..0a4d6c2250 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md
@@ -1,8 +1,8 @@
---
-title: Devices Restrict floppy access to locally logged-on user only
+title: Devices Restrict floppy access to locally logged-on user only
description: Describes the best practices, location, values, and security considerations for the Devices Restrict floppy access to locally logged-on user only security policy setting.
ms.assetid: 92997910-da95-4c03-ae6f-832915423898
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md
index 28361156ef..8d5b95d46a 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md
@@ -1,13 +1,13 @@
---
title: Domain controller Allow server operators to schedule tasks
description: Describes the best practices, location, values, and security considerations for the Domain controller Allow server operators to schedule tasks security policy setting.
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -24,7 +24,7 @@ Describes the best practices, location, values, and security considerations for
This policy setting determines whether server operators can use the **at** command to submit jobs. If you enable this policy setting, jobs that are created by server operators by means of the **at** command run in the context of the account that runs the Task Scheduler service. By default, that account is the Local System account.
>**Note:** This security option setting affects only the scheduler tool for the **at** command. It does not affect the Task Scheduler tool.
-
+
Enabling this policy setting means jobs that are created by server operators through the **at** command will be executed in the context of the account that is running that service—by default, that is, the Local System account. This synchronization with the local account means that server operators can perform tasks that the Local System account is able to do, but server operators would normally not be able to do, such as add their account to the local Administrators group.
The impact of enabling this policy setting should be small for most organizations. Users, including those users in the Server Operators group, will still be able to create jobs by using the Task Scheduler Wizard, but those jobs will run in the context of the account that the user authenticates with when setting up the job.
@@ -49,13 +49,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined |
-| Stand-Alone Server Default Settings | Not defined|
-| DC Effective Default Settings | Not defined|
-| Member Server Effective Default Settings | Not defined|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined |
+| Stand-Alone Server Default Settings | Not defined|
+| DC Effective Default Settings | Not defined|
+| Member Server Effective Default Settings | Not defined|
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md
index 24614ad5c4..af6812e273 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md
@@ -7,7 +7,7 @@ ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/26/2023
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md
index 39803ce695..0745e54ec3 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md
@@ -1,13 +1,13 @@
---
title: Domain controller LDAP server signing requirements
description: Describes the best practices, location, values, and security considerations for the Domain controller LDAP server signing requirements security policy setting.
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -30,7 +30,7 @@ This setting doesn't have any impact on LDAP simple bind through SSL (LDAP TCP/6
If signing is required, then LDAP simple binds not using SSL are rejected (LDAP TCP/389).
>**Caution:** If you set the server to Require signature, you must also set the client device. Not setting the client device results in loss of connection with the server.
-
+
### Possible values
- None. Data signatures aren't required to bind with the server. If the client computer requests data signing, the server supports it.
@@ -51,13 +51,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| DC Effective Default Settings | None|
-| Member Server Effective Default Settings | None|
-| Client Computer Effective Default Settings | None|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| DC Effective Default Settings | None|
+| Member Server Effective Default Settings | None|
+| Client Computer Effective Default Settings | None|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
index 63d863c555..dcc3e3be66 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
@@ -1,13 +1,13 @@
---
title: Refuse machine account password changes policy
description: Describes the best practices, location, values, and security considerations for the Domain controller Refuse machine account password changes security policy setting.
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
ms.technology: itpro-security
ms.date: 12/31/2017
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
|---|---|
-| Default Domain Policy | Not defined |
-| Default Domain Controller Policy | Not defined |
-| Stand-Alone Server Default Settings | Not defined |
-| DC Effective Default Settings | Disabled |
-| Member Server Effective Default Settings | Disabled |
-| Client Computer Effective Default Settings | Not applicable |
-
+| Default Domain Policy | Not defined |
+| Default Domain Controller Policy | Not defined |
+| Stand-Alone Server Default Settings | Not defined |
+| DC Effective Default Settings | Disabled |
+| Member Server Effective Default Settings | Disabled |
+| Client Computer Effective Default Settings | Not applicable |
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
index d918369b03..820c7facca 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
@@ -1,8 +1,8 @@
---
-title: Domain member Digitally encrypt or sign secure channel data (always)
+title: Domain member Digitally encrypt or sign secure channel data (always)
description: Best practices, location, values, and security considerations for the policy setting, Domain member Digitally encrypt or sign secure channel data (always).
ms.assetid: 4480c7cb-adca-4f29-b4b8-06eb68d272bf
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -49,7 +49,7 @@ When a device joins a domain, a machine account is created. After being connecte
- Enabled
- The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This enablement ensures that the domain member attempts to negotiate at least signing of the secure
+ The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This enablement ensures that the domain member attempts to negotiate at least signing of the secure
channel traffic.
- Disabled
@@ -67,7 +67,7 @@ When a device joins a domain, a machine account is created. After being connecte
- Set [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) to **Enabled**.
>**Note:** You can enable the policy settings [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) on all devices in the domain that support these policy settings without affecting earlier-version clients and applications.
-
+
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
@@ -78,13 +78,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Enabled |
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings | Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Enabled |
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings | Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -103,7 +103,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-When a device joins a domain, a machine account is created. After the device is joined with the domain, it uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and
+When a device joins a domain, a machine account is created. After the device is joined with the domain, it uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and
sensitive information such as passwords are encrypted—but the channel isn't integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller can't sign or encrypt any portion of the secure channel data, the computer and domain controller can't establish a secure channel. If the device is configured to encrypt or sign secure channel data, when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md
index c277be4b30..0086d01e2c 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md
@@ -1,8 +1,8 @@
---
-title: Domain member Digitally encrypt secure channel data (when possible)
+title: Domain member Digitally encrypt secure channel data (when possible)
description: Best practices, security considerations, and more for the security policy setting, Domain member Digitally encrypt secure channel data (when possible).
ms.assetid: 73e6023e-0af3-4531-8238-82f0f0e4965b
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -27,7 +27,7 @@ Describes the best practices, location, values, and security considerations for
## Reference
-This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be encrypted. Sign-in information that is transmitted over
+This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be encrypted. Sign-in information that is transmitted over
the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated.
In addition to this policy setting, the following policy settings determine whether a secure channel can be established with a domain controller that isn't capable of signing or encrypting secure channel traffic:
@@ -54,7 +54,7 @@ When a device joins a domain, a machine account is created. After the device is
The domain member won't attempt to negotiate secure channel encryption.
>**Note:** If the security policy setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled, this setting will be overwritten.
-
+
- Not defined
### Best practices
@@ -74,12 +74,12 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Enabled|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Controller Policy | Enabled|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md
index 302edcac50..cadfa2282e 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md
@@ -1,8 +1,8 @@
---
-title: Domain member Digitally sign secure channel data (when possible)
+title: Domain member Digitally sign secure channel data (when possible)
description: Best practices, location, values, and security considerations for the security policy setting, Domain member Digitally sign secure channel data (when possible).
ms.assetid: a643e491-4f45-40ea-b12c-4dbe47e54f34
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -27,7 +27,7 @@ Describes the best practices, location, values, and security considerations for
## Reference
-This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed. Sign-in information that is transmitted over the
+This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed. Sign-in information that is transmitted over the
secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated.
The following policy settings determine whether a secure channel can be established with a domain controller that isn't capable of signing or encrypting secure channel traffic:
@@ -60,7 +60,7 @@ When a device joins a domain, a machine account is created. After the device is
- Set [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) to **Enabled**.
- Set **Domain member: Digitally sign secure channel data (when possible)** to **Enabled**.
>**Note:** You can enable the other two policy settings, Domain member: [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and **Domain member: Digitally sign secure channel data (when possible)**, on all devices joined to the domain that support these policy settings without affecting earlier-version clients and applications.
-
+
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
@@ -71,13 +71,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Enabled |
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Enabled |
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md
index 72e15d7783..324f36b008 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md
@@ -1,8 +1,8 @@
---
-title: Domain member Disable machine account password changes
+title: Domain member Disable machine account password changes
description: Describes the best practices, location, values, and security considerations for the Domain member Disable machine account password changes security policy setting.
ms.assetid: 1f660300-a07a-4243-a09f-140aa1ab8867
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 06/27/2019
ms.technology: itpro-security
---
@@ -44,8 +44,8 @@ Verify that the **Domain member: Disable machine account password changes** opti
3. You may want to consider using this policy setting in specific environments, such as the following ones:
- Non-persistent Virtual Desktop Infrastructure implementations. In such implementations, each session starts from a read-only base image.
- - Embedded devices that don't have write access to the OS volume.
-
+ - Embedded devices that don't have write access to the OS volume.
+
In either case, a password change that was made during normal operations would be lost as soon as the session ends. We strongly recommend that you plan password changes for maintenance windows. Add the password changes to the updates and modifications that Windows performs during maintenance windows. To trigger a password update on a specific OS volume, run the following command:
```
@@ -62,15 +62,15 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
-| Server type or GPO | Default value |
+| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Disabled |
-| Default Domain Controller Policy | Disabled|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy | Disabled |
+| Default Domain Controller Policy | Disabled|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -85,7 +85,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-By default, devices running Windows Server that belong to a domain automatically change their passwords for their accounts every certain number of days, typically 30. If you disable this policy setting, devices that run Windows Server retain the same passwords as their machine accounts. Devices
+By default, devices running Windows Server that belong to a domain automatically change their passwords for their accounts every certain number of days, typically 30. If you disable this policy setting, devices that run Windows Server retain the same passwords as their machine accounts. Devices
that can't automatically change their account password are at risk from an attacker who could determine the password for the machine's domain account.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
index aacfa76378..278f2854fa 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
@@ -1,8 +1,8 @@
---
-title: Domain member Maximum machine account password age
+title: Domain member Maximum machine account password age
description: Describes the best practices, location, values, and security considerations for the Domain member Maximum machine account password age security policy setting.
ms.assetid: 0ec6f7c1-4d82-4339-94c0-debb2d1ac109
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 05/29/2020
ms.technology: itpro-security
---
@@ -31,8 +31,8 @@ The **Domain member: Maximum machine account password age** policy setting deter
In Active Directory–based domains, each device has an account and password. By default, the domain members submit a password change every 30 days. You can extend or reduce this interval. Additionally, you can use the **Domain member: Disable machine account password changes** policy to disable the password change requirement completely. However, before you consider this option, review the implications as described in [Domain member: Disable machine account password changes](domain-member-disable-machine-account-password-changes.md).
-> [!IMPORTANT]
-> Significantly increasing the password change interval (or disabling password changes) gives an attacker more time to undertake a brute-force password-guessing attack against one of the machine accounts.
+> [!IMPORTANT]
+> Significantly increasing the password change interval (or disabling password changes) gives an attacker more time to undertake a brute-force password-guessing attack against one of the machine accounts.
For more information, see [Machine Account Password Process](https://techcommunity.microsoft.com/t5/Ask-the-Directory-Services-Team/Machine-Account-Password-Process/ba-p/396026).
@@ -43,7 +43,7 @@ For more information, see [Machine Account Password Process](https://techcommuni
### Best practices
-We recommend that you set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and affect domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The extra replication churn would affect domain controllers in large organizations that have many computers or slow links between sites.
+We recommend that you set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and affect domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The extra replication churn would affect domain controllers in large organizations that have many computers or slow links between sites.
### Location
@@ -55,13 +55,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined |
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | 30 days|
-| DC Effective Default Settings | 30 days|
-| Member Server Effective Default Settings|30 days|
-| Client Computer Effective Default Settings | 30 days|
-
+| Default Domain Policy | Not defined |
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | 30 days|
+| DC Effective Default Settings | 30 days|
+| Member Server Effective Default Settings|30 days|
+| Client Computer Effective Default Settings | 30 days|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md
index d5c4b65fcc..5f03addc62 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md
@@ -1,8 +1,8 @@
---
-title: Domain member Require strong (Windows 2000 or later) session key
+title: Domain member Require strong (Windows 2000 or later) session key
description: Best practices, location, values, and security considerations for the security policy setting, Domain member Require strong (Windows 2000 or later) session key.
ms.assetid: 5ab8993c-5086-4f09-bc88-1b27454526bd
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -55,7 +55,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
-| Server type or GPO
+| Server type or GPO
| Default value |
|--------------------------------------------|
diff --git a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
index 8f52bd244e..2580f51ed8 100644
--- a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
+++ b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
@@ -1,8 +1,8 @@
---
-title: Trust computer and user accounts for delegation
+title: Trust computer and user accounts for delegation
description: Learn about best practices, security considerations and more for the security policy setting, Enable computer and user accounts to be trusted for delegation.
ms.assetid: 524062d4-1595-41f3-8ce1-9c85fd21497b
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -55,13 +55,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| Domain Controller Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Administrators|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| Domain Controller Effective Default Settings | Administrators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings | Administrators|
+
## Policy management
This section describes features, tools and guidance to help you manage this policy.
@@ -94,7 +94,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-Misuse of the **Enable computer and user accounts to be trusted for delegation** user right could allow unauthorized users to impersonate other users on the network. An attacker could exploit this privilege to gain access to network resources and make it difficult to determine what has happened
+Misuse of the **Enable computer and user accounts to be trusted for delegation** user right could allow unauthorized users to impersonate other users on the network. An attacker could exploit this privilege to gain access to network resources and make it difficult to determine what has happened
after a security incident.
### Countermeasure
@@ -102,7 +102,7 @@ after a security incident.
The **Enable computer and user accounts to be trusted for delegation** user right should be assigned only if there's a clear need for its functionality. When you assign this right, you should investigate the use of constrained delegation to control what the delegated accounts can do. On domain controllers, this right is assigned to the Administrators group by default.
>**Note:** There is no reason to assign this user right to anyone on member servers and workstations that belong to a domain because it has no meaning in those contexts. It is only relevant on domain controllers and stand-alone computers.
-
+
### Potential impact
None. Not defined is the default configuration.
diff --git a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md
index 69915eba98..b2b87b7314 100644
--- a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md
+++ b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md
@@ -1,8 +1,8 @@
---
-title: Enforce password history
+title: Enforce password history
description: Describes the best practices, location, values, policy management, and security considerations for the Enforce password history security policy setting.
ms.assetid: 8b2ab871-3e52-4dd1-9776-68bb1e935442
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default domain policy | 24 passwords remembered|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | 0 passwords remembered|
-| Domain controller effective default settings | 24 passwords remembered|
-| Member server effective default settings | 24 passwords remembered|
-| Effective GPO default settings on client computers | 24 passwords remembered|
-
+| Default domain policy | 24 passwords remembered|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | 0 passwords remembered|
+| Domain controller effective default settings | 24 passwords remembered|
+| Member server effective default settings | 24 passwords remembered|
+| Effective GPO default settings on client computers | 24 passwords remembered|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -79,7 +79,7 @@ The longer a user uses the same password, the greater the chance that an attacke
If you specify a low number for this policy setting, users can use the same small number of passwords repeatedly. If you don't also configure the [Minimum password age](minimum-password-age.md) policy setting, users might repeatedly change their passwords until they can reuse their original password.
>**Note:** After an account has been compromised, a simple password reset might not be enough to restrict a malicious user because the malicious user might have modified the user's environment so that the password is changed back to a known value automatically at a certain time. If an account has been compromised, it is best to delete the account and assign the user a new account after all affected systems have been restored to normal operations and verified that they are no longer compromised.
-
+
### Countermeasure
Configure the **Enforce password history** policy setting to 24 (the maximum setting) to help minimize the number of vulnerabilities that are caused by password reuse.
diff --git a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md
index a119f6c131..faf39c7570 100644
--- a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md
+++ b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md
@@ -1,8 +1,8 @@
---
-title: Enforce user logon restrictions
+title: Enforce user logon restrictions
description: Describes the best practices, location, values, policy management, and security considerations for the Enforce user logon restrictions security policy setting.
ms.assetid: 5891cb73-f1ec-48b9-b703-39249e48a29f
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -50,13 +50,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server Type or GPO | Default Value |
| - | - |
-| Default Domain Policy | Enabled|
+| Default Domain Policy | Enabled|
| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings| Not applicable |
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Not applicable|
-| Client Computer Effective Default Settings | Not applicable|
-
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Not applicable|
+| Client Computer Effective Default Settings | Not applicable|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md
index bb10d2ce82..fbf329985c 100644
--- a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md
+++ b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md
@@ -1,8 +1,8 @@
---
-title: Force shutdown from a remote system
+title: Force shutdown from a remote system
description: Describes the best practices, location, values, policy management, and security considerations for the Force shutdown from a remote system security policy setting.
ms.assetid: 63129243-31ea-42a4-a598-c7064f48a3df
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Administrators
Server Operators|
-| Stand-Alone Server Default Settings | Administrators|
-| Domain Controller Effective Default Settings | Administrators
Server Operators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Administrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Administrators
Server Operators|
+| Stand-Alone Server Default Settings | Administrators|
+| Domain Controller Effective Default Settings | Administrators
Server Operators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings | Administrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/generate-security-audits.md b/windows/security/threat-protection/security-policy-settings/generate-security-audits.md
index 5b8810a11e..9b9ab36731 100644
--- a/windows/security/threat-protection/security-policy-settings/generate-security-audits.md
+++ b/windows/security/threat-protection/security-policy-settings/generate-security-audits.md
@@ -1,8 +1,8 @@
---
-title: Generate security audits
+title: Generate security audits
description: Describes the best practices, location, values, policy management, and security considerations for the Generate security audits security policy setting.
ms.assetid: c0e1cd80-840e-4c74-917c-5c2349de885f
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Local Service
Network Service|
-| Stand-Alone Server Default Settings | Local Service
Network Service|
-| Domain Controller Effective Default Settings | Local Service
Network Service|
-| Member Server Effective Default Settings | Local Service
Network Service|
-| Client Computer Effective Default Settings | Local Service
Network Service|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Local Service
Network Service|
+| Stand-Alone Server Default Settings | Local Service
Network Service|
+| Domain Controller Effective Default Settings | Local Service
Network Service|
+| Member Server Effective Default Settings | Local Service
Network Service|
+| Client Computer Effective Default Settings | Local Service
Network Service|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
index 6dcfe5687d..37573dfb33 100644
--- a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
@@ -8,7 +8,7 @@ manager: aaroncz
ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 06/07/2023
appliesto:
- ✅ Windows 11
diff --git a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md
index 698d38e82a..918c634443 100644
--- a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md
+++ b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md
@@ -1,8 +1,8 @@
---
-title: Impersonate a client after authentication
+title: Impersonate a client after authentication
description: Describes the best practices, location, values, policy management, and security considerations for the Impersonate a client after authentication security policy setting.
ms.assetid: 4cd241e2-c680-4b43-8ed0-3b391925cec5
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -65,12 +65,12 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy| Not defined |
-| Default Domain Controller Policy| Administrators
Local Service
Network Service
Service|
-| Stand-Alone Server Default Settings | Administrators
Local Service
Network Service
Service|
-| Domain Controller Effective Default Settings | Administrators
Local Service
Network Service
Service|
-| Member Server Effective Default Settings | Administrators
Local Service
Network Service
Service|
-| Client Computer Effective Default Settings | Administrators
Local Service
Network Service
Service|
-
+| Default Domain Controller Policy| Administrators
Local Service
Network Service
Service|
+| Stand-Alone Server Default Settings | Administrators
Local Service
Network Service
Service|
+| Domain Controller Effective Default Settings | Administrators
Local Service
Network Service
Service|
+| Member Server Effective Default Settings | Administrators
Local Service
Network Service
Service|
+| Client Computer Effective Default Settings | Administrators
Local Service
Network Service
Service|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md
index 0d6a6d694f..b383d4e733 100644
--- a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md
+++ b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md
@@ -1,8 +1,8 @@
---
-title: Increase a process working set
+title: Increase a process working set
description: Describes the best practices, location, values, policy management, and security considerations for the Increase a process working set security policy setting.
ms.assetid: b742ad96-37f3-4686-b8f7-f2b48367105b
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -54,11 +54,11 @@ The following table lists the actual and effective default policy values. Defaul
| - | - |
| Default Domain Policy| Not Defined|
| Default Domain Controller Policy | Users|
-| Stand-Alone Server Default Settings| Users|
-| Domain Controller Effective Default Settings| Users|
-| Member Server Effective Default Settings | Users|
-| Client Computer Effective Default Settings | Users|
-
+| Stand-Alone Server Default Settings| Users|
+| Domain Controller Effective Default Settings| Users|
+| Member Server Effective Default Settings | Users|
+| Client Computer Effective Default Settings | Users|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
index 1bcfcdb42e..e0afba5ecc 100644
--- a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
+++ b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
@@ -1,8 +1,8 @@
---
-title: Increase scheduling priority
+title: Increase scheduling priority
description: Describes the best practices, location, values, policy management, and security considerations for the Increase scheduling priority security policy setting.
ms.assetid: fbec5973-d35e-4797-9626-d0d56061527f
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 2/6/2020
ms.technology: itpro-security
---
@@ -46,7 +46,7 @@ Constant: SeIncreaseBasePriorityPrivilege
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
-
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -82,9 +82,9 @@ Verify that only Administrators and Window Manager\Window Manager Group have the
None. Restricting the **Increase scheduling priority** user right to members of the Administrators group and Window Manager\Window Manager Group is the default configuration.
-> [!Warning]
-> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver.
->
+> [!Warning]
+> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver.
+>
> On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission.
## Related topics
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
index a1ee602ed9..6b6a223a3c 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
@@ -1,8 +1,8 @@
---
-title: Interactive logon Display user information when the session is locked
+title: Interactive logon Display user information when the session is locked
description: Best practices, security considerations, and more for the security policy setting, Interactive logon Display user information when the session is locked.
ms.assetid: 9146aa3d-9b2f-47ba-ac03-ff43efb10530
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -66,7 +66,7 @@ This setting has these possible values:
For a domain sign in only, the domain\username is displayed.
The **Privacy** setting is automatically on and grayed out.
-
+
- **Blank**
Default setting.
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md
index 1917c4b70b..6d7880e8fe 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.reviewer:
ms.author: vinpa
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
index e4c4d49b0a..a13d25cd15 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
@@ -1,8 +1,8 @@
---
-title: Interactive logon Do not require CTRL+ALT+DEL
+title: Interactive logon Do not require CTRL+ALT+DEL
description: Describes the best practices, location, values, and security considerations for the Interactive logon Do not require CTRL+ALT+DEL security policy setting.
ms.assetid: 04e2c000-2eb2-4d4b-8179-1e2cb4793e18
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -59,13 +59,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md
index eadc6514fe..85cca7c7f1 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md
index bc3ee80c44..a9c3a468db 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md
@@ -1,8 +1,8 @@
---
-title: Interactive logon Machine account lockout threshold
+title: Interactive logon Machine account lockout threshold
description: Best practices, location, values, management, and security considerations for the security policy setting, Interactive logon Machine account lockout threshold.
ms.assetid: ebbd8e22-2611-4ebe-9db9-d49344e631e4
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -51,13 +51,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined |
-| Stand-Alone Server Default Settings| Disabled|
-| DC Effective Default Settings | Disabled|
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined |
+| Stand-Alone Server Default Settings| Disabled|
+| DC Effective Default Settings | Disabled|
| Member Server Effective Default Settings | Disabled |
-| Client Computer Effective Default Settings | Disabled|
-
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
index 40c0bcb254..499c8ea921 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
@@ -1,8 +1,8 @@
---
-title: Interactive logon Machine inactivity limit
+title: Interactive logon Machine inactivity limit
description: Describes the best practices, location, values, management, and security considerations for the Interactive logon Machine inactivity limit security policy setting.
ms.assetid: 7065b4a9-0d52-41d5-afc4-5aedfc4162b5
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/18/2018
ms.technology: itpro-security
---
@@ -57,13 +57,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
index 7f6a3535a6..9ea2643a8c 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
@@ -1,8 +1,8 @@
---
-title: Interactive Logon Message text
+title: Interactive Logon Message text
description: Learn about best practices, security considerations and more for the security policy setting, Interactive logon Message text for users attempting to log on.
ms.assetid: fcfe8a6d-ca65-4403-b9e6-2fa017a31c2e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
index fc861f5e80..f97c4515e8 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
@@ -1,8 +1,8 @@
---
-title: Interactive logon Message title for users attempting to log on
+title: Interactive logon Message title for users attempting to log on
description: Best practices, security considerations, and more for the security policy setting, Interactive logon Message title for users attempting to log on.
ms.assetid: f2596470-4cc0-4ef1-849c-bef9dc3533c6
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
index 079531c038..60159d1dd5 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
@@ -1,8 +1,8 @@
---
-title: Interactive logon Number of previous logons to cache (in case domain controller is not available)
+title: Interactive logon Number of previous logons to cache (in case domain controller is not available)
description: Best practices and more for the security policy setting, Interactive logon Number of previous logons to cache (in case domain controller is not available).
ms.assetid: 660e925e-cc3e-4098-a41e-eb8db8062d8d
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 08/27/2018
ms.technology: itpro-security
---
@@ -39,7 +39,7 @@ The system can't log you on now because the domain *DOMAIN NAME* isn't available
The value of this policy setting indicates the number of users whose sign-in information the server caches locally. If the value is 10, the server caches sign-in information for 10 users. When an 11th user signs in to the device, the server overwrites the oldest cached sign-in session.
-Users who access the server console will have their sign-in credentials cached on that server. A malicious user who is able to access the file system of the server can locate this cached information and use a brute-force attack to determine user passwords. Windows mitigates this type of attack by
+Users who access the server console will have their sign-in credentials cached on that server. A malicious user who is able to access the file system of the server can locate this cached information and use a brute-force attack to determine user passwords. Windows mitigates this type of attack by
encrypting the information and keeping the cached credentials in the system's registries, which are spread across numerous physical locations.
> [!NOTE]
@@ -52,7 +52,7 @@ encrypting the information and keeping the cached credentials in the system's re
### Best practices
-The [Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) don't recommend configuring this setting.
+The [Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) don't recommend configuring this setting.
### Location
@@ -64,13 +64,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | 10 logons|
-| DC Effective Default Settings | No effect|
-| Member Server Effective Default Settings | 10 logons|
-| Client Computer Effective Default Settings| 10 logons|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | 10 logons|
+| DC Effective Default Settings | No effect|
+| Member Server Effective Default Settings | 10 logons|
+| Client Computer Effective Default Settings| 10 logons|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -105,7 +105,7 @@ Configure the **Interactive logon: Number of previous logons to cache (in case d
### Potential impact
-Users can't sign in to any devices if there's no domain controller available to authenticate them. Organizations can configure this value to 2 for end-user computers, especially for mobile users. A configuration value of 2 means that the user's sign-in information is still in the cache, even if a
+Users can't sign in to any devices if there's no domain controller available to authenticate them. Organizations can configure this value to 2 for end-user computers, especially for mobile users. A configuration value of 2 means that the user's sign-in information is still in the cache, even if a
member of the IT department has recently logged on to the device to perform system maintenance. This method allows users to sign in to their computers when they aren't connected to the organization's network.
## Related topics
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
index b63d35d0b2..1c2bd90367 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
@@ -1,8 +1,8 @@
---
-title: Interactive log-on prompt user to change password before expiration
+title: Interactive log-on prompt user to change password before expiration
description: Best practices and security considerations for an interactive log-on prompt for users to change passwords before expiration.
ms.assetid: 8fe94781-40f7-4fbe-8cfd-5e116e6833e9
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -50,13 +50,13 @@ The following table lists the default values for this policy. Default values are
| Server type or Group Policy Object | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
| Stand-Alone Server Default Settings | Five days|
-| DC Effective Default Settings | Five days |
+| DC Effective Default Settings | Five days |
| Member Server Effective Default Settings| Five days |
-| Client Computer Effective Default Settings | Five days|
-
+| Client Computer Effective Default Settings | Five days|
+
## Policy management
This section describes features and tools that you can use to manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md
index c418e7adeb..12c079fced 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md
@@ -1,8 +1,8 @@
---
-title: Interactive logon Require Domain Controller authentication to unlock workstation
+title: Interactive logon Require Domain Controller authentication to unlock workstation
description: Best practices security considerations, and more for the policy setting, Interactive logon Require Domain Controller authentication to unlock workstation.
ms.assetid: 97618ed3-e946-47db-a212-b5e7a4fc6ffc
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -55,13 +55,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md
index 8d49c17278..7175af2912 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md
@@ -4,11 +4,11 @@ description: "Describes the best practices, location, values, policy management,
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
-ms.reviewer:
+ms.reviewer:
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: reference
ms.date: 01/13/2023
---
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md
index 55213f035f..4ae503eb5d 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md
@@ -1,8 +1,8 @@
---
-title: Interactive logon Smart card removal behavior
+title: Interactive logon Smart card removal behavior
description: Best practices, location, values, policy management, and security considerations for the security policy setting, Interactive logon Smart card removal behavior.
ms.assetid: 61487820-9d49-4979-b15d-c7e735999460
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -67,13 +67,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | No Action|
-| DC Effective Default Settings | No Action|
-| Member Server Effective Default Settings | No Action|
-| Client Computer Effective Default Settings | No Action|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | No Action|
+| DC Effective Default Settings | No Action|
+| Member Server Effective Default Settings | No Action|
+| Client Computer Effective Default Settings | No Action|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md
index b63e17c8c2..c8b07ad5e2 100644
--- a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md
+++ b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md
@@ -1,8 +1,8 @@
---
-title: Kerberos Policy
+title: Kerberos Policy
description: Describes the Kerberos Policy settings and provides links to policy setting descriptions.
ms.assetid: 94017dd9-b1a3-4624-af9f-b29161b4bf38
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -28,7 +28,7 @@ The Kerberos version 5 authentication protocol provides the default mechanism f
These policy settings are located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy**.
-The following topics provide a discussion of implementation and best practices considerations, policy location, default values for the server type or GPO, relevant differences in operating system versions, security considerations (including the possible settings vulnerabilities of each setting),
+The following topics provide a discussion of implementation and best practices considerations, policy location, default values for the server type or GPO, relevant differences in operating system versions, security considerations (including the possible settings vulnerabilities of each setting),
countermeasures you can take, and the potential impact for each setting.
## In this section
@@ -40,7 +40,7 @@ countermeasures you can take, and the potential impact for each setting.
| [Maximum lifetime for user ticket](maximum-lifetime-for-user-ticket.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for user ticket** policy setting. |
| [Maximum lifetime for user ticket renewal](maximum-lifetime-for-user-ticket-renewal.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for user ticket renewal** security policy setting. |
| [Maximum tolerance for computer clock synchronization](maximum-tolerance-for-computer-clock-synchronization.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum tolerance for computer clock synchronization** security |
-
+
## Related topics
- [Configure security policy settings](how-to-configure-security-policy-settings.md)
diff --git a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md
index 1e9c0d4b8b..7a97507fb3 100644
--- a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md
+++ b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md
@@ -1,8 +1,8 @@
---
-title: Load and unload device drivers
+title: Load and unload device drivers
description: Describes the best practices, location, values, policy management, and security considerations for the Load and unload device drivers security policy setting.
ms.assetid: 66262532-c610-470c-9792-35ff4389430f
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -56,13 +56,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Administrators
Print Operators|
-| Stand-Alone Server Default Settings | Administrators|
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Administrators
Print Operators|
+| Stand-Alone Server Default Settings | Administrators|
| Domain Controller Effective Default Settings | Administrators
Print Operators |
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Administrators|
-
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings | Administrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -91,7 +91,7 @@ This section describes how an attacker might exploit a feature or its configurat
Device drivers run as highly privileged code. A user who has the **Load and unload device drivers** user right could unintentionally install malware that masquerades as a device driver. Administrators should exercise care and install only drivers with verified digital signatures.
>**Note:** You must have this user right or be a member of the local Administrators group to install a new driver for a local printer or to manage a local printer and configure defaults for options such as duplex printing.
-
+
### Countermeasure
Don't assign the **Load and unload device drivers** user right to any user or group other than Administrators on member servers. On domain controllers, don't assign this user right to any user or group other than Domain Admins.
diff --git a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md
index c591706f9c..6be9e7a10f 100644
--- a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md
+++ b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md
@@ -1,8 +1,8 @@
---
-title: Lock pages in memory
+title: Lock pages in memory
description: Describes the best practices, location, values, policy management, and security considerations for the Lock pages in memory security policy setting.
ms.assetid: cc724979-aec0-496d-be4e-7009aef660a3
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -35,7 +35,7 @@ Enabling this policy setting for a specific account (a user account or a process
> [!NOTE]
> By configuring this policy setting, the performance of the Windows operating system will differ depending on if applications are running on 32-bit or 64-bit systems, and if they are virtualized images. Performance will also differ between earlier and later versions of the Windows operating system.
-
+
Constant: SeLockMemoryPrivilege
### Possible values
@@ -57,13 +57,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| Domain Controller Effective Default Settings | Not defined|
-| Member Server Effective Default Settings | Not defined|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| Domain Controller Effective Default Settings | Not defined|
+| Member Server Effective Default Settings | Not defined|
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
index cecd34e77c..cd62546d27 100644
--- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
+++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
@@ -1,8 +1,8 @@
---
-title: Log on as a batch job
+title: Log on as a batch job
description: Describes the best practices, location, values, policy management, and security considerations for the Log on as a batch job security policy setting.
ms.assetid: 4eaddb51-0a18-470e-9d3d-5e7cd7970b41
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -56,13 +56,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Administrators
Backup Operators
Performance Log Users|
-| Stand-Alone Server Default Settings | Administrators
Backup Operators
Performance Log Users|
-| Domain Controller Effective Default Settings | Administrators
Backup Operators
Performance Log Users|
-| Member Server Effective Default Settings | Administrators
Backup Operators
Performance Log Users|
-| Client Computer Effective Default Settings | Administrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Administrators
Backup Operators
Performance Log Users|
+| Stand-Alone Server Default Settings | Administrators
Backup Operators
Performance Log Users|
+| Domain Controller Effective Default Settings | Administrators
Backup Operators
Performance Log Users|
+| Member Server Effective Default Settings | Administrators
Backup Operators
Performance Log Users|
+| Client Computer Effective Default Settings | Administrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md
index d1f486957c..f96d6aad98 100644
--- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md
+++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md
@@ -1,8 +1,8 @@
---
-title: Log on as a service
+title: Log on as a service
description: Describes the best practices, location, values, policy management, and security considerations for the Log on as a service security policy setting.
ms.assetid: acc9a9e0-fd88-4cda-ab54-503120ba1f42
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values. The po
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| Domain Controller Effective Default Settings | Network Service|
-| Member Server Effective Default Settings| Network Service|
-| Client Computer Effective Default Settings | Network Service|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| Domain Controller Effective Default Settings | Network Service|
+| Member Server Effective Default Settings| Network Service|
+| Client Computer Effective Default Settings | Network Service|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -84,7 +84,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-The **Log on as a service** user right allows accounts to start network services or services that run continuously on a computer, even when no one is logged on to the console. The risk is reduced because only users who have administrative privileges can install and configure services. An
+The **Log on as a service** user right allows accounts to start network services or services that run continuously on a computer, even when no one is logged on to the console. The risk is reduced because only users who have administrative privileges can install and configure services. An
attacker who has already reached that level of access could configure the service to run with the Local System account.
### Countermeasure
@@ -93,7 +93,7 @@ By definition, the Network Service account has the **Log on as a service** user
### Potential impact
-On most computers, the **Log on as a service** user right is restricted to the Local System, Local Service, and Network Service built-in accounts by default, and there's no negative impact. But if you have optional components such as ASP.NET or IIS, you might need to
+On most computers, the **Log on as a service** user right is restricted to the Local System, Local Service, and Network Service built-in accounts by default, and there's no negative impact. But if you have optional components such as ASP.NET or IIS, you might need to
assign the user right to the additional accounts that those components require. IIS requires this user right to be explicitly granted to the ASPNET user account.
## Related topics
diff --git a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md
index a2be818c7d..180e73d52d 100644
--- a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md
+++ b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md
@@ -1,8 +1,8 @@
---
-title: Manage auditing and security log
+title: Manage auditing and security log
description: Describes the best practices, location, values, policy management, and security considerations for the Manage auditing and security log security policy setting.
ms.assetid: 4b946c0d-f904-43db-b2d5-7f0917575347
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Administrators|
-| Stand-Alone Server Default Settings | Administrators|
-| Domain Controller Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings| Administrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Administrators|
+| Stand-Alone Server Default Settings | Administrators|
+| Domain Controller Effective Default Settings | Administrators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings| Administrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -100,7 +100,7 @@ Ensure that only the local Administrators group has the **Manage auditing and se
Restricting the **Manage auditing and security log** user right to the local Administrators group is the default configuration.
>**Warning:** If groups other than the local Administrators group have been assigned this user right, removing this user right might cause performance issues with other applications. Before removing this right from a group, investigate whether applications are dependent on this right.
-
+
## Related topics
- [User Rights Assignment](user-rights-assignment.md)
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md
index bdc180ccf0..a750dcb65c 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md
@@ -1,8 +1,8 @@
---
-title: Maximum lifetime for service ticket
+title: Maximum lifetime for service ticket
description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for service ticket security policy setting.
ms.assetid: 484bf05a-3858-47fc-bc02-6599ca860247
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -51,13 +51,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server Type or GPO | Default Value |
| - | - |
-| Default Domain Policy| 600 minutes|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not applicable|
-| DC Effective Default Settings | 600 minutes|
-| Member Server Effective Default Settings | Not applicable|
-| Client Computer Effective Default Settings | Not applicable|
-
+| Default Domain Policy| 600 minutes|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not applicable|
+| DC Effective Default Settings | 600 minutes|
+| Member Server Effective Default Settings | Not applicable|
+| Client Computer Effective Default Settings | Not applicable|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
index 43935998f5..6dc4d1607b 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
@@ -1,8 +1,8 @@
---
-title: Maximum lifetime for user ticket renewal
+title: Maximum lifetime for user ticket renewal
description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for user ticket renewal security policy setting.
ms.assetid: f88cd819-3dd1-4e38-b560-13fe6881b609
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -49,13 +49,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| 7 days|
-| Default Domain Controller Policy| Not defined|
-| Stand-Alone Server Default Settings | Not applicable|
-| Domain Controller Effective Default Settings | 7 days|
-| Member Server Effective Default Settings | Not applicable|
-| Client Computer Effective Default Settings | Not applicable|
-
+| Default Domain Policy| 7 days|
+| Default Domain Controller Policy| Not defined|
+| Stand-Alone Server Default Settings | Not applicable|
+| Domain Controller Effective Default Settings | 7 days|
+| Member Server Effective Default Settings | Not applicable|
+| Client Computer Effective Default Settings | Not applicable|
+
### Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -91,7 +91,7 @@ Configure the **Maximum lifetime for user ticket renewal** setting to 7 days.
### Potential impact
-Seven (7) days is the default configuration. Changing the default configuration is a tradeoff between user convenience and security. A shorter time period requires users to authenticate with a DC more often, but remote users who authenticate with a DC infrequently can be locked out of services until they reauthenticate.
+Seven (7) days is the default configuration. Changing the default configuration is a tradeoff between user convenience and security. A shorter time period requires users to authenticate with a DC more often, but remote users who authenticate with a DC infrequently can be locked out of services until they reauthenticate.
## Related topics
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md
index 1d6f14a767..238e860228 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md
@@ -1,8 +1,8 @@
---
-title: Maximum lifetime for user ticket
+title: Maximum lifetime for user ticket
description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for user ticket policy setting.
ms.assetid: bcb4ff59-334d-4c2f-99af-eca2b64011dc
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -49,13 +49,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server Type or GPO | Default Value |
| - | - |
-| Default Domain Policy| 10 hours|
-| Default Domain Controller Policy| Not defined|
-| Stand-Alone Server Default Settings | Not applicable|
-| Domain Controller Effective Default Settings | 10 hours|
-| Member Server Effective Default Settings | Not applicable|
-| Client Computer Effective Default Settings | Not applicable|
-
+| Default Domain Policy| 10 hours|
+| Default Domain Controller Policy| Not defined|
+| Stand-Alone Server Default Settings | Not applicable|
+| Domain Controller Effective Default Settings | 10 hours|
+| Member Server Effective Default Settings | Not applicable|
+| Client Computer Effective Default Settings | Not applicable|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
index 1e3180694c..a416e4543c 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
@@ -1,8 +1,8 @@
---
-title: Maximum password age
+title: Maximum password age
description: Describes the best practices, location, values, policy management, and security considerations for the Maximum password age security policy setting.
ms.assetid: 2d6e70e7-c8b0-44fb-8113-870c6120871d
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -30,7 +30,7 @@ Describes the best practices, location, values, policy management, and security
The **Maximum password age** policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a certain number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If **Maximum password age** is between 1 and 999 days, the minimum password age must be less than the maximum password age. If **Maximum password age** is set to 0, [Minimum password age](minimum-password-age.md) can be any value between 0 and 998 days.
>**Note:** Setting **Maximum password age** to -1 is equivalent to 0, which means it never expires. Setting it to any other negative number is equivalent to setting it to **Not Defined**.
-
+
### Possible values
- User-specified number of days between 0 and 999
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default domain policy| 42 days|
-| Default domain controller policy| Not defined|
-| Stand-alone server default settings | 42 days|
-| Domain controller effective default settings | 42 days|
-| Member server effective default settings | 42 days|
-| Effective GPO default settings on client computers| 42 days|
-
+| Default domain policy| 42 days|
+| Default domain controller policy| Not defined|
+| Stand-alone server default settings | 42 days|
+| Domain controller effective default settings | 42 days|
+| Member server effective default settings | 42 days|
+| Effective GPO default settings on client computers| 42 days|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -74,7 +74,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-The longer a password exists, the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the **Maximum password age** policy setting to 0 so that users are never required to change their passwords allows a compromised password to be used by the malicious user for as long as the valid user is authorized access.
+The longer a password exists, the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the **Maximum password age** policy setting to 0 so that users are never required to change their passwords allows a compromised password to be used by the malicious user for as long as the valid user is authorized access.
### Considerations
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md
index 5b2ae28406..fd26c1fd58 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md
@@ -1,8 +1,8 @@
---
-title: Maximum tolerance for computer clock synchronization
+title: Maximum tolerance for computer clock synchronization
description: Best practices, location, values, policy management, and security considerations for the policy setting, Maximum tolerance for computer clock synchronization.
ms.assetid: ba2cf59e-d69d-469e-95e3-8e6a0ba643af
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -28,7 +28,7 @@ Describes the best practices, location, values, policy management, and security
This security setting determines the maximum time difference (in minutes) that Kerberos V5 tolerates between the time on the client clock and the time on the domain controller that provides Kerberos authentication.
-To prevent "replay attacks," the Kerberos v5 protocol uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the domain controller need to be in sync as much as possible. In other words, both devices must be set to the same time and date.
+To prevent "replay attacks," the Kerberos v5 protocol uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the domain controller need to be in sync as much as possible. In other words, both devices must be set to the same time and date.
Because the clocks of two computers are often out of sync, you can use this policy setting to establish the maximum acceptable difference to the Kerberos protocol between a client clock and domain controller clock. If the difference between a client computer clock and the domain controller clock is less than the maximum time difference that is specified in this policy, any timestamp that's used in a session between the two devices is considered to be authentic.
The possible values for this Group Policy setting are:
@@ -50,13 +50,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| 5 minutes|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not applicable|
-| Domain Controller Effective Default Settings| 5 minutes|
-| Member Server Effective Default Settings | Not applicable|
-| Client Computer Effective Default Settings | Not applicable|
-
+| Default Domain Policy| 5 minutes|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not applicable|
+| Domain Controller Effective Default Settings| 5 minutes|
+| Member Server Effective Default Settings | Not applicable|
+| Client Computer Effective Default Settings | Not applicable|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
index e4f7c05351..687a39281d 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
@@ -1,7 +1,7 @@
---
title: Microsoft network client Digitally sign communications (always)
description: Best practices and security considerations for the Microsoft network client Digitally sign communications (always) security policy setting.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.prod: windows-client
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
ms.date: 01/13/2023
ms.technology: itpro-security
-ms.topic: conceptual
+ms.topic: reference
---
# Microsoft network client: Digitally sign communications (always)
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
index 343e8a2eb7..a3d215db1a 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
@@ -1,8 +1,8 @@
---
-title: Microsoft network client Send unencrypted password
+title: Microsoft network client Send unencrypted password
description: Learn about best practices and more for the security policy setting, Microsoft network client Send unencrypted password to third-party SMB servers.
ms.assetid: 97a76b93-afa7-4dd9-bb52-7c9e289b6017
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -56,13 +56,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings| Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings| Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
index 72d11c51b4..e79a912300 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
@@ -1,8 +1,8 @@
---
-title: Microsoft network server Amount of idle time required before suspending session
+title: Microsoft network server Amount of idle time required before suspending session
description: Best practices, security considerations, and more for the policy setting, Microsoft network server Amount of idle time required before suspending session.
ms.assetid: 8227842a-569d-480f-b43c-43450bbaa722
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
index f8096dec04..8fcc7102c7 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
@@ -1,8 +1,8 @@
---
-title: Microsoft network server Attempt S4U2Self
+title: Microsoft network server Attempt S4U2Self
description: Learn about the security policy setting, Microsoft network server Attempt S4U2Self to obtain claim information.
ms.assetid: e4508387-35ed-4a3f-a47c-27f8396adbba
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -27,7 +27,7 @@ Describes the best practices, location, values, management, and security conside
## Reference
-This security setting supports client devices running a version of Windows prior to Windows 8 that are trying to access a file share that requires user claims. This setting determines whether the local file server will attempt to use Kerberos Service-for-User-to-Self (S4U2Self) functionality to obtain a network client principal’s claims from the client’s account domain. This setting should only be enabled if the file server is using user claims to control access to files, and if the file server will support client principals whose accounts might be in a domain that has client computers
+This security setting supports client devices running a version of Windows prior to Windows 8 that are trying to access a file share that requires user claims. This setting determines whether the local file server will attempt to use Kerberos Service-for-User-to-Self (S4U2Self) functionality to obtain a network client principal’s claims from the client’s account domain. This setting should only be enabled if the file server is using user claims to control access to files, and if the file server will support client principals whose accounts might be in a domain that has client computers
and domain controllers running a version of Windows prior to Windows 8 or Windows Server 2012.
When enabled, this security setting causes the Windows file server to examine the access token of an authenticated network client principal and determines if claim information is present. If claims aren't present, the file server will then use the Kerberos S4U2Self feature to attempt to contact a Windows Server 2012 domain controller in the client’s account domain and obtain a claims-enabled access token for the client principal. A claims-enabled token might be needed to access files or folders that have claim-based access control policy applied.
@@ -64,13 +64,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings| Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings| Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -89,7 +89,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-None. Enabling this policy setting allows you to take advantage of features in Windows Server 2012 and Windows 8 and later for specific scenarios to use claims-enabled tokens to access files or folders that have claim-based access control policy applied on Windows operating systems prior to Windows Server 2012
+None. Enabling this policy setting allows you to take advantage of features in Windows Server 2012 and Windows 8 and later for specific scenarios to use claims-enabled tokens to access files or folders that have claim-based access control policy applied on Windows operating systems prior to Windows Server 2012
and Windows 8.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
index 4685a285de..030123cf61 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
@@ -3,12 +3,12 @@ title: Microsoft network server Digitally sign communications (always)
description: Best practices, security considerations, and more for the security policy setting, Microsoft network server Digitally sign communications (always).
author: vinaypamnani-msft
ms.author: vinpa
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: reference
ms.date: 01/13/2023
---
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
index c560912610..b7f738611b 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
@@ -1,8 +1,8 @@
---
-title: Microsoft network server Disconnect clients when sign-in hours expire
+title: Microsoft network server Disconnect clients when sign-in hours expire
description: Best practices, location, values, and security considerations for the policy setting, Microsoft network server Disconnect clients when sign-in hours expire.
ms.assetid: 48b5c424-9ba8-416d-be7d-ccaabb3f49af
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -55,13 +55,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
| DC Effective Default Settings| Enabled |
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
index b0119771b5..c10cf64969 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
@@ -1,8 +1,8 @@
---
-title: Microsoft network server Server SPN target name validation level
+title: Microsoft network server Server SPN target name validation level
description: Best practices, security considerations, and more for the security policy setting, Microsoft network server Server SPN target name validation level.
ms.assetid: 18337f78-eb45-42fd-bdbd-f8cd02c3e154
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -54,7 +54,7 @@ The default setting is Off.
This setting affects the server SMB behavior, and its implementation should be carefully evaluated and tested to prevent disruptions to file and print serving capabilities.
>**Note:** All Windows operating systems support a client-side SMB component and a server-side SMB component.
-
+
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
@@ -65,13 +65,13 @@ The following table lists the actual and effective default values for this polic
| Server type or Group Policy object (GPO) | Default value |
| - | - |
-| Default domain policy | Off |
-| Default domain controller policy| Off|
-| Stand-alone server default settings | Off|
-| Domain controller effective default settings| Validation level check not implemented|
-| Member server effective default settings | Validation level check not implemented|
-| Effective GPO default settings on client computers | Validation level check not implemented|
-
+| Default domain policy | Off |
+| Default domain controller policy| Off|
+| Stand-alone server default settings | Off|
+| Domain controller effective default settings| Validation level check not implemented|
+| Member server effective default settings | Validation level check not implemented|
+| Effective GPO default settings on client computers | Validation level check not implemented|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
index e42c7f62fc..67cf3aac2e 100644
--- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
@@ -1,8 +1,8 @@
---
-title: Minimum password age
+title: Minimum password age
description: Describes the best practices, location, values, policy management, and security considerations for the Minimum password age security policy setting.
ms.assetid: 91915cb2-1b3f-4fb7-afa0-d03df95e8161
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.prod: windows-client
@@ -13,7 +13,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
ms.date: 11/13/2018
ms.technology: itpro-security
-ms.topic: conceptual
+ms.topic: reference
---
# Minimum password age
@@ -35,15 +35,15 @@ The **Minimum password age** policy setting determines the period of time (in da
### Best practices
-[Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) recommend setting **Minimum password age** to one day.
+[Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) recommend setting **Minimum password age** to one day.
-Setting the number of days to 0 allows immediate password changes. This setting isn't recommended.
-Combining immediate password changes with password history allows someone to change a password repeatedly until the password history requirement is met and re-establish the original password again.
-For example, suppose a password is "Ra1ny day!" and the history requirement is 24.
-If the minimum password age is 0, the password can be changed 24 times in a row until finally changed back to "Ra1ny day!".
+Setting the number of days to 0 allows immediate password changes. This setting isn't recommended.
+Combining immediate password changes with password history allows someone to change a password repeatedly until the password history requirement is met and re-establish the original password again.
+For example, suppose a password is "Ra1ny day!" and the history requirement is 24.
+If the minimum password age is 0, the password can be changed 24 times in a row until finally changed back to "Ra1ny day!".
The minimum password age of 1 day prevents that.
-If you set a password for a user and you want that user to change the administrator-defined password, you must select the **User must change password at next logon** check box.
+If you set a password for a user and you want that user to change the administrator-defined password, you must select the **User must change password at next logon** check box.
Otherwise, the user won't be able to change the password until the number of days specified by **Minimum password age**.
### Location
@@ -56,13 +56,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default domain policy| 1 day|
-| Default domain controller policy| Not defined|
-| Stand-alone server default settings | 0 days|
-| Domain controller effective default settings | 1 day|
-| Member server effective default settings | 1 day|
-| Effective GPO default settings on client computers| 1 day|
-
+| Default domain policy| 1 day|
+| Default domain controller policy| Not defined|
+| Stand-alone server default settings | 0 days|
+| Domain controller effective default settings | 1 day|
+| Member server effective default settings | 1 day|
+| Effective GPO default settings on client computers| 1 day|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
index 4ef50144bc..d264ff4033 100644
--- a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
+++ b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
@@ -1,8 +1,8 @@
---
-title: Minimum password length
+title: Minimum password length
description: Describes the best practices, location, values, policy management, and security considerations for the Minimum password length security policy setting.
ms.assetid: 3d22eb9a-859a-4b6f-82f5-c270c427e17e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 03/30/2022
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md
index 0fe460d50d..e3f1d6decd 100644
--- a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md
+++ b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md
@@ -1,8 +1,8 @@
---
-title: Modify an object label
+title: Modify an object label
description: Describes the best practices, location, values, policy management, and security considerations for the Modify an object label security policy setting.
ms.assetid: 3e5a97dd-d363-43a8-ae80-452e866ebfd5
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management, and security
This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege.
-The integrity label is used by the Windows Integrity Controls (WIC) feature, which was introduced in Windows Server 2008 and Windows Vista. WIC keeps lower integrity processes from modifying higher integrity processes by assigning one of six possible labels to objects on the system. Although
+The integrity label is used by the Windows Integrity Controls (WIC) feature, which was introduced in Windows Server 2008 and Windows Vista. WIC keeps lower integrity processes from modifying higher integrity processes by assigning one of six possible labels to objects on the system. Although
similar to NTFS file and folder permissions, which are discretionary controls on objects, the WIC integrity levels are mandatory controls that are put in place and enforced by the operating system. The following list describes the integrity levels from lowest to highest:
- **Untrusted** Default assignment for processes that are logged on anonymously.
@@ -62,13 +62,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| Domain Controller Effective Default Settings | Not defined|
-| Member Server Effective Default Settings | Not defined|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| Domain Controller Effective Default Settings | Not defined|
+| Member Server Effective Default Settings | Not defined|
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -94,7 +94,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-Anyone with the **Modify an object label** user right can change the integrity level of a file or process so that it becomes elevated or decreased to a point where it can be deleted by lower integrity processes. Either of these states effectively circumvents the protection that is offered by
+Anyone with the **Modify an object label** user right can change the integrity level of a file or process so that it becomes elevated or decreased to a point where it can be deleted by lower integrity processes. Either of these states effectively circumvents the protection that is offered by
Windows Integrity Controls and makes your system vulnerable to attacks by malicious software.
If malicious software is set with an elevated integrity level such as Trusted Installer or System, administrator accounts don't have sufficient integrity levels to delete the program from the system. In that case, use of the **Modify an object label** right is mandated so that the object can be relabeled. However, the relabeling must occur by using a process that is at the same or a higher level of integrity than the object that you're attempting to relabel.
diff --git a/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md b/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md
index faff714347..5a2d90eb2c 100644
--- a/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md
+++ b/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md
@@ -1,8 +1,8 @@
---
-title: Modify firmware environment values
+title: Modify firmware environment values
description: Describes the best practices, location, values, policy management, and security considerations for the Modify firmware environment values security policy setting.
ms.assetid: 80bad5c4-d9eb-4e3a-a5dc-dcb742b83fca
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -61,13 +61,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO |Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Adminstrators|
-| Stand-Alone Server Default Settings | Adminstrators|
-| Domain Controller Effective Default Settings | Adminstrators|
-| Member Server Effective Default Settings | Adminstrators|
-| Client Computer Effective Default Settings | Adminstrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Adminstrators|
+| Stand-Alone Server Default Settings | Adminstrators|
+| Domain Controller Effective Default Settings | Adminstrators|
+| Member Server Effective Default Settings | Adminstrators|
+| Client Computer Effective Default Settings | Adminstrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
index 164da34ecf..16e357e6c1 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
@@ -1,8 +1,8 @@
---
-title: Network access Allow anonymous SID/Name translation
+title: Network access Allow anonymous SID/Name translation
description: Best practices, location, values, policy management and security considerations for the policy setting, Network access Allow anonymous SID/Name translation.
ms.assetid: 0144477f-22a6-4d06-b70a-9c9c2196e99e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -59,13 +59,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
### Operating system version differences
The default value of this setting has changed between operating systems as follows:
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
index caccbb931a..9f3219cb41 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
@@ -1,8 +1,8 @@
---
-title: Network access Do not allow anonymous enumeration
+title: Network access Do not allow anonymous enumeration
description: Learn about best practices and more for the security policy setting, Network access Do not allow anonymous enumeration of SAM accounts and shares.
ms.assetid: 3686788d-4cc7-4222-9163-cbc7c3362d73
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -51,13 +51,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md
index 83888d29df..e737e440d1 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md
@@ -1,8 +1,8 @@
---
-title: Network access Do not allow anonymous enumeration of SAM accounts
+title: Network access Do not allow anonymous enumeration of SAM accounts
description: Describes the best practices, location, values, and security considerations for the Network access Do not allow anonymous enumeration of SAM accounts security policy setting.
ms.assetid: 6ee25b33-ad43-4097-b031-7be680f64c7c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
index 770a44407d..07e8b5d1cb 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
@@ -1,8 +1,8 @@
---
-title: Network access Do not allow storage of passwords and credentials for network authentication
+title: Network access Do not allow storage of passwords and credentials for network authentication
description: Learn about best practices and more for the security policy setting, Network access Do not allow storage of passwords and credentials for network authentication
ms.assetid: b9b64360-36ea-40fa-b795-2d6558c46563
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 07/01/2021
ms.technology: itpro-security
---
@@ -55,13 +55,13 @@ The following table lists the actual and effective default values for this polic
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy| Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings| Disabled|
-| Member server effective default settings | Disabled|
-| Effective GPO default settings on client computers |Disabled|
-
+| Default domain policy| Not defined|
+| Default domain controller policy| Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings| Disabled|
+| Member server effective default settings | Disabled|
+| Effective GPO default settings on client computers |Disabled|
+
### Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -83,7 +83,7 @@ This section describes how an attacker might exploit a feature or its configurat
Passwords that are cached can be accessed by the user when logged on to the device. Although this information may sound obvious, a problem can arise if the user unknowingly runs malicious software that reads the passwords and forwards them to another, unauthorized user.
>**Note:** The chances of success for this exploit and others that involve malicious software are reduced significantly for organizations that effectively implement and manage an enterprise antivirus solution combined with sensible software restriction policies.
-
+
Regardless of what encryption algorithm is used to encrypt the password verifier, a password verifier can be overwritten so that an attacker can authenticate as the user to whom the verifier belongs. Therefore, the administrator's password may be overwritten. This procedure requires physical access to the device. Utilities exist that can help overwrite the cached verifier. With the help of one of these utilities, an attacker can authenticate by using the overwritten value.
Overwriting the administrator's password doesn't help the attacker access data that is encrypted by using that password. Also, overwriting the password doesn't help the attacker access any Encrypting File System (EFS) data that belongs to other users on that device. Overwriting the password doesn't help an attacker replace the verifier, because the base keying material is incorrect. Therefore, data that is encrypted by using Encrypting File System or by using the Data Protection API (DPAPI) won't decrypt.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
index 618f7ffbc0..65f3d3d7c6 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
@@ -1,8 +1,8 @@
---
-title: Let Everyone permissions apply to anonymous users
+title: Let Everyone permissions apply to anonymous users
description: Learn about best practices, security considerations and more for the security policy setting, Network access Let Everyone permissions apply to anonymous users.
ms.assetid: cdbc5159-9173-497e-b46b-7325f4256353
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -57,13 +57,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md
index 7a1acb165d..311f70c3ef 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md
@@ -1,8 +1,8 @@
---
-title: Network access Named Pipes that can be accessed anonymously
+title: Network access Named Pipes that can be accessed anonymously
description: Describes best practices, security considerations and more for the security policy setting, Network access Named Pipes that can be accessed anonymously.
ms.assetid: 8897d2a4-813e-4d2b-8518-fcee71e1cf2c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -50,13 +50,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined |
-| Default Domain Controller Policy | Netlogon, samr, lsarpc|
-| Stand-Alone Server Default Settings | Null|
-| DC Effective Default Settings | Netlogon, samr, lsarpc|
-| Member Server Effective Default Settings | Not defined|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy | Not defined |
+| Default Domain Controller Policy | Netlogon, samr, lsarpc|
+| Stand-Alone Server Default Settings | Null|
+| DC Effective Default Settings | Netlogon, samr, lsarpc|
+| Member Server Effective Default Settings | Not defined|
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes different features and tools available to help you manage this policy.
@@ -79,15 +79,15 @@ You can restrict access over named pipes such as COMNAP and LOCATOR to help prev
| Named pipe | Purpose |
| - | - |
-| COMNAP | SNABase named pipe. Systems network Architecture (SNA) is a collection of network protocols that were originally developed for IBM mainframe computers.|
-| COMNODE| SNA Server named pipe.|
-| SQL\QUERY | Default named pipe for SQL Server.|
-| SPOOLSS | Named pipe for the Print Spooler service.|
-| EPMAPPER | End Point Mapper named pipe.|
-| LOCATOR | Remote Procedure Call Locator service named pipe.|
-| TrlWks | Distributed Link Tracking Client named pipe.|
-| TrkSvr | Distributed Link Tracking Server named pipe.|
-
+| COMNAP | SNABase named pipe. Systems network Architecture (SNA) is a collection of network protocols that were originally developed for IBM mainframe computers.|
+| COMNODE| SNA Server named pipe.|
+| SQL\QUERY | Default named pipe for SQL Server.|
+| SPOOLSS | Named pipe for the Print Spooler service.|
+| EPMAPPER | End Point Mapper named pipe.|
+| LOCATOR | Remote Procedure Call Locator service named pipe.|
+| TrlWks | Distributed Link Tracking Client named pipe.|
+| TrkSvr | Distributed Link Tracking Server named pipe.|
+
### Countermeasure
Configure the **Network access: Named Pipes that can be accessed anonymously** setting to a null value (enable the setting but don't specify named pipes in the text box).
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
index 9c968a3f5c..12988a2e90 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
@@ -1,8 +1,8 @@
---
-title: Network access Remotely accessible registry paths and subpaths
+title: Network access Remotely accessible registry paths and subpaths
description: Describes best practices, location, values, and security considerations for the policy setting, Network access Remotely accessible registry paths and subpaths.
ms.assetid: 3fcbbf70-a002-4f85-8e86-8dabad21928e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -29,7 +29,7 @@ Describes the best practices, location, values, and security considerations for
This policy setting determines which registry paths and subpaths are accessible when an application or process references the WinReg key to determine access permissions.
-The registry is a database for device configuration information, much of which is sensitive. A malicious user can use it to facilitate unauthorized activities. The chance of this happening is reduced by the fact that the default ACLs that are assigned throughout the registry are fairly restrictive,
+The registry is a database for device configuration information, much of which is sensitive. A malicious user can use it to facilitate unauthorized activities. The chance of this happening is reduced by the fact that the default ACLs that are assigned throughout the registry are fairly restrictive,
and they help protect it from access by unauthorized users.
To allow remote access, you must also enable the Remote Registry service.
@@ -53,13 +53,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | See the following registry key combination|
-| DC Effective Default Settings | See the following registry key combination|
-| Member Server Effective Default Settings | See the following registry key combination|
-| Client Computer Effective Default Settings | See the following registry key combination|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | See the following registry key combination|
+| DC Effective Default Settings | See the following registry key combination|
+| Member Server Effective Default Settings | See the following registry key combination|
+| Client Computer Effective Default Settings | See the following registry key combination|
+
The combination of all the following registry keys apply to the previous settings:
1. System\\CurrentControlSet\\Control\\Print\\Printers
@@ -99,7 +99,7 @@ Configure the **Network access: Remotely accessible registry paths and sub-paths
Remote management tools such as MBSA and Configuration Manager require remote access to the registry to properly monitor and manage those computers. If you remove the default registry paths from the list of accessible ones, such remote management tools could fail.
>**Note:** If you want to allow remote access, you must also enable the Remote Registry service.
-
+
## Related topics
- [Security Options](security-options.md)
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md
index dd86f8a026..3a1924da9a 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md
@@ -1,8 +1,8 @@
---
-title: Network access Remotely accessible registry paths
+title: Network access Remotely accessible registry paths
description: Best practices, location, values, policy management and security considerations for the policy setting, Network access Remotely accessible registry paths.
ms.assetid: 977f86ea-864f-4f1b-9756-22220efce0bd
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | See the following registry key combination|
-| DC Effective Default Settings | See the following registry key combination|
-| Member Server Effective Default Settings | See the following registry key combination|
-| Client Computer Effective Default Settings | See the following registry key combination|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | See the following registry key combination|
+| DC Effective Default Settings | See the following registry key combination|
+| Member Server Effective Default Settings | See the following registry key combination|
+| Client Computer Effective Default Settings | See the following registry key combination|
+
The combination of all the following registry keys apply to the previous settings:
1. System\\CurrentControlSet\\Control\\ProductOptions
@@ -90,7 +90,7 @@ Configure the **Network access: Remotely accessible registry paths** setting to
Remote management tools such as the Microsoft Baseline Security Analyzer (MBSA) and Configuration Manager require remote access to the registry to properly monitor and manage those computers. If you remove the default registry paths from the list of accessible ones, such remote management tools could fail.
>**Note:** If you want to allow remote access, you must also enable the Remote Registry service.
-
+
## Related topics
- [Security Options](security-options.md)
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
index 30cbc5b78f..e45ad66787 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
@@ -1,8 +1,8 @@
---
-title: Network access Restrict anonymous access to Named Pipes and Shares
+title: Network access Restrict anonymous access to Named Pipes and Shares
description: Best practices, security considerations, and more for the security policy setting, Network access Restrict anonymous access to Named Pipes and Shares.
ms.assetid: e66cd708-7322-4d49-9b57-1bf8ec7a4c10
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -32,7 +32,7 @@ Describes the best practices, location, values, policy management and security c
## Reference
-This policy setting enables or disables the restriction of anonymous access to only those shared folders and pipes that are named in the **Network access: Named pipes that can be accessed anonymously** and [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md) settings. The setting controls null session access to shared folders on your computers by adding RestrictNullSessAccess with the value 1 in the registry key
+This policy setting enables or disables the restriction of anonymous access to only those shared folders and pipes that are named in the **Network access: Named pipes that can be accessed anonymously** and [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md) settings. The setting controls null session access to shared folders on your computers by adding RestrictNullSessAccess with the value 1 in the registry key
**HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters**. This registry value toggles null session shared folders on or off to control whether the Server service restricts unauthenticated clients' access to named resources.
Null sessions are a weakness that can be exploited through the various shared folders on the devices in your environment.
@@ -57,13 +57,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings | Enabled|
-| Client Computer Effective Default Settings| Enabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings | Enabled|
+| Client Computer Effective Default Settings| Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
index 6b65885d98..587ae7e3a5 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
@@ -7,12 +7,12 @@ ms.localizationpriority: medium
ms.date: 09/17/2018
author: vinaypamnani-msft
ms.author: vinpa
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
---
# Network access: Restrict clients allowed to make remote calls to SAM
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md
index dc0a2dda77..57882060a6 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md
@@ -1,8 +1,8 @@
---
-title: Network access Shares that can be accessed anonymously
+title: Network access Shares that can be accessed anonymously
description: Learn about best practices, security considerations, and more for the security policy setting, Network access Shares that can be accessed anonymously.
ms.assetid: f3e4b919-8279-4972-b415-5f815e2f0a1a
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -48,13 +48,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| DC Effective Default Settings | Not defined|
-| Member Server Effective Default Settings | Not defined|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| DC Effective Default Settings | Not defined|
+| Member Server Effective Default Settings | Not defined|
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
index c11be07eab..9665aaaaf7 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
@@ -1,8 +1,8 @@
---
-title: Network access Sharing and security model for local accounts
+title: Network access Sharing and security model for local accounts
description: Best practices, security considerations, and more for the security policy setting, Network access Sharing and security model for local accounts.
ms.assetid: 0b3d703c-ea27-488f-8f59-b345af75b994
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -31,7 +31,7 @@ This policy setting determines how network logons that use local accounts are au
>**Note:** This policy setting does not affect network logons that use domain accounts. Nor does this policy setting affect interactive logons that are performed remotely through services such as Telnet or Remote Desktop Services.
When the device is not joined to a domain, this policy setting also tailors the **Sharing** and **Security** tabs in Windows Explorer to correspond to the sharing and security model that is being used.
-
+
When the value of this policy setting is **Guest only - local users authenticate as Guest**, any user who can access your device over the network does so with Guest user rights. This privilege means that they'll probably be unable to write to shared folders. Although this restriction does increase security, it makes it impossible for authorized users to access shared resources on those systems. When the value is **Classic - local users authenticate as themselves**, local accounts must be password-protected; otherwise, anyone can use those user accounts to access shared system resources.
### Possible values
@@ -55,13 +55,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Classic (local users authenticate as themselves)|
-| DC Effective Default Settings | Classic (local users authenticate as themselves)|
-| Member Server Effective Default Settings | Classic (local users authenticate as themselves)|
-| Client Computer Effective Default Settings | Classic (local users authenticate as themselves)|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Classic (local users authenticate as themselves)|
+| DC Effective Default Settings | Classic (local users authenticate as themselves)|
+| Member Server Effective Default Settings | Classic (local users authenticate as themselves)|
+| Client Computer Effective Default Settings | Classic (local users authenticate as themselves)|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md b/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md
index a946a20ae9..04167671df 100644
--- a/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md
+++ b/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md
@@ -1,8 +1,8 @@
---
-title: Network List Manager policies
+title: Network List Manager policies
description: Network List Manager policies are security settings that configure different aspects of how networks are listed and displayed on one device or on many devices.
ms.assetid: bd8109d4-b07c-4beb-a9a6-affae2ba2fda
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -36,7 +36,7 @@ The following policy settings are provided for Network List Manager Policies. Th
### Unidentified Networks
-This policy setting allows you to configure the **Network Location**, including the location type and the user permissions, for networks that Windows cannot identify due to a network issue or a lack of identifiable characters in the network information received by the operating system from the
+This policy setting allows you to configure the **Network Location**, including the location type and the user permissions, for networks that Windows cannot identify due to a network issue or a lack of identifiable characters in the network information received by the operating system from the
network. A network location identifies the type of network that a computer is connected to and automatically sets the appropriate firewall settings for that location. You can configure the following items for this policy setting:
- **Location type**. For this item, the following options are available:
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
index bdd1418a71..509602f606 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
@@ -2,7 +2,7 @@
title: "Network security: Allow Local System to use computer identity for NTLM (Windows 10)"
description: Location, values, policy management, and security considerations for the policy setting, Network security Allow Local System to use computer identity for NTLM.
ms.assetid: c46a658d-b7a4-4139-b7ea-b9268c240053
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 10/04/2021
ms.technology: itpro-security
---
@@ -34,11 +34,11 @@ When a service connects with the device identity, signing and encryption are sup
### Possible values
| Setting | Windows Server 2008 and Windows Vista | At least Windows Server 2008 R2 and Windows 7 |
-| - | - | - |
+| - | - | - |
| Enabled | Services running as Local System that use Negotiate will use the computer identity. This value might cause some authentication requests between Windows operating systems to fail and log an error.| Services running as Local System that use Negotiate will use the computer identity. This behavior is the default behavior. |
| Disabled| Services running as Local System that uses Negotiate when reverting to NTLM authentication will authenticate anonymously. This behavior is the default behavior.| Services running as Local System that uses Negotiate when reverting to NTLM authentication will authenticate anonymously.|
-|Neither|Services running as Local System that uses Negotiate when reverting to NTLM authentication will authenticate anonymously. | Services running as Local System that uses Negotiate will use the computer identity. This behavior might cause some authentication requests between Windows operating systems to fail and log an error.|
-
+|Neither|Services running as Local System that uses Negotiate when reverting to NTLM authentication will authenticate anonymously. | Services running as Local System that uses Negotiate will use the computer identity. This behavior might cause some authentication requests between Windows operating systems to fail and log an error.|
+
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
@@ -48,13 +48,13 @@ The following table lists the actual and effective default values for this polic
| Server type or Group Policy object (GPO) | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | Not applicable|
-| Member server effective default settings | Not applicable|
-| Effective GPO default settings on client computers | Not defined|
-
+| Default domain policy| Not defined|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Not applicable|
+| Member server effective default settings | Not applicable|
+| Effective GPO default settings on client computers | Not defined|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md
index fd87daba06..02d157f8db 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md
@@ -1,8 +1,8 @@
---
-title: Network security Allow LocalSystem NULL session fallback
+title: Network security Allow LocalSystem NULL session fallback
description: Describes the best practices, location, values, and security considerations for the Network security Allow LocalSystem NULL session fallback security policy setting.
ms.assetid: 5b72edaa-bec7-4572-b6f0-648fc38f5395
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -27,7 +27,7 @@ Describes the best practices, location, values, and security considerations for
## Reference
-This policy affects session security during the authentication process between devices running Windows Server 2008 R2 and Windows 7 and later and those devices running earlier versions of the Windows operating system. For computers running Windows Server 2008 R2 and Windows 7 and later, services running as Local System require a service principal name (SPN) to generate the session key. However, if [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md) is set to disabled, services running as Local
+This policy affects session security during the authentication process between devices running Windows Server 2008 R2 and Windows 7 and later and those devices running earlier versions of the Windows operating system. For computers running Windows Server 2008 R2 and Windows 7 and later, services running as Local System require a service principal name (SPN) to generate the session key. However, if [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md) is set to disabled, services running as Local
System will fall back to using NULL session authentication when they transmit data to servers running versions of Windows earlier than Windows Vista or Windows Server 2008. NULL session doesn't establish a unique session key for each authentication; and thus, it can't provide integrity or confidentiality protection. The setting **Network security: Allow LocalSystem NULL session fallback** determines whether services that request the use of session security are allowed to perform signature or encryption functions with a well-known key for application compatibility.
### Possible values
@@ -38,7 +38,7 @@ System will fall back to using NULL session authentication when they transmit da
- **Disabled**
- When a service running as Local System connects with a NULL session, session security will be unavailable. Calls seeking encryption or signing will fail. This setting is more secure, but at the risk of degrading application incompatibility. Calls that are using the device identity instead of a
+ When a service running as Local System connects with a NULL session, session security will be unavailable. Calls seeking encryption or signing will fail. This setting is more secure, but at the risk of degrading application incompatibility. Calls that are using the device identity instead of a
NULL session will still have full use of session security.
- Not defined. When this policy isn't defined, the default takes effect. This policy is Enabled for versions of the Windows operating system earlier than Windows Server 2008 R2 and Windows 7, and it's Disabled otherwise.
@@ -57,13 +57,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | Not applicable|
+| Default domain policy| Not defined|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Not applicable|
| Member server effective default settings | Not applicable |
-| Effective GPO default settings on client computers | Not applicable|
-
+| Effective GPO default settings on client computers | Not applicable|
+
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
index abc5d527cd..202d37d4e5 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
@@ -1,8 +1,8 @@
---
-title: Network security Allow PKU2U authentication requests to this computer to use online identities
+title: Network security Allow PKU2U authentication requests to this computer to use online identities
description: Best practices for the Network Security Allow PKU2U authentication requests to this computer to use online identities security setting.
ms.assetid: e04a854e-d94d-4306-9fb3-56e9bd7bb926
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 01/03/2022
ms.technology: itpro-security
---
@@ -33,7 +33,7 @@ When devices are configured to accept authentication requests by using online ID
> [!NOTE]
> Linking online IDs can be performed by anyone who has an account that has standard user’s credentials through Credential Manager.
-
+
This policy isn't configured by default on domain-joined devices. This disablement would disallow the online identities to authenticate to domain-joined computers from Windows 7 up to Windows 10, Version 1607. This policy is enabled by default in Windows 10, Version 1607, and later.
### Possible values
@@ -61,21 +61,21 @@ The following table lists the effective default values for this policy. Default
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | Disabled|
-| Member server effective default settings | Disabled|
-| Effective GPO default settings on client computers prior to Windows 10, Version 1607 | Disabled|
-| Effective GPO default settings on client computers Windows 10, Version 1607 and later| Enabled|
-
+| Default domain policy| Not defined|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Disabled|
+| Member server effective default settings | Disabled|
+| Effective GPO default settings on client computers prior to Windows 10, Version 1607 | Disabled|
+| Effective GPO default settings on client computers Windows 10, Version 1607 and later| Enabled|
+
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of the countermeasure.
### Vulnerability
-Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account or a Microsoft Entra account. That account can then sign in to a peer device (if the peer device is likewise configured) without the use of a Windows sign-in account (domain or local). This setup isn't only beneficial, but required for Microsoft Entra joined devices, where they're signed in with an online identity and are issued certificates by Microsoft Entra ID. This policy may not be relevant for an *on-premises only* environment and might circumvent established security policies. However, it doesn't pose any threats in a hybrid environment where Microsoft Entra ID is used as it relies on the user's online identity and Microsoft Entra ID to authenticate.
+Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account or a Microsoft Entra account. That account can then sign in to a peer device (if the peer device is likewise configured) without the use of a Windows sign-in account (domain or local). This setup isn't only beneficial, but required for Microsoft Entra joined devices, where they're signed in with an online identity and are issued certificates by Microsoft Entra ID. This policy may not be relevant for an *on-premises only* environment and might circumvent established security policies. However, it doesn't pose any threats in a hybrid environment where Microsoft Entra ID is used as it relies on the user's online identity and Microsoft Entra ID to authenticate.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
index 465adda6a7..5e1c37d2b4 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
@@ -1,16 +1,16 @@
---
title: Network security Configure encryption types allowed for Kerberos
description: Best practices, location, values and security considerations for the policy setting, Network security Configure encryption types allowed for Kerberos Win7 only.
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -32,7 +32,7 @@ For more information, see [KDC event ID 16 or 27 is logged if DES for Kerberos i
The following table lists and explains the allowed encryption types.
-
+
| Encryption type | Description and version support |
| - | - |
| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows 11, Windows Server 2008 R2, and later operating systems don't support DES by default. |
@@ -91,7 +91,7 @@ Don't configure this policy. This disablement will force the computers running W
### Potential impact
If you don't select any of the encryption types, computers running Windows Server 2008 R2, Windows 7 and Windows 10, might have Kerberos authentication failures when connecting with computers running non-Windows versions of the Kerberos protocol.
-
+
If you do select any encryption type, you'll lower the effectiveness of encryption for Kerberos authentication but you'll improve interoperability with computers running older versions of Windows.
Contemporary non-Windows implementations of the Kerberos protocol support RC4 and AES 128-bit and AES 256-bit encryption. Most implementations, including the MIT Kerberos protocol and the Windows Kerberos protocol, are deprecating DES encryption.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
index 7402fd0df1..c708a656d1 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
@@ -1,8 +1,8 @@
---
-title: Network security Do not store LAN Manager hash value on next password change
+title: Network security Do not store LAN Manager hash value on next password change
description: Best practices, security considerations, and more for the security policy setting, Network security Do not store LAN Manager hash value on next password change.
ms.assetid: 6452b268-e5ba-4889-9d38-db28f919af51
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings|Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings|Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
index 99826613ed..665eee915f 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
@@ -1,8 +1,8 @@
---
-title: Network security Force logoff when logon hours expire
+title: Network security Force logoff when logon hours expire
description: Best practices, location, values, policy management, and security considerations for the policy setting, Network security Force logoff when logon hours expire.
ms.assetid: 64d5dde4-58e4-4217-b2c4-73bd554ec926
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -57,13 +57,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Disabled|
-| Default Domain Controller Policy| Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Disabled|
+| Default Domain Controller Policy| Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
index c6847770d4..57246a6f27 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
@@ -1,8 +1,8 @@
---
-title: Network security LAN Manager authentication level
+title: Network security LAN Manager authentication level
description: Best practices, location, values, policy management and security considerations for the policy setting, Network security LAN Manager authentication level.
ms.assetid: bbe1a98c-420a-41e7-9d3c-3a2fe0f1843e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -50,18 +50,18 @@ LAN Manager authentication includes the LM, NTLM, and NTLMv2 variants, and it's
- Send NTLMv2 responses only. Refuse LM & NTLM
- Not Defined
-The **Network security: LAN Manager authentication level** setting determines which challenge/response authentication protocol is used for network logons. This choice affects the authentication protocol level that clients use, the session security level that the computers negotiate, and the
+The **Network security: LAN Manager authentication level** setting determines which challenge/response authentication protocol is used for network logons. This choice affects the authentication protocol level that clients use, the session security level that the computers negotiate, and the
authentication level that servers accept. The following table identifies the policy settings, describes the setting, and identifies the security level used in the corresponding registry setting if you choose to use the registry to control this setting instead of the policy setting.
| Setting | Description | Registry security level |
| - | - | - |
-| Send LM & NTLM responses | Client devices use LM and NTLM authentication, and they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 0|
-| Send LM & NTLM – use NTLMv2 session security if negotiated | Client devices use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 1|
-| Send NTLM response only| Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 2|
-| Send NTLMv2 response only | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 3|
-| Send NTLMv2 response only. Refuse LM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they'll accept only NTLM and NTLMv2 authentication.| 4|
-| Send NTLMv2 response only. Refuse LM & NTLM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM and NTLM authentication, and they'll accept only NTLMv2 authentication.| 5|
-
+| Send LM & NTLM responses | Client devices use LM and NTLM authentication, and they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 0|
+| Send LM & NTLM – use NTLMv2 session security if negotiated | Client devices use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 1|
+| Send NTLM response only| Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 2|
+| Send NTLMv2 response only | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 3|
+| Send NTLMv2 response only. Refuse LM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they'll accept only NTLM and NTLMv2 authentication.| 4|
+| Send NTLMv2 response only. Refuse LM & NTLM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM and NTLM authentication, and they'll accept only NTLMv2 authentication.| 5|
+
### Best practices
- Best practices are dependent on your specific security and authentication requirements.
@@ -80,13 +80,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Send NTLMv2 response only|
-| DC Effective Default Settings | Send NTLMv2 response only|
-| Member Server Effective Default Settings | Send NTLMv2 response only|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Send NTLMv2 response only|
+| DC Effective Default Settings | Send NTLMv2 response only|
+| Member Server Effective Default Settings | Send NTLMv2 response only|
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
index 3232a699e0..2199e96b47 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
@@ -1,8 +1,8 @@
---
-title: Network security LDAP client signing requirements
+title: Network security LDAP client signing requirements
description: Best practices, location, values, policy management and security considerations for the policy setting, Network security LDAP client signing requirements.
ms.assetid: 38b35489-eb5b-4035-bc87-df63de50509c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -56,13 +56,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Negotiate signing|
-| DC Effective Default Settings | Negotiate signing|
-| Member Server Effective Default Settings | Negotiate signing|
-| Client Computer Effective Default Settings | Negotiate signing|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Negotiate signing|
+| DC Effective Default Settings | Negotiate signing|
+| Member Server Effective Default Settings | Negotiate signing|
+| Client Computer Effective Default Settings | Negotiate signing|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
index cd6838a4f8..5bda79521f 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
@@ -1,8 +1,8 @@
---
-title: Network security Minimum session security for NTLM SSP based (including secure RPC) clients
+title: Network security Minimum session security for NTLM SSP based (including secure RPC) clients
description: Best practices and more for the security policy setting, Network security Minimum session security for NTLM SSP based (including secure RPC) clients.
ms.assetid: 89903de8-23d0-4e0f-9bef-c00cb7aebf00
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 07/27/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy| Not defined|
-| Stand-Alone Server Default Settings | Require 128-bit encryption|
-| DC Effective Default Settings | Require 128-bit encryption|
-| Member Server Effective Default Settings | Require 128-bit encryption|
-| Client Computer Effective Default Settings | Require 128-bit encryption|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy| Not defined|
+| Stand-Alone Server Default Settings | Require 128-bit encryption|
+| DC Effective Default Settings | Require 128-bit encryption|
+| Member Server Effective Default Settings | Require 128-bit encryption|
+| Client Computer Effective Default Settings | Require 128-bit encryption|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
index 701259d037..ebae59999d 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
@@ -1,8 +1,8 @@
---
-title: Network security Minimum session security for NTLM SSP based (including secure RPC) servers
+title: Network security Minimum session security for NTLM SSP based (including secure RPC) servers
description: Best practices and security considerations for the policy setting, Network security Minimum session security for NTLM SSP based (including secure RPC) servers.
ms.assetid: c6a60c1b-bc8d-4d02-9481-f847a411b4fc
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -51,13 +51,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy| Not defined|
-| Stand-Alone Server Default Settings | Require 128-bit encryption|
-| DC Effective Default Settings | Require 128-bit encryption|
-| Member Server Effective Default Settings | Require 128-bit encryption|
-| Client Computer Effective Default Settings | Require 128-bit encryption|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy| Not defined|
+| Stand-Alone Server Default Settings | Require 128-bit encryption|
+| DC Effective Default Settings | Require 128-bit encryption|
+| Member Server Effective Default Settings | Require 128-bit encryption|
+| Client Computer Effective Default Settings | Require 128-bit encryption|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
index 754a7cbc0e..b0e28dc0b1 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
@@ -1,8 +1,8 @@
---
-title: Network security Restrict NTLM Add remote server exceptions for NTLM authentication
+title: Network security Restrict NTLM Add remote server exceptions for NTLM authentication
description: Best practices, security considerations, and more for the policy setting, Network security Restrict NTLM Add remote server exceptions for NTLM authentication.
ms.assetid: 9b017399-0a54-4580-bfae-614c2beda3a1
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -59,13 +59,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or GPO | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | Not defined|
-| Member server effective default settings | Not defined|
-| Client computer effective default settings| Not defined|
-
+| Default domain policy| Not defined|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Not defined|
+| Member server effective default settings | Not defined|
+| Client computer effective default settings| Not defined|
+
## Policy management
This section describes the features and tools that are available to help you manage this policy.
@@ -90,14 +90,14 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-When it has been determined that the NTLM authentication protocol shouldn't be used from a client device to any remote servers because you're required to use a more secure protocol such as Kerberos, there might be some client applications that still use NTLM. If so, and you set [Network Security:
+When it has been determined that the NTLM authentication protocol shouldn't be used from a client device to any remote servers because you're required to use a more secure protocol such as Kerberos, there might be some client applications that still use NTLM. If so, and you set [Network Security:
Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) to any of the deny options, those applications will fail because the outbound NTLM authentication traffic from the client computer will be blocked.
If you define an exception list of servers to which client devices are allowed to use NTLM authentication, then NTLM authentication traffic will continue to flow between those client applications and servers. The servers then are vulnerable to any malicious attack that takes advantage of security weaknesses in NTLM.
### Countermeasure
-When you use [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the remote
+When you use [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the remote
servers in your environment. When assessed, you'll have to determine on a case-by-case basis if NTLM authentication still minimally meets your security requirements. If not, the client application has to be upgraded to use something other than NTLM authentication.
### Potential impact
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
index c0ebdc1ba5..b6aa571487 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
@@ -1,8 +1,8 @@
---
-title: Network security Restrict NTLM Add server exceptions in this domain
+title: Network security Restrict NTLM Add server exceptions in this domain
description: Best practices, security considerations, and more for the security policy setting, Network security Restrict NTLM Add server exceptions in this domain.
ms.assetid: 2f981b68-6aa7-4dd9-b53d-d88551277cc0
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -59,12 +59,12 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or GPO | Default value |
| - | - |
| Default domain policy| Not defined |
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | Not defined|
-| Member server effective default settings | Not defined|
-| Client computer effective default settings | Not defined|
-
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Not defined|
+| Member server effective default settings | Not defined|
+| Client computer effective default settings | Not defined|
+
## Policy management
This section describes different features and tools available to help you manage this policy.
@@ -89,10 +89,10 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-When it has been determined that the NTLM authentication protocol shouldn't be used within a domain because you're required to use a more secure protocol such as Kerberos, there might be some NTLM authentication traffic that is still present in the domain. If so, and you set Network Security:
+When it has been determined that the NTLM authentication protocol shouldn't be used within a domain because you're required to use a more secure protocol such as Kerberos, there might be some NTLM authentication traffic that is still present in the domain. If so, and you set Network Security:
[Network Security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md) to any of the deny options, any NTLM authentication request will fail because the pass-through member server will block the NTLM request.
-If you define an exception list of servers in this domain to which client computers are allowed to use NTLM pass-through authentication, then NTLM authentication traffic will continue to flow between those servers, which make them vulnerable to any malicious attack that takes advantage of security
+If you define an exception list of servers in this domain to which client computers are allowed to use NTLM pass-through authentication, then NTLM authentication traffic will continue to flow between those servers, which make them vulnerable to any malicious attack that takes advantage of security
weaknesses in NTLM.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
index d5104ea5b7..c81152a791 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
@@ -1,8 +1,8 @@
---
-title: Network security Restrict NTLM Audit incoming NTLM traffic
+title: Network security Restrict NTLM Audit incoming NTLM traffic
description: Best practices, security considerations and more for the security policy setting, Network Security Restrict NTLM Audit incoming NTLM traffic.
ms.assetid: 37e380c2-22e1-44cd-9993-e12815b845cf
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -33,7 +33,7 @@ When this audit policy is enabled within Group Policy, it's enforced on any serv
When you enable this policy on a server, only authentication traffic to that server will be logged.
-When you enable this audit policy, it functions in the same way as the [Network Security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) policy, but it doesn't actually block any traffic. Therefore, you can use it effectively to understand the
+When you enable this audit policy, it functions in the same way as the [Network Security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) policy, but it doesn't actually block any traffic. Therefore, you can use it effectively to understand the
authentication traffic in your environment, and when you're ready to block that traffic, you can enable the Network Security: Restrict NTLM: Incoming NTLM traffic policy setting and select **Deny all accounts** or **Deny all domain accounts**.
### Possible values
@@ -66,13 +66,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or GPO | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | Not defined|
-| Member server effective default settings | Not defined|
-| Client computer effective default settings | Not defined|
-
+| Default domain policy| Not defined|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Not defined|
+| Member server effective default settings | Not defined|
+| Client computer effective default settings | Not defined|
+
## Policy management
This section describes different features and tools available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
index dbc99216c2..f79dd47f62 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
@@ -1,13 +1,13 @@
---
title: Network security Restrict NTLM Audit NTLM authentication in this domain
description: Best practices, security considerations, and more for the security policy setting, Network Security Restrict NTLM Audit NTLM authentication in this domain.
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -46,7 +46,7 @@ When you enable this audit policy, it functions in the same way as the **Network
The domain controller will log events for NTLM authentication requests to all servers in the domain when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain servers**.
- **Enable all**
-
+
The domain controller on which this policy is set will log all events for incoming NTLM traffic.
### Best practices
@@ -61,13 +61,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or GPO | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | Not defined|
-| Member server effective default settings | Not defined|
-| Client computer effective default settings | Not defined|
-
+| Default domain policy| Not defined|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Not defined|
+| Member server effective default settings | Not defined|
+| Client computer effective default settings | Not defined|
+
## Policy management
This section describes different features and tools available to help you manage this policy.
@@ -90,7 +90,7 @@ There are no security audit event policies that can be configured to view output
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
-NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB relay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the
+NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB relay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the
Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards.
### Vulnerability
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md
index 3a547350da..5f964c33cc 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md
@@ -1,8 +1,8 @@
---
-title: Network security Restrict NTLM Incoming NTLM traffic
+title: Network security Restrict NTLM Incoming NTLM traffic
description: Best practices, security considerations, and more for the security policy setting, Network Security Restrict NTLM Incoming NTLM traffic.
ms.assetid: c0eff7d3-ed59-4004-908a-2205295fefb8
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -60,13 +60,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or GPO | Default value |
| - | - |
-| Default domain policy| Not defined|
+| Default domain policy| Not defined|
| Default domain controller policy | Not defined |
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | Not defined|
-| Member server effective default settings | Not defined|
-| Client computer effective default settings | Not defined|
-
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Not defined|
+| Member server effective default settings | Not defined|
+| Client computer effective default settings | Not defined|
+
## Policy management
This section describes different features and tools available to help you manage this policy.
@@ -101,7 +101,7 @@ When it has been determined that the NTLM authentication protocol shouldn't be u
### Potential impact
-If you configure this policy setting, numerous NTLM authentication requests could fail within your network, which could degrade productivity. Before implementing this change through this policy setting, set **Network security: Restrict NTLM: Audit Incoming NTLM traffic** to the same option so that
+If you configure this policy setting, numerous NTLM authentication requests could fail within your network, which could degrade productivity. Before implementing this change through this policy setting, set **Network security: Restrict NTLM: Audit Incoming NTLM traffic** to the same option so that
you can review the log for the potential impact, perform an analysis of servers, and create an exception list of servers to exclude from this policy setting [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md).
## Related topics
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
index 61092a99fc..8b9e4f8973 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
@@ -1,13 +1,13 @@
---
title: Network security Restrict NTLM in this domain
description: Learn about best practices, security considerations and more for the security policy setting, Network Security Restrict NTLM NTLM authentication in this domain.
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
ms.technology: itpro-security
ms.date: 12/31/2017
---
@@ -63,13 +63,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or GPO | Default value |
| - | - |
-| Default domain policy| Not configured|
-| Default domain controller policy | Not configured|
+| Default domain policy| Not configured|
+| Default domain controller policy | Not configured|
| Stand-alone server default settings | Not configured|
-| Domain controller effective default settings | Not configured|
-| Member server effective default settings | Not configured |
-| Client computer effective default settings | Not configured|
-
+| Domain controller effective default settings | Not configured|
+| Member server effective default settings | Not configured |
+| Client computer effective default settings | Not configured|
+
## Policy management
This section describes different features and tools available to help you manage this policy.
@@ -100,7 +100,7 @@ Malicious attacks on NTLM authentication traffic resulting in a compromised serv
### Countermeasure
-When it has been determined that the NTLM authentication protocol shouldn't be used within a network because you're required to use a more secure protocol such as the Kerberos protocol, then you can select one of several options that this security policy setting offers to restrict NTLM usage
+When it has been determined that the NTLM authentication protocol shouldn't be used within a network because you're required to use a more secure protocol such as the Kerberos protocol, then you can select one of several options that this security policy setting offers to restrict NTLM usage
within the domain.
### Potential impact
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
index 5aedc2eb5b..4869db61ec 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
@@ -1,8 +1,8 @@
---
-title: Network security Restrict NTLM Outgoing traffic
+title: Network security Restrict NTLM Outgoing traffic
description: Learn about best practices, security considerations and more for the policy setting, Network Security Restrict NTLM Outgoing NTLM traffic to remote servers.
ms.assetid: 63437a90-764b-4f06-aed8-a4a26cf81bd1
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 06/15/2022
ms.technology: itpro-security
---
@@ -34,7 +34,7 @@ Describes the best practices, location, values, management aspects, and security
The **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** policy setting allows you to deny or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system.
>**Warning:** Modifying this policy setting may affect compatibility with client computers, services, and applications.
-
+
### Possible values
- **Allow all**
@@ -65,13 +65,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or GPO | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | Not defined|
-| Member server effective default settings | Not defined|
-| Client computer effective default settings | Not defined|
-
+| Default domain policy| Not defined|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Not defined|
+| Member server effective default settings | Not defined|
+| Client computer effective default settings | Not defined|
+
## Policy management
This section describes different features and tools available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
index 34f17b6527..a00661af55 100644
--- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
@@ -8,7 +8,7 @@ manager: aaroncz
ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 06/07/2023
---
diff --git a/windows/security/threat-protection/security-policy-settings/password-policy.md b/windows/security/threat-protection/security-policy-settings/password-policy.md
index 70396092e7..1d6e578b5c 100644
--- a/windows/security/threat-protection/security-policy-settings/password-policy.md
+++ b/windows/security/threat-protection/security-policy-settings/password-policy.md
@@ -1,8 +1,8 @@
---
-title: Password Policy
+title: Password Policy
description: An overview of password policies for Windows and links to information for each policy setting.
ms.assetid: aec1220d-a875-4575-9050-f02f9c54a3b6
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -50,14 +50,14 @@ The following topics provide a discussion of password policy implementation and
| Topic | Description |
| - | - |
-| [Enforce password history](enforce-password-history.md)| Describes the best practices, location, values, policy management, and security considerations for the **Enforce password history** security policy setting.|
-| [Maximum password age](maximum-password-age.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum password age** security policy setting.|
-| [Minimum password age](minimum-password-age.md) | Describes the best practices, location, values, policy management, and security considerations for the **Minimum password age** security policy setting.|
-| [Minimum password length](minimum-password-length.md) | Describes the best practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting.|
+| [Enforce password history](enforce-password-history.md)| Describes the best practices, location, values, policy management, and security considerations for the **Enforce password history** security policy setting.|
+| [Maximum password age](maximum-password-age.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum password age** security policy setting.|
+| [Minimum password age](minimum-password-age.md) | Describes the best practices, location, values, policy management, and security considerations for the **Minimum password age** security policy setting.|
+| [Minimum password length](minimum-password-length.md) | Describes the best practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting.|
| [Password must meet complexity requirements](password-must-meet-complexity-requirements.md) | Describes the best practices, location, values, and security considerations for the **Password must meet complexity requirements** security policy setting.|
-| [Store passwords using reversible encryption](store-passwords-using-reversible-encryption.md) | Describes the best practices, location, values, and security considerations for the **Store passwords using reversible encryption** security policy setting.|
-
+| [Store passwords using reversible encryption](store-passwords-using-reversible-encryption.md) | Describes the best practices, location, values, and security considerations for the **Store passwords using reversible encryption** security policy setting.|
+
## Related topics
- [Configure security policy settings](how-to-configure-security-policy-settings.md)
-
+
diff --git a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md
index e74ff5c974..15ffdec99c 100644
--- a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md
+++ b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md
@@ -1,8 +1,8 @@
---
-title: Perform volume maintenance tasks
+title: Perform volume maintenance tasks
description: Describes the best practices, location, values, policy management, and security considerations for the Perform volume maintenance tasks security policy setting.
ms.assetid: b6990813-3898-43e2-8221-c9c06d893244
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -54,13 +54,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Administrators|
-| Stand-Alone Server Default Settings | Administrators|
-| DC Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Administrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Administrators|
+| Stand-Alone Server Default Settings | Administrators|
+| DC Effective Default Settings | Administrators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings | Administrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/profile-single-process.md b/windows/security/threat-protection/security-policy-settings/profile-single-process.md
index f77e48438c..2bdc87455f 100644
--- a/windows/security/threat-protection/security-policy-settings/profile-single-process.md
+++ b/windows/security/threat-protection/security-policy-settings/profile-single-process.md
@@ -1,8 +1,8 @@
---
-title: Profile single process
+title: Profile single process
description: Describes the best practices, location, values, policy management, and security considerations for the Profile single process security policy setting.
ms.assetid: c0963de4-4f5e-430e-bfcd-dfd68e66a075
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Administrators|
-| Stand-Alone Server Default Settings | Administrators|
-| Domain Controller Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings| Administrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Administrators|
+| Stand-Alone Server Default Settings | Administrators|
+| Domain Controller Effective Default Settings | Administrators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings| Administrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
index 9c7b9de8c4..6be8f9269b 100644
--- a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
+++ b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
@@ -1,8 +1,8 @@
---
-title: Profile system performance
+title: Profile system performance
description: Best practices, location, values, policy management, and security considerations for the security policy setting, Profile system performance.
ms.assetid: ffabc3c5-9206-4105-94ea-84f597a54b2e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Administrators|
-| Stand-Alone Server Default Settings | Administrators|
-| Domain Controller Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Administrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Administrators|
+| Stand-Alone Server Default Settings | Administrators|
+| Domain Controller Effective Default Settings | Administrators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings | Administrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
index 34e5e2b851..590b49f09b 100644
--- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
+++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
@@ -1,8 +1,8 @@
---
-title: Recovery console Allow automatic administrative logon
+title: Recovery console Allow automatic administrative logon
description: Best practices, location, values, policy management, and security considerations for the policy setting, Recovery console Allow automatic administrative logon.
ms.assetid: be2498fc-48f4-43f3-ad09-74664e45e596
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -59,13 +59,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy| Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy| Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
index fdb56ca78e..08ca6beb3f 100644
--- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
+++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
@@ -1,8 +1,8 @@
---
-title: Recovery console Allow floppy copy and access to all drives and folders
+title: Recovery console Allow floppy copy and access to all drives and folders
description: Best practices, security considerations, and more for the policy setting, Recovery console Allow floppy copy and access to all drives and folders.
ms.assetid: a5b4ac0c-f33d-42b5-a866-72afa7cbd0bd
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -56,13 +56,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md
index c0f395231c..253213f2c1 100644
--- a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md
+++ b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md
@@ -1,8 +1,8 @@
---
-title: Remove computer from docking station - security policy setting
+title: Remove computer from docking station - security policy setting
description: Describes the best practices, location, values, policy management, and security considerations for the Remove computer from docking station security policy setting.
ms.assetid: 229a385a-a862-4973-899a-413b1b5b6c30
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -54,13 +54,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Administrators|
-| Stand-Alone Server Default Settings | Administrators|
-| Domain Controller Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Administrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Administrators|
+| Stand-Alone Server Default Settings | Administrators|
+| Domain Controller Effective Default Settings | Administrators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings | Administrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md
index 5079dab92d..d180d2acea 100644
--- a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md
+++ b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md
@@ -1,8 +1,8 @@
---
-title: Replace a process level token
+title: Replace a process level token
description: Describes the best practices, location, values, policy management, and security considerations for the Replace a process level token security policy setting.
ms.assetid: 5add02db-6339-489e-ba21-ccc3ccbe8745
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -57,13 +57,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
+| Default Domain Policy| Not defined|
| Default Domain Controller Policy | Network Service
Local Service |
-| Stand-Alone Server Default Settings | Network Service
Local Service|
-| Domain Controller Effective Default Settings | Network Service
Local Service|
-| Member Server Effective Default Settings | Network Service
Local Service|
-| Client Computer Effective Default Settings | Network Service
Local Service|
-
+| Stand-Alone Server Default Settings | Network Service
Local Service|
+| Domain Controller Effective Default Settings | Network Service
Local Service|
+| Member Server Effective Default Settings | Network Service
Local Service|
+| Client Computer Effective Default Settings | Network Service
Local Service|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
index ec962f77e0..44c6716d50 100644
--- a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
+++ b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
@@ -1,8 +1,8 @@
---
-title: Reset account lockout counter after
+title: Reset account lockout counter after
description: Describes the best practices, location, values, and security considerations for the Reset account lockout counter after security policy setting.
ms.assetid: d5ccf6dd-5ba7-44a9-8e0b-c478d8b1442c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 11/02/2018
ms.technology: itpro-security
---
@@ -38,7 +38,7 @@ The disadvantage of a high setting is that users lock themselves out for an inco
### Best practices
-Determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements.
+Determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements.
[Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) recommend configuring the **Reset account lockout counter after** policy setting to 15, but as with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout).
@@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not applicable|
-| Domain controller effective default settings | Not defined|
-| Member server effective default settings | Not defined|
-| Client computer effective default settings | Not applicable|
-
+| Default domain policy| Not defined|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not applicable|
+| Domain controller effective default settings | Not defined|
+| Member server effective default settings | Not defined|
+| Client computer effective default settings | Not applicable|
+
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
diff --git a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md
index ca2b72c717..f970ac8154 100644
--- a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md
+++ b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md
@@ -1,8 +1,8 @@
---
-title: Restore files and directories - security policy setting
+title: Restore files and directories - security policy setting
description: Describes the best practices, location, values, policy management, and security considerations for the Restore files and directories security policy setting.
ms.assetid: c673c0fa-6f49-4edd-8c1f-c5e8513f701d
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -58,13 +58,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-|Default Domain Policy | |
-| Default Domain Controller Policy| Administrators
Backup Operators
Server Operators|
-| Stand-Alone Server Default Settings | Administrators
Backup Operators|
-| Domain Controller Effective Default Settings | Administrators
Backup Operators
Server Operators|
-| Member Server Effective Default Settings | Administrators
Backup Operators|
-| Client Computer Effective Default Settings | Administrators
Backup Operators|
-
+|Default Domain Policy | |
+| Default Domain Controller Policy| Administrators
Backup Operators
Server Operators|
+| Stand-Alone Server Default Settings | Administrators
Backup Operators|
+| Domain Controller Effective Default Settings | Administrators
Backup Operators
Server Operators|
+| Member Server Effective Default Settings | Administrators
Backup Operators|
+| Client Computer Effective Default Settings | Administrators
Backup Operators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -93,7 +93,7 @@ This section describes how an attacker might exploit a feature or its configurat
An attacker with the **Restore files and directories** user right could restore sensitive data to a computer and overwrite data that is more recent, which could lead to loss of important data, data corruption, or a denial-of-service condition. Attackers could overwrite executable files that are used by legitimate administrators or system services with versions that include malicious software to grant themselves elevated privileges, compromise data, or install programs that provide continued access to the device
>**Note:** Even if the following countermeasure is configured, an attacker could restore data to a computer in a domain that is controlled by the attacker. Therefore, it is critical that organizations carefully protect the media that are used to back up data.
-
+
### Countermeasure
Ensure that only the local Administrators group is assigned the **Restore files and directories** user right unless your organization has clearly defined roles for backup and for restore personnel.
diff --git a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
index 7efca79530..78ea3fcb09 100644
--- a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
@@ -1,8 +1,8 @@
---
-title: Advanced security audit policy settings in brief
+title: Advanced security audit policy settings in brief
description: Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate.
ms.assetid: 6BF9A642-DBC3-4101-94A3-B2316C553CE3
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/security-options.md b/windows/security/threat-protection/security-policy-settings/security-options.md
index 39d6b0489e..de522cb6d3 100644
--- a/windows/security/threat-protection/security-policy-settings/security-options.md
+++ b/windows/security/threat-protection/security-policy-settings/security-options.md
@@ -1,7 +1,7 @@
---
title: Security options
description: Introduction to the Security Options settings of the local security policies plus links to more information.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.prod: windows-client
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
ms.date: 01/13/2023
ms.technology: itpro-security
-ms.topic: conceptual
+ms.topic: reference
---
# Security Options
diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md
index 259ebfec01..9db7d59a20 100644
--- a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md
+++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md
@@ -1,8 +1,8 @@
---
-title: Security policy settings reference
+title: Security policy settings reference
description: This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.
ms.assetid: ef5a4579-15a8-4507-9a43-b7ccddcb0ed1
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -33,10 +33,10 @@ Each policy setting described contains referential content such as a detailed ex
| Topic | Description |
| - | - |
-| [Account Policies](account-policies.md) | An overview of account policies in Windows and provides links to policy descriptions.|
-| [Audit Policy](audit-policy.md) | Provides information about basic audit policies that are available in Windows and links to information about each setting.|
-| [Security Options](security-options.md) | Provides an introduction to the settings under **Security Options** of the local security policies and links to information about each setting.|
-| [Advanced security audit policy settings](secpol-advanced-security-audit-policy-settings.md) | Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate.|
+| [Account Policies](account-policies.md) | An overview of account policies in Windows and provides links to policy descriptions.|
+| [Audit Policy](audit-policy.md) | Provides information about basic audit policies that are available in Windows and links to information about each setting.|
+| [Security Options](security-options.md) | Provides an introduction to the settings under **Security Options** of the local security policies and links to information about each setting.|
+| [Advanced security audit policy settings](secpol-advanced-security-audit-policy-settings.md) | Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate.|
| [User Rights Assignment](user-rights-assignment.md) | Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows. |
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
index 397c3a1138..062aa06d3d 100644
--- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
@@ -1,8 +1,8 @@
---
-title: Security policy settings
+title: Security policy settings
description: This reference topic describes the common scenarios, architecture, and processes for security settings.
ms.assetid: e7ac5204-7f6c-4708-a9f6-6af712ca43b9
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md
index f6a3fe8228..def26ab7ef 100644
--- a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md
+++ b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md
@@ -1,8 +1,8 @@
---
-title: Shut down the system - security policy setting
+title: Shut down the system - security policy setting
description: Describes the best practices, location, values, policy management, and security considerations for the Shut down the system security policy setting.
ms.assetid: c8e8f890-153a-401e-a957-ba6a130304bf
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -58,13 +58,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Administrators
Backup Operators
Server Operators
Print Operators|
-| Stand-Alone Server Default Settings | Administrators
Backup Operators|
-| Domain Controller Effective Default Settings | Administrators
Backup Operators
Server Operators
Print Operators|
-| Member Server Effective Default Settings | Administrators
Backup Operators|
-| Client Computer Effective Default Settings | Administrators
Backup Operators
Users|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Administrators
Backup Operators
Server Operators
Print Operators|
+| Stand-Alone Server Default Settings | Administrators
Backup Operators|
+| Domain Controller Effective Default Settings | Administrators
Backup Operators
Server Operators
Print Operators|
+| Member Server Effective Default Settings | Administrators
Backup Operators|
+| Client Computer Effective Default Settings | Administrators
Backup Operators
Users|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
index a21dde7fda..672e91297b 100644
--- a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
@@ -1,8 +1,8 @@
---
-title: Shutdown Allow system to be shut down without having to log on
+title: Shutdown Allow system to be shut down without having to log on
description: Best practices, security considerations, and more for the security policy setting Shutdown Allow system to be shut down without having to log on.
ms.assetid: f3964767-5377-4416-8eb3-e14d553a7315
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management, and security
This policy setting determines whether you can shut down a device without having to sign in to Windows. When you enable it, the **Shut Down** option is available on the sign-in screen in Windows. If you disable this setting, the **Shut Down** option is removed from the screen. To use the option, the user must sign in on the device successfully and have the **Shut down the system** user right.
-Users who access the console locally can shut down the system. Attackers or misguided users can connect to the server by using Remote Desktop Services, and then shut it down or restart it without having to identify themselves. A malicious user might also cause a temporary denial-of-service
+Users who access the console locally can shut down the system. Attackers or misguided users can connect to the server by using Remote Desktop Services, and then shut it down or restart it without having to identify themselves. A malicious user might also cause a temporary denial-of-service
condition from a local console by restarting or shutting down the server.
### Possible values
@@ -59,13 +59,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
index 7c6df9fb82..b40140dc0f 100644
--- a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
+++ b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
@@ -1,8 +1,8 @@
---
-title: Shutdown Clear virtual memory pagefile
+title: Shutdown Clear virtual memory pagefile
description: Describes the best practices, location, values, policy management and security considerations for the Shutdown Clear virtual memory pagefile security policy setting.
ms.assetid: 31400078-6c56-4891-a6df-6dfb403c4bc9
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,12 +12,12 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 08/01/2017
ms.technology: itpro-security
---
-# Shutdown: Clear virtual memory pagefile
+# Shutdown: Clear virtual memory pagefile
**Applies to**
- Windows 11
@@ -54,13 +54,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -78,7 +78,7 @@ This section describes how an attacker might exploit a feature or its configurat
Important information that is kept in real memory may be written periodically to the paging file to help Windows handle multitasking functions. An attacker who has physical access to a server that has been shut down could view the contents of the paging file. The attacker could move the system volume into a different device and then analyze the contents of the paging file. Although this process is time consuming, it could expose data that is cached from random access memory (RAM) to the paging file.
>**Caution:** An attacker who has physical access to the device could bypass this countermeasure by unplugging the computer from its power source.
-
+
### Countermeasure
Enable the **Shutdown: Clear virtual memory page file** setting. This configuration causes the operating system to clear the paging file when the device is shut down. The amount of time that is required to complete this process depends on the size of the page file. Because the process overwrites the storage area that is used by the page file several times, it could be several minutes before the device completely shuts down.
diff --git a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md
index adb43f0fea..6b4584688f 100644
--- a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md
+++ b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md
@@ -1,8 +1,8 @@
---
-title: Store passwords using reversible encryption
+title: Store passwords using reversible encryption
description: Describes the best practices, location, values, and security considerations for the Store passwords using reversible encryption security policy setting.
ms.assetid: 57f958c2-f1e9-48bf-871b-0a9b3299e238
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -29,7 +29,7 @@ Describes the best practices, location, values, and security considerations for
The **Store password using reversible encryption** policy setting provides support for applications that use protocols that require the user's password for authentication. Storing encrypted passwords in a way that is reversible means that the encrypted passwords can be decrypted. A knowledgeable attacker who is able to break this encryption can then sign in to network resources by using the compromised account. For this reason, never enable **Store password using reversible encryption** for all users in the domain unless application requirements outweigh the need to protect password information.
-If you use the Challenge Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Services (IAS), you must enable this policy setting. CHAP is an authentication protocol that is used by remote access and network connections. Digest Authentication in Internet
+If you use the Challenge Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Services (IAS), you must enable this policy setting. CHAP is an authentication protocol that is used by remote access and network connections. Digest Authentication in Internet
Information Services (IIS) also requires that you enable this policy setting.
### Possible values
@@ -42,7 +42,7 @@ Information Services (IIS) also requires that you enable this policy setting.
Set the value for **Store password using reversible encryption** to Disabled. If you use CHAP through remote access or IAS, or Digest Authentication in IIS, you must set this value to **Enabled**. This setting presents a security risk when you apply the setting by using Group Policy on a user-by-user basis because it requires opening the appropriate user account object in Active Directory Users and Computers.
>**Note:** Do not enable this policy setting unless business requirements outweigh the need to protect password information.
-
+
### Location
**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\**
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default domain policy| Disabled|
-| Default domain controller policy| Disabled|
-| Stand-alone server default settings | Disabled|
-| Domain controller effective default settings | Disabled|
-| Member server effective default settings | Disabled|
-| Effective GPO default settings on client computers | Disabled|
-
+| Default domain policy| Disabled|
+| Default domain controller policy| Disabled|
+| Stand-alone server default settings | Disabled|
+| Domain controller effective default settings | Disabled|
+| Member server effective default settings | Disabled|
+| Effective GPO default settings on client computers | Disabled|
+
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
diff --git a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md
index 3949729b08..6744567fe3 100644
--- a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md
+++ b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md
@@ -1,8 +1,8 @@
---
-title: Synchronize directory service data
+title: Synchronize directory service data
description: Describes the best practices, location, values, policy management, and security considerations for the Synchronize directory service data security policy setting.
ms.assetid: 97b0aaa4-674f-40f4-8974-b4bfb12c232c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| Domain Controller Effective Default Settings | Enabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| Domain Controller Effective Default Settings | Enabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
index ce8f451033..597b9027a0 100644
--- a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
+++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
@@ -1,8 +1,8 @@
---
-title: System cryptography Force strong key protection for user keys stored on the computer
+title: System cryptography Force strong key protection for user keys stored on the computer
description: Best practices, security considerations, and more for the policy setting, System cryptography Force strong key protection for user keys stored on the computer.
ms.assetid: 8cbff267-881e-4bf6-920d-b583a5ff7de0
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| DC Effective Default Settings | Not defined|
-| Member Server Effective Default Settings | Not defined|
-| Client Computer Effective Default Settings| Not defined|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| DC Effective Default Settings | Not defined|
+| Member Server Effective Default Settings | Not defined|
+| Client Computer Effective Default Settings| Not defined|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
index 2d223e79b3..d660ac1952 100644
--- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
+++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
@@ -1,8 +1,8 @@
---
-title: System cryptography Use FIPS compliant algorithms for encryption, hashing, and signing
+title: System cryptography Use FIPS compliant algorithms for encryption, hashing, and signing
description: Best practices, security considerations, and more for the policy setting System cryptography Use FIPS compliant algorithms for encryption, hashing, and signing
ms.assetid: 83988865-dc0f-45eb-90d1-ee33495eb045
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 11/16/2018
ms.technology: itpro-security
---
@@ -27,12 +27,12 @@ This security policy reference topic for the IT professional describes the best
## Reference
-The Federal Information Processing Standard (FIPS) 140 is a security implementation that is designed for certifying cryptographic software. Windows implements these certified algorithms to meet the requirements and standards for cryptographic modules for use by departments and agencies of the
+The Federal Information Processing Standard (FIPS) 140 is a security implementation that is designed for certifying cryptographic software. Windows implements these certified algorithms to meet the requirements and standards for cryptographic modules for use by departments and agencies of the
United States federal government.
**TLS/SSL**
-This policy setting determines whether the TLS/SSL security provider supports only the FIPS-compliant strong cipher suite known as TLS\_RSA\_WITH\_3DES\_EDE\_CBC\_SHA, which means that the provider only supports the TLS protocol as a client computer and as a server, if applicable. It uses only the
+This policy setting determines whether the TLS/SSL security provider supports only the FIPS-compliant strong cipher suite known as TLS\_RSA\_WITH\_3DES\_EDE\_CBC\_SHA, which means that the provider only supports the TLS protocol as a client computer and as a server, if applicable. It uses only the
Triple Data Encryption Standard (3DES) encryption algorithm for the TLS traffic encryption, only the Rivest-Shamir-Adleman (RSA) public key algorithm for the TLS key exchange and authentication, and only the Secure Hash Algorithm version 1 (SHA-1) hashing algorithm for the TLS hashing requirements.
**Encrypting File System (EFS)**
@@ -71,13 +71,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
### Operating system version differences
When this setting is enabled, the Encrypting File System (EFS) service supports only the Triple DES encryption algorithm for encrypting file data. By default, the Windows Vista and the Windows Server 2003 implementation of EFS uses the Advanced Encryption Standard (AES) with a 256-bit key. The Windows XP implementation uses DESX.
@@ -86,11 +86,11 @@ When this setting is enabled, BitLocker generates recovery password or recovery
| Operating systems | Applicability |
| - | - |
-| Windows 10, Windows 8.1, and Windows Server 2012 R2| When created on these operating systems, the recovery password can't be used on other systems listed in this table.|
-| Windows Server 2012 and Windows 8 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.|
-| Windows Server 2008 R2 and Windows 7 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.|
-| Windows Server 2008 and Windows Vista | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.|
-
+| Windows 10, Windows 8.1, and Windows Server 2012 R2| When created on these operating systems, the recovery password can't be used on other systems listed in this table.|
+| Windows Server 2012 and Windows 8 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.|
+| Windows Server 2008 R2 and Windows 7 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.|
+| Windows Server 2008 and Windows Vista | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -117,7 +117,7 @@ Enable the **System cryptography: Use FIPS compliant algorithms for encryption,
### Potential impact
-Client devices that have this policy setting enabled can't communicate through digitally encrypted or signed protocols with servers that don't support these algorithms. Network clients that don't support these algorithms can't use servers that require them for network communications. For example, many Apache-based Web servers aren't configured to support TLS. If you enable this setting, you must also configure Internet Explorer® to use TLS. This policy setting also affects the encryption level that is used for the Remote Desktop Protocol (RDP). The Remote Desktop Connection tool
+Client devices that have this policy setting enabled can't communicate through digitally encrypted or signed protocols with servers that don't support these algorithms. Network clients that don't support these algorithms can't use servers that require them for network communications. For example, many Apache-based Web servers aren't configured to support TLS. If you enable this setting, you must also configure Internet Explorer® to use TLS. This policy setting also affects the encryption level that is used for the Remote Desktop Protocol (RDP). The Remote Desktop Connection tool
uses the RDP protocol to communicate with servers that run Terminal Services and client computers that are configured for remote control; RDP connections fail if both devices aren't configured to use the same encryption algorithms.
## Related topics
diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
index ae93fe4482..3694fe2434 100644
--- a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
+++ b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
@@ -1,8 +1,8 @@
---
-title: System objects Require case insensitivity for non-Windows subsystems
+title: System objects Require case insensitivity for non-Windows subsystems
description: Best practices, security considerations and more for the security policy setting, System objects Require case insensitivity for non-Windows subsystems.
ms.assetid: 340d6769-8f33-4067-8470-1458978d1522
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -57,13 +57,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
index 74bf9dee10..8358279b2d 100644
--- a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
@@ -1,8 +1,8 @@
---
-title: System objects Strengthen default permissions of internal system objects (for example, Symbolic Links)
+title: System objects Strengthen default permissions of internal system objects (for example, Symbolic Links)
description: Best practices and more for the security policy setting, System objects Strengthen default permissions of internal system objects (for example, Symbolic Links).
ms.assetid: 3a592097-9cf5-4fd0-a504-7cbfab050bb6
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -49,13 +49,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
| Stand-Alone Server Default Settings | Enabled |
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md
index af54bf48ab..ef7ca4315a 100644
--- a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md
+++ b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md
@@ -1,8 +1,8 @@
---
-title: System settings Optional subsystems
+title: System settings Optional subsystems
description: Describes the best practices, location, values, policy management, and security considerations for the System settings Optional subsystems security policy setting.
ms.assetid: 5cb6519a-4f84-4b45-8072-e2aa8a72fb78
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -50,13 +50,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | POSIX|
-| DC Effective Default Settings | POSIX|
-| Member Server Effective Default Settings| POSIX|
-| Client Computer Effective Default Settings | POSIX|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | POSIX|
+| DC Effective Default Settings | POSIX|
+| Member Server Effective Default Settings| POSIX|
+| Client Computer Effective Default Settings | POSIX|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
index 81fce5ee99..fee999b57a 100644
--- a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
+++ b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
@@ -1,8 +1,8 @@
---
-title: System settings Use certificate rules on Windows executables for Software Restriction Policies
+title: System settings Use certificate rules on Windows executables for Software Restriction Policies
description: Best practices and more for the security policy setting, System settings Use certificate rules on Windows executables for Software Restriction Policies.
ms.assetid: 2380d93b-b553-4e56-a0c0-d1ef740d089c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -37,7 +37,7 @@ This policy setting determines whether digital certificates are processed when s
### Best practices
-- Set this policy to **Enabled**. Enabling certificate rules results in software restriction policies checking a certificate revocation list (CRL) to make sure that the software's certificate and signature are valid. When you start signed programs, this setting can decrease system performance.
+- Set this policy to **Enabled**. Enabling certificate rules results in software restriction policies checking a certificate revocation list (CRL) to make sure that the software's certificate and signature are valid. When you start signed programs, this setting can decrease system performance.
You can disable CRLs by editing the software restriction policies in the desired GPO. In the **Trusted Publishers Properties** dialog box, clear the **Publisher** and **Timestamp** check boxes.
### Location
@@ -50,13 +50,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
| Stand-Alone Server Default Settings | Disabled |
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md
index 179d04747b..39152767a9 100644
--- a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md
@@ -1,8 +1,8 @@
---
-title: Take ownership of files or other objects
+title: Take ownership of files or other objects
description: Describes the best practices, location, values, policy management, and security considerations for the Take ownership of files or other objects security policy setting.
ms.assetid: cb8595d1-74cc-4176-bb15-d97663eebb2d
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -56,13 +56,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Administrators|
-| Stand-Alone Server Default Settings | Administrators|
-| Domain Controller Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Administrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Administrators|
+| Stand-Alone Server Default Settings | Administrators|
+| Domain Controller Effective Default Settings | Administrators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings | Administrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -100,7 +100,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-Any users with the **Take ownership of files or other objects user right** can take control of any object, regardless of the permissions on that object, and then make any changes that they want to make to that object. Such changes could result in exposure of data, corruption of data, or a
+Any users with the **Take ownership of files or other objects user right** can take control of any object, regardless of the permissions on that object, and then make any changes that they want to make to that object. Such changes could result in exposure of data, corruption of data, or a
denial-of-service condition.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
index d4b0a95f6a..58989112e3 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
@@ -1,8 +1,8 @@
---
-title: User Account Control Admin Approval Mode for the Built-in Administrator account
+title: User Account Control Admin Approval Mode for the Built-in Administrator account
description: Best practices, security considerations, and more for the policy setting, User Account Control Admin Approval Mode for the Built-in Administrator account.
ms.assetid: d465fc27-1cd2-498b-9cf6-7ad2276e5998
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/08/2017
ms.technology: itpro-security
---
@@ -31,7 +31,7 @@ When the Admin Approval Mode is enabled, the local administrator account functio
> [!NOTE]
> If a computer is upgraded from a previous version of the Windows operating system, and the administrator account is the only account on the computer, the built-in administrator account remains enabled, and this setting is also enabled.
-
+
### Possible values
- Enabled
@@ -49,7 +49,7 @@ When the Admin Approval Mode is enabled, the local administrator account functio
To enable Admin Approval Mode, you must also configure the local security policy setting: [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) to **Prompt for consent on the secure desktop** and then click OK.
> [!NOTE]
-> After enabling Admin Approval Mode, to activate the setting, you must first log in and out. Alternatively, You may perform **gpupdate /force** from an elevated command prompt.
+> After enabling Admin Approval Mode, to activate the setting, you must first log in and out. Alternatively, You may perform **gpupdate /force** from an elevated command prompt.
### Location
@@ -62,12 +62,12 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
index 4d0f0eac5b..eb9a42ffeb 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
@@ -1,8 +1,8 @@
---
-title: User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop
+title: User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop
description: Best practices and more for the policy setting, User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop.
ms.assetid: fce20472-3c93-449d-b520-13c4c74a9892
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -30,7 +30,7 @@ Describes the best practices, location, values, and security considerations for
This security setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
>**Note:** This setting does not change the behavior of the UAC elevation prompt for administrators.
-
+
**Background**
User Interface Privilege Isolation (UIPI) implements restrictions in the Windows subsystem that prevent lower-privilege applications from sending messages or installing hooks in higher-privilege processes. Higher-privilege applications are permitted to send messages to lower-privilege processes. UIPI doesn't interfere with or change the behavior of messages between applications at the same privilege (or integrity) level.
@@ -39,7 +39,7 @@ Microsoft UI Automation is the current model to support accessibility requiremen
However, there might be times when an administrative user runs an application with elevated privilege based on UAC in Admin Approval Mode. Microsoft UI Automation can't drive the UI graphics of elevated applications on the desktop without the ability to bypass the restrictions that UIPI implements. The ability to bypass UIPI restrictions across privilege levels is available for UI automation programs by using UIAccess.
-If an application presents a UIAccess attribute when it requests privileges, the application is stating a requirement to bypass UIPI restrictions for sending messages across privilege levels. Devices implement the following policy
+If an application presents a UIAccess attribute when it requests privileges, the application is stating a requirement to bypass UIPI restrictions for sending messages across privilege levels. Devices implement the following policy
checks before starting an application with UIAccess privilege.
1. The application must have a digital signature that can be verified by using a digital certificate that is associated with the Trusted Root Certification Authorities store on the local computer.
@@ -78,13 +78,13 @@ The following table lists the actual and effective default values for this polic
Server type or GPO| Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
index b5175062ac..8acd28314d 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
@@ -1,8 +1,8 @@
---
-title: User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode
+title: User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode
description: Best practices and more for the security policy setting, User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode.
ms.assetid: 46a3c3a2-1d2e-4a6f-b5e6-29f9592f535d
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/08/2017
ms.technology: itpro-security
---
@@ -36,7 +36,7 @@ This policy setting determines the behavior of the elevation prompt for accounts
Assumes that the administrator will permit an operation that requires elevation, and more consent or credentials aren't required.
**Note** Selecting **Elevate without prompting** minimizes the protection that is provided by UAC. We don't recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure.
-
+
- **Prompt for credentials on the secure desktop**
When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
@@ -60,7 +60,7 @@ This policy setting determines the behavior of the elevation prompt for accounts
\*If you've enabled the built-in Administrator account and have configured Admin Approval Mode, you must also configure the option **Prompt for consent on the secure desktop**. You can also configure this option from User Account Control, by typing **UAC** in the search box. From the User Account Control Settings dialog box, set the slider control to **Notify me only when apps try to make changes to my computer (default)**.
> [!NOTE]
-> After enabling Admin Approval Mode, to activate the setting, you must first log in and out. Alternatively, You may perform **gpupdate /force** from an elevated command prompt.
+> After enabling Admin Approval Mode, to activate the setting, you must first log in and out. Alternatively, You may perform **gpupdate /force** from an elevated command prompt.
### Best practices
@@ -77,13 +77,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
+| Default Domain Policy | Not defined|
| Default Domain Controller Policy | Not defined |
-| Stand-Alone Server Default Settings | Prompt for consent for non-Windows binaries|
-| DC Effective Default Settings | Prompt for consent for non-Windows binaries|
-| Member Server Effective Default Settings | Prompt for consent for non-Windows binaries|
-| Client Computer Effective Default Settings | Prompt for consent for non-Windows binaries|
-
+| Stand-Alone Server Default Settings | Prompt for consent for non-Windows binaries|
+| DC Effective Default Settings | Prompt for consent for non-Windows binaries|
+| Member Server Effective Default Settings | Prompt for consent for non-Windows binaries|
+| Client Computer Effective Default Settings | Prompt for consent for non-Windows binaries|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
index 1d3ea2ed65..6a471c51bb 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
@@ -5,7 +5,7 @@ ms.author: vinpa
ms.prod: windows-client
author: vinaypamnani-msft
manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
ms.date: 01/18/2023
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md
index b18e302adf..ea22f7f177 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md
@@ -1,8 +1,8 @@
---
-title: User Account Control Detect application installations and prompt for elevation
+title: User Account Control Detect application installations and prompt for elevation
description: Learn about best practices and more for the security policy setting, User Account Control Detect application installations and prompt for elevation.
ms.assetid: 3f8cb170-ba77-4c9f-abb3-c3ed1ef264fc
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -55,13 +55,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
index e7e8643f8e..92d124a4f7 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
@@ -1,8 +1,8 @@
---
-title: User Account Control Only elevate executables that are signed and validated
+title: User Account Control Only elevate executables that are signed and validated
description: Best practices, security considerations, and more for the security policy setting, User Account Control Only elevate executables that are signed and validated.
ms.assetid: 64950a95-6985-4db6-9905-1db18557352d
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -58,13 +58,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
index 564d86f514..4aad366985 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
@@ -1,8 +1,8 @@
---
-title: Only elevate UIAccess app installed in secure location
+title: Only elevate UIAccess app installed in secure location
description: Learn about best practices and more for the policy setting, User Account Control Only elevate UIAccess applications that are installed in secure locations.
ms.assetid: 4333409e-a5be-4f2f-8808-618f53abd22c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -34,7 +34,7 @@ This policy setting enforces the requirement that apps that request running with
- \\Program Files (x86)\\ including subdirectories for 64-bit versions of Windows
>**Note:** Windows enforces a PKI signature check on any interactive application that requests running with a UIAccess integrity level, regardless of the state of this security setting.
-
+
**Background**
User Interface Privilege Isolation (UIPI) implements restrictions in the Windows subsystem that prevent lower-privilege applications from sending messages or installing hooks in higher-privilege processes. Higher-privilege applications are permitted to send messages to lower-privilege processes. UIPI doesn't interfere with or change the behavior of messages between applications at the same privilege (or integrity) level.
@@ -75,13 +75,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
index 8502ded0f0..97d8752204 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
index 90d853997d..9059607fe2 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
@@ -1,8 +1,8 @@
---
-title: User Account Control Switch to the secure desktop when prompting for elevation
+title: User Account Control Switch to the secure desktop when prompting for elevation
description: Best practices, security considerations, and more for the policy setting, User Account Control Switch to the secure desktop when prompting for elevation.
ms.assetid: 77a067db-c70d-4b02-9861-027503311b8b
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -45,7 +45,7 @@ The secure desktop’s primary difference from the user desktop is that only tru
### Best practices
-- Enable the **User Account Control: Switch to the secure desktop when prompting for elevation setting**. The secure desktop helps protect against input and output spoofing by presenting the credentials dialog box in a protected section of memory that is accessible only by trusted system
+- Enable the **User Account Control: Switch to the secure desktop when prompting for elevation setting**. The secure desktop helps protect against input and output spoofing by presenting the credentials dialog box in a protected section of memory that is accessible only by trusted system
processes.
### Location
@@ -58,13 +58,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
index e7bf8758a8..adb9f83c7e 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
@@ -1,8 +1,8 @@
---
-title: User Account Control Virtualize file and registry write failures to per-user locations
+title: User Account Control Virtualize file and registry write failures to per-user locations
description: Best practices, security considerations and more for the policy setting, User Account Control Virtualize file and registry write failures to per-user locations.
ms.assetid: a7b47420-cc41-4b1c-b03e-f67a05221261
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -56,13 +56,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value|
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
index 17f39e5b1f..3ca31c4fe8 100644
--- a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
+++ b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
@@ -1,8 +1,8 @@
---
-title: User Rights Assignment
+title: User Rights Assignment
description: Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows.
ms.assetid: 99340252-60be-4c79-b0a5-56fbe1a9b0c5
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 12/16/2021
ms.technology: itpro-security
---
@@ -29,7 +29,7 @@ ms.technology: itpro-security
Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows.
User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the **User Rights Assignment** item.
-Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under
+Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under
**Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment**, or on the local device by using the Local Group Policy Editor (gpedit.msc).
For information about setting security policies, see [Configure security policy settings](how-to-configure-security-policy-settings.md).
@@ -38,53 +38,53 @@ The following table links to each security policy setting and provides the const
| Group Policy Setting | Constant Name |
| - | - |
-| [Access Credential Manager as a trusted caller](access-credential-manager-as-a-trusted-caller.md) | SeTrustedCredManAccessPrivilege|
-| [Access this computer from the network](access-this-computer-from-the-network.md) | SeNetworkLogonRight|
-| [Act as part of the operating system](act-as-part-of-the-operating-system.md) | SeTcbPrivilege|
-| [Add workstations to domain](add-workstations-to-domain.md) | SeMachineAccountPrivilege|
-| [Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md) | SeIncreaseQuotaPrivilege|
-| [Allow log on locally](allow-log-on-locally.md) | SeInteractiveLogonRight|
+| [Access Credential Manager as a trusted caller](access-credential-manager-as-a-trusted-caller.md) | SeTrustedCredManAccessPrivilege|
+| [Access this computer from the network](access-this-computer-from-the-network.md) | SeNetworkLogonRight|
+| [Act as part of the operating system](act-as-part-of-the-operating-system.md) | SeTcbPrivilege|
+| [Add workstations to domain](add-workstations-to-domain.md) | SeMachineAccountPrivilege|
+| [Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md) | SeIncreaseQuotaPrivilege|
+| [Allow log on locally](allow-log-on-locally.md) | SeInteractiveLogonRight|
| [Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md)| SeRemoteInteractiveLogonRight|
-| [Back up files and directories](back-up-files-and-directories.md) | SeBackupPrivilege|
-| [Bypass traverse checking](bypass-traverse-checking.md) | SeChangeNotifyPrivilege|
-| [Change the system time](change-the-system-time.md) | SeSystemtimePrivilege|
-| [Change the time zone](change-the-time-zone.md) | SeTimeZonePrivilege|
-| [Create a pagefile](create-a-pagefile.md) | SeCreatePagefilePrivilege|
-| [Create a token object](create-a-token-object.md) | SeCreateTokenPrivilege|
-| [Create global objects](create-global-objects.md) | SeCreateGlobalPrivilege|
-| [Create permanent shared objects](create-permanent-shared-objects.md) | SeCreatePermanentPrivilege|
-| [Create symbolic links](create-symbolic-links.md) | SeCreateSymbolicLinkPrivilege|
-| [Debug programs](debug-programs.md) | SeDebugPrivilege|
+| [Back up files and directories](back-up-files-and-directories.md) | SeBackupPrivilege|
+| [Bypass traverse checking](bypass-traverse-checking.md) | SeChangeNotifyPrivilege|
+| [Change the system time](change-the-system-time.md) | SeSystemtimePrivilege|
+| [Change the time zone](change-the-time-zone.md) | SeTimeZonePrivilege|
+| [Create a pagefile](create-a-pagefile.md) | SeCreatePagefilePrivilege|
+| [Create a token object](create-a-token-object.md) | SeCreateTokenPrivilege|
+| [Create global objects](create-global-objects.md) | SeCreateGlobalPrivilege|
+| [Create permanent shared objects](create-permanent-shared-objects.md) | SeCreatePermanentPrivilege|
+| [Create symbolic links](create-symbolic-links.md) | SeCreateSymbolicLinkPrivilege|
+| [Debug programs](debug-programs.md) | SeDebugPrivilege|
| [Deny access to this computer from the network](deny-access-to-this-computer-from-the-network.md)| SeDenyNetworkLogonRight |
-| [Deny log on as a batch job](deny-log-on-as-a-batch-job.md) | SeDenyBatchLogonRight|
+| [Deny log on as a batch job](deny-log-on-as-a-batch-job.md) | SeDenyBatchLogonRight|
| [Deny log on as a service](deny-log-on-as-a-service.md) | SeDenyServiceLogonRight |
-| [Deny log on locally](deny-log-on-locally.md) | SeDenyInteractiveLogonRight|
-| [Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md)| SeDenyRemoteInteractiveLogonRight|
-| [Enable computer and user accounts to be trusted for delegation](enable-computer-and-user-accounts-to-be-trusted-for-delegation.md)| SeEnableDelegationPrivilege|
-| [Force shutdown from a remote system](force-shutdown-from-a-remote-system.md) | SeRemoteShutdownPrivilege|
-| [Generate security audits](generate-security-audits.md) | SeAuditPrivilege|
-| [Impersonate a client after authentication](impersonate-a-client-after-authentication.md)| SeImpersonatePrivilege|
-| [Increase a process working set](increase-a-process-working-set.md) | SeIncreaseWorkingSetPrivilege|
-| [Increase scheduling priority](increase-scheduling-priority.md) | SeIncreaseBasePriorityPrivilege|
-| [Load and unload device drivers](load-and-unload-device-drivers.md) | SeLoadDriverPrivilege|
-| [Lock pages in memory](lock-pages-in-memory.md) | SeLockMemoryPrivilege|
-| [Log on as a batch job](log-on-as-a-batch-job.md) | SeBatchLogonRight|
-| [Log on as a service](log-on-as-a-service.md) | SeServiceLogonRight|
-| [Manage auditing and security log](manage-auditing-and-security-log.md)| SeSecurityPrivilege|
-| [Modify an object label](modify-an-object-label.md) | SeRelabelPrivilege|
-| [Modify firmware environment values](modify-firmware-environment-values.md)| SeSystemEnvironmentPrivilege|
+| [Deny log on locally](deny-log-on-locally.md) | SeDenyInteractiveLogonRight|
+| [Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md)| SeDenyRemoteInteractiveLogonRight|
+| [Enable computer and user accounts to be trusted for delegation](enable-computer-and-user-accounts-to-be-trusted-for-delegation.md)| SeEnableDelegationPrivilege|
+| [Force shutdown from a remote system](force-shutdown-from-a-remote-system.md) | SeRemoteShutdownPrivilege|
+| [Generate security audits](generate-security-audits.md) | SeAuditPrivilege|
+| [Impersonate a client after authentication](impersonate-a-client-after-authentication.md)| SeImpersonatePrivilege|
+| [Increase a process working set](increase-a-process-working-set.md) | SeIncreaseWorkingSetPrivilege|
+| [Increase scheduling priority](increase-scheduling-priority.md) | SeIncreaseBasePriorityPrivilege|
+| [Load and unload device drivers](load-and-unload-device-drivers.md) | SeLoadDriverPrivilege|
+| [Lock pages in memory](lock-pages-in-memory.md) | SeLockMemoryPrivilege|
+| [Log on as a batch job](log-on-as-a-batch-job.md) | SeBatchLogonRight|
+| [Log on as a service](log-on-as-a-service.md) | SeServiceLogonRight|
+| [Manage auditing and security log](manage-auditing-and-security-log.md)| SeSecurityPrivilege|
+| [Modify an object label](modify-an-object-label.md) | SeRelabelPrivilege|
+| [Modify firmware environment values](modify-firmware-environment-values.md)| SeSystemEnvironmentPrivilege|
| [Obtain an impersonation token for another user in the same session](impersonate-a-client-after-authentication.md) | SeDelegateSessionUserImpersonatePrivilege|
-| [Perform volume maintenance tasks](perform-volume-maintenance-tasks.md) | SeManageVolumePrivilege|
-| [Profile single process](profile-single-process.md) | SeProfileSingleProcessPrivilege|
-| [Profile system performance](profile-system-performance.md) | SeSystemProfilePrivilege|
-| [Remove computer from docking station](remove-computer-from-docking-station.md) | SeUndockPrivilege|
-| [Replace a process level token](replace-a-process-level-token.md) | SeAssignPrimaryTokenPrivilege|
+| [Perform volume maintenance tasks](perform-volume-maintenance-tasks.md) | SeManageVolumePrivilege|
+| [Profile single process](profile-single-process.md) | SeProfileSingleProcessPrivilege|
+| [Profile system performance](profile-system-performance.md) | SeSystemProfilePrivilege|
+| [Remove computer from docking station](remove-computer-from-docking-station.md) | SeUndockPrivilege|
+| [Replace a process level token](replace-a-process-level-token.md) | SeAssignPrimaryTokenPrivilege|
| [Restore files and directories](restore-files-and-directories.md) | SeRestorePrivilege |
-| [Shut down the system](shut-down-the-system.md) | SeShutdownPrivilege|
-| [Synchronize directory service data](synchronize-directory-service-data.md)| SeSyncAgentPrivilege|
-| [Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md) | SeTakeOwnershipPrivilege|
+| [Shut down the system](shut-down-the-system.md) | SeShutdownPrivilege|
+| [Synchronize directory service data](synchronize-directory-service-data.md)| SeSyncAgentPrivilege|
+| [Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md) | SeTakeOwnershipPrivilege|
+
-
## Related topics
- [Security policy settings reference](security-policy-settings-reference.md)
diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml
index 2bd556b46f..c40a04c723 100644
--- a/windows/whats-new/TOC.yml
+++ b/windows/whats-new/TOC.yml
@@ -12,12 +12,16 @@
- name: Prepare for Windows 11
href: windows-11-prepare.md
- name: Windows 11 enterprise feature control
- href: temporary-enterprise-feature-control.md
+ href: temporary-enterprise-feature-control.md
+ - name: What's new in Windows 11, version 23H2
+ href: whats-new-windows-11-version-23h2.md
- name: What's new in Windows 11, version 22H2
href: whats-new-windows-11-version-22h2.md
- name: Windows 10
expanded: true
items:
+ - name: Extended Security Updates (ESU) program for Windows 10
+ href: extended-security-updates.md
- name: What's new in Windows 10, version 22H2
href: whats-new-windows-10-version-22H2.md
- name: What's new in Windows 10, version 21H2
@@ -36,6 +40,6 @@
- name: Deprecated Windows features
href: deprecated-features.md
- name: Resources for deprecated features
- href: deprecated-features-resources.md
+ href: deprecated-features-resources.md
- name: Removed Windows features
href: removed-features.md
\ No newline at end of file
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index 75c9ea7697..f24e8b23a2 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -1,7 +1,7 @@
---
title: Deprecated features in the Windows client
description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.
-ms.date: 10/18/2023
+ms.date: 12/07/2023
ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
@@ -35,15 +35,22 @@ The features in this article are no longer being actively developed, and might b
> If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332).
|Feature | Details and mitigation | Deprecation announced |
-| ----------- | --------------------- | ---- |
+|---|---|---|
+| Windows speech recognition | [Windows speech recognition](https://support.microsoft.com/windows/83ff75bd-63eb-0b6c-18d4-6fae94050571) is being deprecated and will no longer being developed. This feature is being replaced with [voice access](https://support.microsoft.com/en-us/topic/4dcd23ee-f1b9-4fd1-bacc-862ab611f55d). Voice access is available for Windows 11, version 22H2, or later devices. Currently, voice access supports five English locales: English - US, English - UK, English - India, English - New Zealand, English - Canada, and English - Australia. For more information, see [Setup voice access](https://support.microsoft.com/en-us/topic/set-up-voice-access-9fc44e29-12bf-4d86-bc4e-e9bb69df9a0e). | December 2023 |
+| Microsoft Defender Application Guard for Office | [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/app-guard-for-office-install) is being deprecated and is no longer being updated. This deprecation also includes the [Windows.Security.Isolation APIs](/uwp/api/windows.security.isolation) that are used for Microsoft Defender Application Guard for Office. We recommend transitioning to Microsoft Defender for Endpoint [attack surface reduction rules](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction) along with [Protected View](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365#global-settings-for-safe-attachments) and [Windows Defender Application Control](/windows/security/application-security/application-control/windows-defender-application-control/wdac). | November 2023 |
+| Steps Recorder (psr.exe) | Steps Recorder is no longer being updated and will be removed in a future release of Windows. For screen recording, we recommend the Snipping Tool, Xbox Game Bar, or Microsoft Clipchamp. | November 2023 |
+| Tips | The Tips app is deprecated and will be removed in a future release of Windows. Content in the app will continue to be updated with information about new Windows features until the app is removed. | November 2023 |
+| Computer Browser | The Computer Browser driver and service are deprecated. The browser (browser protocol and service) is a dated and insecure device location protocol. This protocol, service, and driver were first disabled by default in Windows 10 with the removal of the SMB1 service. For more information on Computer Browser, see [MS-BRWS Common Internet File System](/openspecs/windows_protocols/ms-brws/3cfbad92-09b3-4abc-808f-c6f6347d5677). | November 2023 |
+| Webclient (WebDAV) Service | The Webclient (WebDAV) service is deprecated. The Webclient service isn't started by default in Windows. For more information on WebDAV, see [WebDAV - Win32 apps](/windows/win32/webdav/webdav-portal). | November 2023 |
+| Remote Mailslots | Remote Mailslots are deprecated. The Remote Mailslot protocol is a dated, simple, unreliable, insecure IPC method first introduced in MS DOS. This protocol was first disabled by default in [Windows 11 Insider Preview Build ](https://blogs.windows.com/windows-insider/2023/03/08/announcing-windows-11-insider-preview-build-25314/). For more information on Remote Mailslots, see [About Mailslots](/windows/win32/ipc/about-mailslots) and [[MS-MAIL]: Remote Mailslot Protocol](/openspecs/windows_protocols/ms-mail/8ea19aa4-6e5a-4aed-b628-0b5cd75a1ab9).| November 2023 |
| Timeline for Microsoft Entra accounts | Cross-device syncing of Microsoft Entra user activity history will stop starting in January 2024. Microsoft will stop storing this data in the cloud, aligning with [the previous change for Microsoft accounts (MSA)](https://blogs.windows.com/windows-insider/2021/04/14/announcing-windows-10-insider-preview-build-21359) in 2021. The timeline user experience was retired in Windows 11, although it remains in Windows 10. The timeline user experience and all your local activity history still remains on Windows 10 devices. Users can access web history using their browser and access recent files through OneDrive and Office. | October 2023 |
-| VBScript | VBScript is being deprecated. In future releases of Windows, VBScript will be available as a feature on demand before its removal from the operating system. For more information, see [Resources for deprecated features](deprecated-features-resources.md#vbscript). | October 2023 |
+| VBScript | VBScript is deprecated. In future releases of Windows, VBScript will be available as a feature on demand before its removal from the operating system. For more information, see [Resources for deprecated features](deprecated-features-resources.md#vbscript). | October 2023 |
| WordPad | WordPad is no longer being updated and will be removed in a future release of Windows. We recommend Microsoft Word for rich text documents like .doc and .rtf and Windows Notepad for plain text documents like .txt. | September 1, 2023 |
-| AllJoyn | Microsoft's implementation of AllJoyn which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) has been deprecated. [AllJoyn](https://openconnectivity.org/technology/reference-implementation/alljoyn/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures.AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity). | August 17, 2023 |
+| AllJoyn | Microsoft's implementation of AllJoyn, which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) has been deprecated. [AllJoyn](https://openconnectivity.org/technology/reference-implementation/alljoyn/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures.AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity). | August 17, 2023 |
| TLS 1.0 and 1.1 | Over the past several years, internet standards and regulatory bodies have [deprecated or disallowed](https://www.ietf.org/rfc/rfc8996.html) TLS versions 1.0 and 1.1 due to various security issues. Starting in Windows 11 Insider Preview builds for September 2023 and continuing in future Windows OS releases, TLS 1.0 and 1.1 will be disabled by default. This change increases the security posture of Windows customers and encourages modern protocol adoption. For organizations that need to use these versions, there's an option to re-enable TLS 1.0 or TLS 1.1. For more information, see [Resources for deprecated features](deprecated-features-resources.md). | August 1, 2023|
| Cortana in Windows | Cortana in Windows as a standalone app is deprecated. This change only impacts Cortana in Windows, and your productivity assistant, Cortana, will continue to be available in Outlook mobile, Teams mobile, Microsoft Teams display, and Microsoft Teams rooms. | June 2023 |
| Microsoft Support Diagnostic Tool (MSDT) | [MSDT](/windows-server/administration/windows-commands/msdt) is deprecated and will be removed in a future release of Windows. MSDT is used to gather diagnostic data for analysis by support professionals. For more information, see [Resources for deprecated features](deprecated-features-resources.md) | January 2023 |
-| Universal Windows Platform (UWP) Applications for 32-bit Arm | This change is applicable only to devices with an Arm processor, for example Snapdragon processors from Qualcomm. If you have a PC built with a processor from Intel or AMD, this content is not applicable. If you are not sure which type of processor you have, check **Settings** > **System** > **About**. Support for 32-bit Arm versions of applications will be removed in a future release of Windows 11. After this change, for the small number of applications affected, app features might be different and you might notice a difference in performance. For more technical details about this change, see [Update app architecture from Arm32 to Arm64](/windows/arm/arm32-to-arm64). | January 2023 |
+| Universal Windows Platform (UWP) Applications for 32-bit Arm | This change is applicable only to devices with an Arm processor, for example Snapdragon processors from Qualcomm. If you have a PC built with a processor from Intel or AMD, this content isn't applicable. If you aren't sure which type of processor you have, check **Settings** > **System** > **About**. Support for 32-bit Arm versions of applications will be removed in a future release of Windows 11. After this change, for the small number of applications affected, app features might be different and you might notice a difference in performance. For more technical details about this change, see [Update app architecture from Arm32 to Arm64](/windows/arm/arm32-to-arm64). | January 2023 |
| Update Compliance | [Update Compliance](/windows/deployment/update/update-compliance-monitor), a cloud-based service for the Windows client, is no longer being developed. This service has been replaced with [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), which provides reporting on client compliance with Microsoft updates from the Azure portal. | November 2022|
| Windows Information Protection | [Windows Information Protection](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) will no longer be developed in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection (WIP)](https://go.microsoft.com/fwlink/?linkid=2202124).
For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). | July 2022 |
| BitLocker To Go Reader | **Note: BitLocker to Go as a feature is still supported.**
Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows client.
The following items might not be available in a future release of Windows client:
- ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**
- Command line parameter: [`manage-bde -DiscoveryVolumeType`](/windows-server/administration/windows-commands/manage-bde-on) (-dv)
- Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**
- BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 |
@@ -78,7 +85,7 @@ The features in this article are no longer being actively developed, and might b
|RSA/AES Encryption for IIS | We recommend that users use CNG encryption provider. | 1709 |
|Screen saver functionality in Themes | Disabled in Themes. Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lock screen features and policies are preferred. | 1709 |
|Sync your settings (updated: August 17, 2017) | Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The **Sync your settings** options and the Enterprise State Roaming feature will continue to work. | 1709 |
-|System Image Backup (SIB) Solution|This feature is also known as the **Backup and Restore (Windows 7)** legacy control panel. For full-disk backup solutions, look for a third-party product from another software vendor. You can also use [OneDrive](/onedrive/) to sync data files with Microsoft 365.| 1709 |
+|System Image Backup (SIB) Solution|This feature is also known as the **Backup and Restore (Windows 7)** legacy control panel. For full-disk backup solutions, look for a third-party product from another software publisher. You can also use [OneDrive](/onedrive/) to sync data files with Microsoft 365.| 1709 |
|TLS RC4 Ciphers |To be disabled by default. For more information, see [TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server)| 1709 |
|Trusted Platform Module (TPM) Owner Password Management |This functionality within TPM.msc will be migrated to a new user interface.| 1709 |
|Trusted Platform Module (TPM): TPM.msc and TPM Remote Management | To be replaced by a new user interface in a future release. | 1709 |
diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json
index ec64e498bc..21719523a0 100644
--- a/windows/whats-new/docfx.json
+++ b/windows/whats-new/docfx.json
@@ -38,12 +38,12 @@
"ms.collection": [
"tier2"
],
+ "zone_pivot_group_filename": "resources/zone-pivot-groups.json",
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-Windows",
"ms.topic": "article",
- "feedback_system": "GitHub",
- "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
- "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
+ "feedback_system": "Standard",
+ "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.win-whats-new",
diff --git a/windows/whats-new/extended-security-updates.md b/windows/whats-new/extended-security-updates.md
new file mode 100644
index 0000000000..01fdfd6394
--- /dev/null
+++ b/windows/whats-new/extended-security-updates.md
@@ -0,0 +1,74 @@
+---
+title: Extended Security Updates (ESU) program for Windows 10
+description: Learn about the Extended Security Updates (ESU) program for Windows 10. The ESU program gives customers the option to receive security updates for Windows 10.
+ms.prod: windows-client
+ms.technology: itpro-fundamentals
+ms.author: mstewart
+author: mestew
+manager: aaroncz
+ms.localizationpriority: medium
+ms.topic: conceptual
+ms.date: 11/01/2023
+ms.collection:
+ - highpri
+ - tier2
+appliesto:
+ - ✅ Windows 10
+---
+
+# Extended Security Updates (ESU) program for Windows 10
+
+
+The Windows 10 Extended Security Updates (ESU) program gives customers the option to receive security updates for PCs enrolled in the program. ESU is a paid program that provides individuals and organizations of all sizes with the option to extend the use of Windows 10 devices past the end of support date in a more secure manner. For more information about the Windows 10 lifecycle, see the [Windows Lifecycle FAQ](/lifecycle/faq/windows).
+
+Individuals or organizations who elect to continue using Windows 10 after support ends on October 14, 2025, will have the option of enrolling their PCs into a paid ESU subscription. The ESU program enables PCs to continue to receive critical and important security updates through an annual subscription service after support ends. The [Microsoft Security Response Center](https://msrc.microsoft.com/) defines the [severity rating for security updates](https://www.microsoft.com/msrc/security-update-severity-rating-system).
+
+
+## Device prerequisites
+
+To be eligible to install updates from the ESU program, devices must be running Windows 10, version 22H2.
+
+## Limitations
+
+ESUs doesn't include the following items:
+
+- New features
+- Customer-requested nonsecurity updates
+- Design change requests
+- General support won't be provided for Windows versions past the end of support date. Support will be available only to those organizations that purchase ESU for specific situations concerning the security updates. To get technical support, organizations must have an active [support plan](https://www.microsoft.com/enterprise/services/unified-support-solutions) in place.
+
+## Frequently asked questions
+
+The following are frequently asked questions about the ESU program for Windows 10:
+
+### How much does ESU cost?
+
+Final pricing and enrollment conditions will be made available closer to the October 2025 date for end of support, approximately one year before the end of support for Windows 10. ESU will be free for all Windows 365 customers. For more information about Windows 365, see [What is Windows 365?](/windows-365/overview).
+
+### Is there a minimum license purchase requirement for Windows 10 ESU?
+
+There are no minimum license purchase requirements for Windows 10 ESU.
+
+### Can ESUs be purchased for a specific duration?
+
+Customers can't buy partial periods, for instance, only six months. Extended Security Updates are transacted per year (12-month period), starting with the end of support date.
+
+### When will the ESU offer be available for licensing?
+
+Windows 10 ESU will be available in volume licensing starting about 12 months before the end of support date of Windows 10, or late 2024.
+
+### How long can I get security updates for?
+
+Enrolled PCs belonging to a commercial or educational organization can receive security updates for a maximum of three years after end of support for Windows 10.
+
+### Is technical support included in ESU?
+
+No, technical support isn't included in the ESU program. Microsoft will provide support for customers that encounter challenges related to the ESU.
+
+### Will Windows 10 PCs stop working without the ESU offering?
+
+Windows 10 PCs will continue to work, but we recommend customers upgrade eligible PCs to Windows 11 using Windows Autopatch, Microsoft Intune, or transition to a new Windows 11 PC for the best, most secure computing experience. Customers also have the option to migrate to the cloud and subscribe to Windows 365 to make Windows 11 available to users on any device with a Cloud PC. Beginning October 14, 2025, Microsoft will no longer provide the following for versions of Windows 10 that reach end of support on that date:
+
+- Technical support
+- Feature updates or new features
+- Quality updates (including security and reliability fixes)
diff --git a/windows/whats-new/feature-lifecycle.md b/windows/whats-new/feature-lifecycle.md
index ffbc2050c9..dd03e924a0 100644
--- a/windows/whats-new/feature-lifecycle.md
+++ b/windows/whats-new/feature-lifecycle.md
@@ -6,9 +6,9 @@ ms.localizationpriority: medium
author: mestew
manager: aaroncz
ms.author: mstewart
-ms.topic: article
+ms.topic: conceptual
ms.technology: itpro-fundamentals
-ms.date: 10/28/2022
+ms.date: 12/05/2023
ms.collection:
- highpri
- tier2
@@ -18,7 +18,7 @@ appliesto:
---
# Windows client features lifecycle
-Each release of Windows 10 and Windows 11 contains many new and improved features. Occasionally we also remove features and functionality, usually because there is a better option.
+Each release of Windows 10 and Windows 11 contains many new and improved features. Occasionally we also remove features and functionality, usually because there's a better option.
## Windows 11 features
@@ -26,13 +26,13 @@ For information about features that are impacted when you upgrade from Windows 1
## Features no longer being developed
-The following topic lists features that are no longer being developed. These features might be removed in a future release.
+The following article lists features that are no longer being developed. These features might be removed in a future release.
[Deprecated Windows features](deprecated-features.md)
## Features removed
-The following topics have details about features that have been removed from Windows 10 or Windows 11. This includes features that are present in Windows 10, but are removed in Windows 11.
+The following article has details about features that have been removed from Windows 10 or Windows 11. This includes features that are present in Windows 10, but are removed in Windows 11.
[Removed Windows features](removed-features.md)
@@ -42,7 +42,7 @@ The following terms can be used to describe the status that might be assigned to
- **Deprecation**: The stage of the product lifecycle when a feature or functionality is no longer in active development and may be removed in future releases of a product or online service.
- **End of support**: The stage of the product lifecycle when support and servicing are no longer available for a product.
-- **Retirement**: The stage of the product lifecycle when an service is shut down so that it is no longer available for use.
+- **Retirement**: The stage of the product lifecycle when a service is shut down so that it's no longer available for use.
- **Remove or retire a feature**: The stage of the product lifecycle when a feature or functionality is removed from a service after it has been deprecated.
- **Replace a feature**: The stage of the product lifecycle when a feature or functionality in a service is replaced with a different feature or functionality.
diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml
index 193ffc24a8..c34ac91e0d 100644
--- a/windows/whats-new/index.yml
+++ b/windows/whats-new/index.yml
@@ -15,12 +15,12 @@ metadata:
author: aczechowski
ms.author: aaroncz
manager: aaroncz
- ms.date: 11/14/2022
+ ms.date: 10/31/2023
localization_priority: medium
landingContent:
- - title: Windows 11
+ - title: Windows 11 planning
linkLists:
- linkListType: overview
links:
@@ -35,16 +35,26 @@ landingContent:
- text: Windows commercial licensing overview
url: windows-licensing.md
+ - title: Windows 11
+ linkLists:
+ - linkListType: whats-new
+ links:
+ - text: What's new in Windows 11, version 23H2
+ url: whats-new-windows-11-version-23h2.md
+ - text: What's new in Windows 11, version 22H2
+ url: whats-new-windows-11-version-22h2.md
+
- title: Windows 10
linkLists:
- - linkListType: overview
+ - linkListType: whats-new
links:
+ - text: Extended Security Updates (ESU) program for Windows 10
+ url: extended-security-updates.md
- text: What's new in Windows 10, version 22H2
url: whats-new-windows-10-version-22h2.md
- text: What's new in Windows 10, version 21H2
url: whats-new-windows-10-version-21h2.md
- - text: What's new in Windows 10, version 21H1
- url: whats-new-windows-10-version-21h1.md
+
- title: Learn more
linkLists:
diff --git a/windows/whats-new/temporary-enterprise-feature-control.md b/windows/whats-new/temporary-enterprise-feature-control.md
index 65ebf38755..ba0ca795c1 100644
--- a/windows/whats-new/temporary-enterprise-feature-control.md
+++ b/windows/whats-new/temporary-enterprise-feature-control.md
@@ -8,7 +8,7 @@ author: mestew
manager: aaroncz
ms.localizationpriority: medium
ms.topic: reference
-ms.date: 09/26/2023
+ms.date: 11/01/2023
ms.collection:
- highpri
- tier2
@@ -39,7 +39,7 @@ Features that are behind temporary enterprise control will be enabled when one o
### Policy settings for temporary enterprise feature control
-You can use a policy to enable features that are behind temporary enterprise feature control. When this policy is enabled, all features that were disabled behind temporary enterprise feature control are turned on when the device next reboots. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later:
+You can use a policy to enable features that are behind temporary enterprise feature control. When this policy is enabled, all features that were disabled behind temporary enterprise feature control are turned on when the device next reboots. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/kb/5022845) and later:
- **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\\**Enable features introduced via servicing that are off by default**
@@ -52,12 +52,12 @@ The following features are behind temporary enterprise control in Windows 11:
| Feature | KB article where the feature was introduced | Feature update that ends temporary control | Notes |
|---|---|---|---|
-| Touch-optimized taskbar for 2-in-1 devices | [February 28, 2023 - KB5022913](https://support.microsoft.com/topic/february-28-2023-kb5022913-os-build-22621-1344-preview-3e38c0d9-924d-4f3f-b0b6-3bd49b2657b9) | 2023 annual feature update | |
-| Selecting **Uninstall** for a Win32 app from the right-click menu uses the **Installed Apps** page in **Settings** rather than **Programs and Features** under the **Control Panel** | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | |
-| Windows Spotlight provides a minimized experience, opportunities to learn more about each image, and allows users to preview images at full screen.| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | This feature also has a permanent control: **CSP**: ./User/Vendor/MSFT/Policy/Config/Experience/[AllowWindowsSpotlight](/windows/client-management/mdm/policy-csp-experience#allowwindowsspotlight) **Group Policy**: User Configuration\Administrative Templates\Windows Components\Cloud Content\\**Turn off all Windows spotlight features**|
-| Copilot in Windows | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | This feature has a permanent control. For more information, see the [Windows 11 features with permanent enterprise feature control](#windows-11-features-with-permanent-enterprise-feature-control) section. |
-| Dev Home | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | `Get-AppxPackage -Name Microsoft.Windows.DevHome` |
-|Dev Drive | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | This feature has multiple permanent controls. For more information, see the [Windows 11 features with permanent enterprise feature control](#windows-11-features-with-permanent-enterprise-feature-control) section |
+| Touch-optimized taskbar for 2-in-1 devices | [February 28, 2023 - KB5022913](https://support.microsoft.com/kb/5022913) | [Feature Update to Windows 11, version 23H2](https://support.microsoft.com/kb/5027397) | |
+| Selecting **Uninstall** for a Win32 app from the right-click menu uses the **Installed Apps** page in **Settings** rather than **Programs and Features** under the **Control Panel** | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | [Feature Update to Windows 11, version 23H2](https://support.microsoft.com/kb/5027397) | |
+| Windows Spotlight provides a minimized experience, opportunities to learn more about each image, and allows users to preview images at full screen.| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | [Feature Update to Windows 11, version 23H2](https://support.microsoft.com/kb/5027397) | This feature also has a permanent control: **CSP**: ./User/Vendor/MSFT/Policy/Config/Experience/[AllowWindowsSpotlight](/windows/client-management/mdm/policy-csp-experience#allowwindowsspotlight) **Group Policy**: User Configuration\Administrative Templates\Windows Components\Cloud Content\\**Turn off all Windows spotlight features**|
+| Copilot in Windows | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | [Feature Update to Windows 11, version 23H2](https://support.microsoft.com/kb/5027397) | This feature has a permanent control. For more information, see the [Windows 11 features with permanent enterprise feature control](#windows-11-features-with-permanent-enterprise-feature-control) section. |
+| Dev Home | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | [Feature Update to Windows 11, version 23H2](https://support.microsoft.com/kb/5027397) | `Get-AppxPackage -Name Microsoft.Windows.DevHome` |
+| Dev Drive | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | [Feature Update to Windows 11, version 23H2](https://support.microsoft.com/kb/5027397) | This feature has multiple permanent controls. For more information, see the [Windows 11 features with permanent enterprise feature control](#windows-11-features-with-permanent-enterprise-feature-control) section |
## Permanent enterprise feature control
@@ -69,9 +69,9 @@ The following features introduced through the monthly cumulative updates allow p
| Feature | KB article where the feature was introduced | Feature enabled by default | CSP and Group Policy |
|---|---|---|---|
-| Configure search on the taskbar | [February 28, 2023 - KB5022913](https://support.microsoft.com/topic/february-28-2023-kb5022913-os-build-22621-1344-preview-3e38c0d9-924d-4f3f-b0b6-3bd49b2657b9)| Yes | **CSP**: ./Device/Vendor/MSFT/Policy/Config/Search/[ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) **Group Policy**: Computer Configuration\Administrative Templates\Windows Components\Search\\**Configures search on the taskbar**|
+| Configure search on the taskbar | [February 28, 2023 - KB5022913](https://support.microsoft.com/kb/5022913) | Yes | **CSP**: ./Device/Vendor/MSFT/Policy/Config/Search/[ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) **Group Policy**: Computer Configuration\Administrative Templates\Windows Components\Search\\**Configures search on the taskbar**|
| The **Recommended** section of the **Start Menu** displays personalized website recommendations |[September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)| No |**CSP**: ./Device/Vendor/MSFT/Policy/Config/Start/[HideRecoPersonalizedSites](/windows/client-management/mdm/policy-csp-start) **Group Policy**: Computer Configuration\Administrative Templates\Start Menu and Taskbar\\**Remove Personalized Website Recommendations from the Recommended section in the Start Menu**|
| **Recommended** section added to File Explorer Home for users signed into Windows with an Azure AD account. | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes | **CSP**:./Device/Vendor/MSFT/Policy/Config/FileExplorer/[DisableGraphRecentItems](/windows/client-management/mdm/policy-csp-fileexplorer#disablegraphrecentitems) **Group Policy**: Computer Configuration\Administrative Templates\Windows Components\File Explorer\\**Turn off files from Office.com in Quick Access View** **Note**: This control disables additional items beyond the **Recommended** items. Review the policy before implementing this control. |
| Transfer files to another PC using WiFi direct|[September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)|Yes|**CSP**: ./Device/Vendor/MSFT/Policy/Config/Wifi/[AllowWiFiDirect](/windows/client-management/mdm/policy-csp-wifi#allowwifidirect)|
-| Copilot in Windows | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot**|
+| Copilot in Windows | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSP**: ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot**|
|Dev Drive | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSPs**: - ./Device/Vendor/MSFT/Policy/Config/FileSystem/[EnableDevDrive](/windows/client-management/mdm/policy-csp-filesystem#enableeeverive) - ./Device/Vendor/MSFT/Policy/Config/FileSystem/[DevDriveAttachPolicy](/windows/client-management/mdm/policy-csp-filesystem#devdriveattachpolicy) **Group Policies**: - Computer Configuration\Administrative Templates\System\FileSystem\\**Enable dev drive** - Computer Configuration\Administrative Templates\System\FileSystem\\**Dev drive filter attach policy**|
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md
index f4005118e9..c593f3baae 100644
--- a/windows/whats-new/whats-new-windows-10-version-1903.md
+++ b/windows/whats-new/whats-new-windows-10-version-1903.md
@@ -9,18 +9,19 @@ ms.localizationpriority: medium
ms.topic: article
ROBOTS: NOINDEX
ms.technology: itpro-fundamentals
-ms.date: 12/31/2017
+ms.date: 11/17/2023
---
# What's new in Windows 10, version 1903 for IT Pros
**Applies to**
-- Windows 10, version 1903
+- Windows 10, version 1903.
-This article lists new and updated features and content that are of interest to IT Pros for Windows 10 version 1903, also known as the Windows 10 May 2019 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1809.
+This article lists new and updated features and content that are of interest to IT Pros for Windows 10 version 1903, also known as the Windows 10 May 2019 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1809.
>[!NOTE]
->New disk space requirement for Windows 10, version 1903 applies only to OEMs for the manufacture of new PCs. This new requirement does not apply to existing devices. PCs that don’t meet new device disk space requirements will continue to receive updates and the 1903 update will require about the same amount of free disk space as previous updates. For more information, see [Reserved storage](#reserved-storage).
+>
+>New disk space requirement for Windows 10, version 1903 applies only to OEMs for the manufacture of new PCs. This new requirement does not apply to existing devices. PCs that don't meet new device disk space requirements will continue to receive updates and the 1903 update will require about the same amount of free disk space as previous updates. For more information, see [Reserved storage](#reserved-storage).
## Deployment
@@ -28,36 +29,36 @@ This article lists new and updated features and content that are of interest to
[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. The following Windows Autopilot features are available in Windows 10, version 1903 and later:
-- [Windows Autopilot for white glove deployment](/windows/deployment/windows-autopilot/white-glove) is new in this version of Windows. "White glove" deployment enables partners or IT staff to pre-provision devices so they're fully configured and business ready for your users.
-- The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions.
+- [Windows Autopilot for pre-provisioned deployment](/autopilot/pre-provision) is new in this version of Windows. Pre-provisioned deployment enables partners or IT staff to pre-provision devices so they're fully configured and business ready for your users.
+- The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions.
- [Cortana voiceover](/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
-- Windows Autopilot is self-updating during OOBE. From Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
-- Windows Autopilot will set the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
+- Windows Autopilot is self-updating during OOBE. From Windows 10, version 1903 Autopilot functional and critical updates begin downloading automatically during OOBE.
+- Windows Autopilot sets the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
### SetupDiag
-[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.
+[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the `rules.xml` file, which is extracted when SetupDiag is run. The `rules.xml` file are updated as new versions of SetupDiag are made available.
### Reserved storage
-[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 or later pre-installed, and for clean installs. It will not be enabled when updating from a previous version of Windows 10.
+[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327) sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage is enabled automatically on new PCs with Windows 10, version 1903 or later pre-installed, and for clean installs. It isn't enabled when updating from a previous version of Windows 10.
## Servicing
- [**Delivery Optimization**](/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). These new policies now support Microsoft 365 Apps for enterprise updates and Intune content.
-- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically sign in as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
-- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
+- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows automatically signs in as the user and lock their device in order to complete the update. This automatic sign-in ensures that when the user returns and unlocks the device, the update is completed.
+- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There's now a single, common start date for phased deployments (no more SAC-T designation). In addition, there's a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device backed up and run normally.
-- **Pause updates**: We've extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you'll need to update your device before pausing again.
-- **Improved update notifications**: When there’s an update requiring you to restart your device, you’ll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar.
-- **Intelligent active hours**: To further enhance active hours, users will now be able to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
-- **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
+- **Pause updates**: The ability to pause updates for both feature and monthly updates is extended. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, the device needs to be updated before pausing again.
+- **Improved update notifications**: When there's an update requiring you to restart your device, a colored dot appears on the Power button in the Start menu and on the Windows icon in your taskbar.
+- **Intelligent active hours**: To further enhance active hours, users are now able to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
+- **Improved update orchestration to improve system responsiveness**: This feature improves system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
## Security
### Windows Information Protection
-With this release, Microsoft Defender for Endpoint extends discovery and protection of sensitive information with [Auto Labeling](/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels#how-wip-protects-automatically-classified-files).
+With this release, Microsoft Defender for Endpoint extends discovery and protection of sensitive information with [Auto Labeling](/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels#how-wip-protects-automatically-classified-files).
### Security configuration framework
@@ -73,72 +74,75 @@ The draft release of the [security configuration baseline settings](/archive/blo
### Microsoft Defender for Endpoint
-- [Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URL’s and IP addresses.
-- [Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
- - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform.
- - Tamper-proofing capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers.
-- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Microsoft Defender for Endpoint’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities.
+- [Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) - IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URLs and IP addresses.
+- [Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) - Controls are extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
+ - Integrity enforcement capabilities - Enable remote runtime attestation of Windows 10 platform.
+ - Tamper-proofing capabilities - Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers.
+- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) - In addition to Windows 10, Microsoft Defender for Endpoint's functionality are extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities.
-### Microsoft Defender for Endpoint next-gen protection technologies:
+### Microsoft Defender for Endpoint next-gen protection technologies
- **Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware.
-- **Emergency outbreak protection**: Provides emergency outbreak protection that will automatically update devices with new intelligence when a new outbreak has been detected.
-- **Certified ISO 27001 compliance**: Ensures that the cloud service has analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place.
+- **Emergency outbreak protection**: Provides emergency outbreak protection that automatically updates devices with new intelligence when a new outbreak is detected.
+- **Certified ISO 27001 compliance**: Ensures that the cloud service is analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place.
- **Geolocation support**: Support geolocation and sovereignty of sample data and configurable retention policies.
### Threat Protection
- [Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849): Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device.
-- [Microphone privacy settings](https://support.microsoft.com/en-us/help/4468232/windows-10-camera-microphone-and-privacy-microsoft-privacy): A microphone icon appears in the notification area letting you see which apps are using your microphone.
+- [Microphone privacy settings](https://support.microsoft.com/windows/windows-camera-microphone-and-privacy-a83257bc-e990-d54a-d212-b5e41beba857): A microphone icon appears in the notification area letting you see which apps are using your microphone.
-- [Windows Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements:
+- [Windows Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements:
- Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior.
- WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the WDAG Edge browser. There's also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates.
- To try this extension:
+ To try this extension:
1. Configure WDAG policies on your device.
2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension.
3. Follow any of the other configuration steps on the extension setup page.
4. Reboot the device.
5. Navigate to an untrusted site in Chrome and Firefox.
- - WDAG allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the WDAG Microsoft Edge. Previously, users browsing in WDAG Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in WDAG Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates.
+ - WDAG allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the WDAG Microsoft Edge. Previously, users browsing in WDAG Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users are automatically redirected to their host default browser when they enter or select on a trusted site in WDAG Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates.
- [Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903, Windows Defender Application Control has many new features that light up key scenarios and provide feature parity with AppLocker.
- - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): Windows Defender Application Control now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy.
- - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, Windows Defender Application Control has an option that allows admins to enforce at runtime that only code from paths that aren't user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it's authorized by something other than a path rule like a signer or hash rule.
- This functionality brings WDAC to parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that isn't available with AppLocker.
- - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, Windows Defender Application Control enforced a built-in allowlist for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where more COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
+ - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): Windows Defender Application Control now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios:
+ 1. Enforce and audit side-by-side.
+ 1. Simpler targeting for policies with different scope/intent.
+ 1. expanding a policy using a new supplemental policy.
+ - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, Windows Defender Application Control has an option that allows admins to enforce at runtime that only code from paths that aren't user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files are checked for write permissions for unknown admins. If a file is found to be user writeable, the system blocks the executable from running unless it receives authorization from a source other than a path rule, such as a signer or hash rule.
+ - This functionality brings WDAC to parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time. This capability isn't available with AppLocker.
+ - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, Windows Defender Application Control enforced a built-in allowlist for COM object registration. While this mechanism works for most common application usage scenarios, customers provided feedback that there are cases where more COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
#### System Guard
-[System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) has added a new feature in this version of Windows called **SMM Firmware Measurement**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, OS memory and secrets are protected from SMM. There are currently no devices out there with compatible hardware, but they'll be coming out in the next few months.
+[System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) has a new feature in this version of Windows called **SMM Firmware Measurement**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner. Specifically, OS memory and secrets are protected from SMM.
-This new feature is displayed under the Device Security page with the string “Your device exceeds the requirements for enhanced hardware security” if configured properly:
+This new feature is displayed under the Device Security page with the string `Your device exceeds the requirements for enhanced hardware security` if configured properly:
### Identity Protection
-- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less sign-in for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD.
+- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less sign-in for websites supporting FIDO2 authentication, such as Microsoft account and Microsoft Entra ID.
- [Streamlined Windows Hello PIN reset experience](/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web.
-- Sign-in with [Password-less](/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience!
-- [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
+- Sign-in with [Password-less](/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience.
+- [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Microsoft Entra ID and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
### Security management
-- [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97): Lets you add rules for WSL process, just like for Windows processes.
-- [Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations.
+- [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97): Lets you add rules for WSL process, just like for Windows processes.
+- [Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations.
- [Tamper Protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) lets you prevent others from tampering with important security features.
## Microsoft Edge
-Several new features are coming in the next version of Edge. For more information, see the [news from Build 2019](https://blogs.windows.com/msedgedev/2019/05/06/edge-chromium-build-2019-pwa-ie-mode-devtools/#2QJF4u970WjQ2Sv7.97).
+Several new features are coming in the next version of Microsoft Edge. For more information, see the [news from Build 2019](https://blogs.windows.com/msedgedev/2019/05/06/edge-chromium-build-2019-pwa-ie-mode-devtools/#2QJF4u970WjQ2Sv7.97).
## See Also
-[What's New in Windows Server, version 1903](/windows-server/get-started/whats-new-in-windows-server-1903-1909): New and updated features in Windows Server.
-[Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
-[What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
-[What's new in Windows 10](/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
-[What's new in Windows 10 for developers](https://blogs.windows.com/buildingapps/2019/04/18/start-developing-on-windows-10-may-2019-update-today/#2Lp8FUFQ3Jm8KVcq.97): New and updated features in Windows 10 that are of interest to developers.
+- [What's New in Windows Server, version 1903](/windows-server/get-started/whats-new-in-windows-server-1903-1909): New and updated features in Windows Server.
+- [Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
+- [What's New in Windows 10](./index.yml): See what's new in other versions of Windows 10.
+- [What's new in Windows 10](/windows-hardware/get-started/what-s-new-in-windows): See what's new in Windows 10 hardware.
+- [What's new in Windows 10 for developers](https://blogs.windows.com/buildingapps/2019/04/18/start-developing-on-windows-10-may-2019-update-today/#2Lp8FUFQ3Jm8KVcq.97): New and updated features in Windows 10 that are of interest to developers.
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index d40de13c9d..5ab89168fd 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -55,7 +55,7 @@ Windows 10, version 1909 also includes two new features called **Key-rolling** a
### Transport Layer Security (TLS)
-An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 is disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 isn't built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog. Also see [Microsoft Edge platform status](https://developer.microsoft.com/microsoft-edge/status/tls13/)
+An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 is disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 isn't built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog.
>[!NOTE]
>The experiental implementation of TLS 1.3 isn't supported. TLS 1.3 is only supported on Windows 11 and Server 2022. For more information, see [Protocols in TLS/SSL (Schannel SSP)](/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-).
diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md
index 3b134e5092..4f1f8db731 100644
--- a/windows/whats-new/whats-new-windows-10-version-21H1.md
+++ b/windows/whats-new/whats-new-windows-10-version-21H1.md
@@ -6,7 +6,7 @@ author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: high
-ms.topic: article
+ms.topic: conceptual
ms.collection:
- highpri
- tier2
diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md
index 8b06af0956..56b194f450 100644
--- a/windows/whats-new/whats-new-windows-10-version-21H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-21H2.md
@@ -6,7 +6,7 @@ ms.prod: windows-client
ms.author: mstewart
author: mestew
ms.localizationpriority: medium
-ms.topic: article
+ms.topic: conceptual
ms.collection:
- highpri
- tier2
diff --git a/windows/whats-new/whats-new-windows-11-version-23h2.md b/windows/whats-new/whats-new-windows-11-version-23h2.md
new file mode 100644
index 0000000000..7a178b1852
--- /dev/null
+++ b/windows/whats-new/whats-new-windows-11-version-23h2.md
@@ -0,0 +1,125 @@
+---
+title: What's new in Windows 11, version 23H2 for IT pros
+description: Learn more about what's new in Windows 11 version 23H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more.
+manager: aaroncz
+ms.prod: windows-client
+ms.author: mstewart
+author: mestew
+ms.localizationpriority: medium
+ms.topic: conceptual
+ms.collection:
+ - highpri
+ - tier2
+ms.technology: itpro-fundamentals
+ms.date: 10/31/2023
+appliesto:
+ - ✅ Windows 11, version 23H2
+---
+
+# What's new in Windows 11, version 23H2
+
+Windows 11, version 23H2 is a feature update for Windows 11. It includes all features and fixes in previous cumulative updates to Windows 11, version 22H2. This article lists the new and updated features IT Pros should know.
+
+Windows 11, version 23H2 follows the [Windows 11 servicing timeline](/lifecycle/faq/windows#windows-11):
+
+- **Windows 11 Pro**: Serviced for 24 months from the release date.
+- **Windows 11 Enterprise**: Serviced for 36 months from the release date.
+
+Devices updating from Windows 11, version 22H2 use an enablement package. Most the files for the 23H2 update already exist on Windows 11, version 22H2 devices that have installed a recent monthly security update. Many of the new features have already been enabled on Windows 11, version 22H2 clients. However, some features are just in an inactive and dormant state because they are under [temporary enterprise feature control](temporary-enterprise-feature-control.md). These new features remain dormant until they're turned on through the enablement package, a small, quick-to-install switch that activates all of the Windows 11, version 23H2 features.
+
+Windows 11, version 23H2 is available through Windows Server Update Services (including Configuration Manager), Windows Update for Business, and the Volume Licensing Service Center (VLSC). For more information, see [How to get the Windows 11, version 23H2 update](https://blogs.windows.com/windowsexperience/?p=178531). Review the [Windows 11, version 23H2 Windows IT Pro blog post](https://aka.ms/new-in-23H2) to discover information about available deployment resources such as the [Windows Deployment Kit (Windows ADK)](/windows-hardware/get-started/adk-install).
+
+
+To learn more about the status of the update rollout, known issues, and new information, see [Windows release health](/windows/release-health/).
+
+## Features no longer under temporary enterprise control
+
+[Temporary enterprise feature control](temporary-enterprise-feature-control.md) temporarily turns off certain features that were introduced during monthly cumulative updates for managed Windows 11, version 22H2 devices. For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business.
+
+When a managed Windows 11, version 22H2 device installs [version 23H2](https://support.microsoft.com/kb/5027397), the following features will no longer be under temporary enterprise feature control:
+
+| Feature | KB article where the feature was introduced |
+|---|---|
+| Touch-optimized taskbar for 2-in-1 devices | [February 28, 2023 - KB5022913](https://support.microsoft.com/kb/5022913) |
+| Selecting **Uninstall** for a Win32 app from the right-click menu uses the **Installed Apps** page in **Settings** rather than **Programs and Features** under the **Control Panel** | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) |
+| Windows Spotlight provides a minimized experience, opportunities to learn more about each image, and allows users to preview images at full screen.| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) |
+| Copilot in Windows | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) |
+| [Dev Home](/windows/dev-home/) | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) |
+| [Dev Drive](/windows/dev-drive/) | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) |
+
+## Features added to Windows 11 since version 22H2
+
+Starting with Windows 11, version 22H2, new features and enhancements were introduced periodically to provide continuous innovation for Windows 11. These features and enhancements use the normal update servicing channels you're already familiar with. At first, new features are introduced with an optional nonsecurity preview release and gradually rolled out to clients. These new features are released later as part of a monthly security update release. For more information about continuous innovation, see [Update release cycle for Windows clients](/windows/deployment/update/release-cycle#continuous-innovation-for-windows-11) Some of the features were released within the past year's continuous innovation updates and carry forward into the 23H2 annual feature update include:
+
+
+### Passkeys in Windows
+
+Windows provides a native experience for passkey management. You can use the Settings app to view and manage passkeys saved for apps or websites. For more information, see [Support for passkeys in Windows](/windows/security/identity-protection/passkeys).
+
+### Windows passwordless experience
+
+Windows passwordless experience is a security policy that promotes a user experience without passwords on Microsoft Entra joined devices.
+When the policy is enabled, certain Windows authentication scenarios don't offer users the option to use a password, helping organizations and preparing users to gradually move away from passwords. For more information, see [Windows passwordless experience](/windows/security/identity-protection/passwordless-experience/).
+
+### Web sign-in for Windows
+
+You can enable a web-based sign-in experience on Microsoft Entra joined devices, unlocking new sign-in options and capabilities. For more information, see [Web sign-in for Windows](/windows/security/identity-protection/web-sign-in).
+
+### Declared configuration protocol
+
+**Declared configuration protocol** is a new protocol for device configuration management that's based on a desired state model and uses OMA-DM SyncML protocol. It allows the server to provide the device with a collection of settings for a specific scenario, and the device to handle the configuration request and maintain its state. For more information, see [What is the declared configuration protocol](/windows/client-management/declared-configuration).
+
+### Education themes
+
+You can deploy education themes to your devices. The education themes are designed for students using devices in a school. For more information, see [Configure education themes for Windows 11](/education/windows/edu-themes).
+
+### Temporary enterprise feature control
+
+Controls were added to temporarily turn off certain features that were introduced during monthly cumulative updates for managed Windows 11, version 22H2 devices. For more information, see [Temporary enterprise feature control](temporary-enterprise-feature-control.md).
+
+### Multi-app kiosk
+
+
+You can configure a multi-app kiosk, which displays a customized start menu of allowed apps. For more information, see [Set up a multi-app kiosk on Windows 11 devices](/windows/configuration/lock-down-windows-11-to-specific-apps).
+
+### Copilot in Windows
+
+Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. For more information, see [Manage Copilot in Windows](/windows/client-management/manage-windows-copilot).
+
+### Windows Hello for Business authentication improvement
+
+Peripheral face and fingerprint sensors can be used for Windows Hello for Business authentication on devices where Enhanced Sign-in Security (Secure Biometrics) has been enabled at the factory. Previously this functionality was blocked. For more information, see [Common questions about Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-faq).
+
+### LAPS native integration
+
+Use Windows Local Administrator Password Solution (LAPS) to regularly rotate and manage local administrator account passwords. For more information, see [Local Administrator Password Solution (LAPS)](/windows-server/identity/laps/laps-overview)
+
+### Federated sign-in
+
+You can sign into Windows using a federated identity, which simplifies the experience for students. For example, students and educators can use QR code badges to sign-in. This feature is designed specifically for Education editions of Windows. For more information, see [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in).
+
+### Customize Windows 11 taskbar buttons
+
+[Policies to customize Windows 11 taskbar buttons](/windows/configuration/supported-csp-taskbar-windows#csp-policies-to-customize-windows-11-taskbar-buttons) were added to provide you with more control over the taskbar search experience across your organization.
+
+### Braille displays
+
+The compatibility of braille displays was expanded. Braille displays work seamlessly and reliably across multiple screen readers, improving the end user experience. We also added support for new braille displays and new braille input and output languages in Narrator. For more information, see [Accessibility information for IT professionals](/windows/configuration/windows-accessibility-for-ITPros).
+
+### Dev Drive
+
+Dev Drive is a new form of storage volume available to improve performance for key developer workloads. For more information, see [Set up a Dev Drive on Windows 11](/windows/dev-drive/).
+
+### Additional features
+
+
+- **Tabs for File Explorer**: File Explorer includes tabs to help you organize your File Explorer sessions.
+- **Taskbar overflow menu**: The taskbar offers an entry point to a menu that shows all of your overflowed apps in one spot.
+- **Suggested actions**: Copied text in certain formats, such as phone numbers or dates, offer suggested actions such as calling the number or adding the event to your calendar.
+- **Task Manager enhancements**: Process filtering, theme settings, and the ability to opt out of efficiency mode notification were added to Task Manager.
+- **Narrator improvements**: Scripting functionality was added to Narrator. Narrator includes more natural voices.
+
+### In-box apps
+
+- **Microsoft Teams**: Chat is being removed from the Microsoft Teams in-box app. Teams will no longer be pinned to the taskbar for enterprise editions of Windows 11, version 23H2 or later. To identify the appx package: `Get-AppxPackage -Name MicrosoftTeams`
+- **Dev Home**: Dev Home is a new app that provides a central location for developers to start building, testing, and deploying Windows apps. For more information, see [Dev Home](/windows/dev-home/). To identify the appx package: `Get-AppxPackage -Name Microsoft.Windows.DevHome`