diff --git a/.openpublishing.redirection.windows-configuration.json b/.openpublishing.redirection.windows-configuration.json index b5f046f434..abeb93b128 100644 --- a/.openpublishing.redirection.windows-configuration.json +++ b/.openpublishing.redirection.windows-configuration.json @@ -37,7 +37,7 @@ }, { "source_path": "windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields.md", - "redirect_url": "/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields", + "redirect_url": "https://techcommunity.microsoft.com/t5/windows-it-pro-blog/preview-app-and-driver-compatibility-insights-in-endpoint/ba-p/3482136", "redirect_document_id": false }, { diff --git a/.openpublishing.redirection.windows-privacy.json b/.openpublishing.redirection.windows-privacy.json index 3bbff994f7..e280e5a7ba 100644 --- a/.openpublishing.redirection.windows-privacy.json +++ b/.openpublishing.redirection.windows-privacy.json @@ -54,6 +54,11 @@ "source_path": "windows/privacy/windows-personal-data-services-configuration.md", "redirect_url": "/windows/privacy/windows-10-and-privacy-compliance", "redirect_document_id": false + }, + { + "source_path": "windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md", + "redirect_url": "https://techcommunity.microsoft.com/t5/windows-it-pro-blog/preview-app-and-driver-compatibility-insights-in-endpoint/ba-p/3482136", + "redirect_document_id": false } ] } diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json index 471c829ed5..93967da44e 100644 --- a/.openpublishing.redirection.windows-security.json +++ b/.openpublishing.redirection.windows-security.json 
@@ -52,7 +52,12 @@ }, { "source_path": "windows/security//threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md", - "redirect_url": "/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension", + "redirect_url": "/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview", + "redirect_document_id": false + }, + { + "source_path": "windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension.md", + "redirect_url": "/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview", "redirect_document_id": false }, { diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index 68c83b8121..dda5503d8b 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md 
@@ -455,7 +455,7 @@ ConfigureTelemetryOptInSettingsUx | This policy setting determines whether peopl | DisableDeviceDelete | Specify whether the delete diagnostic data is enabled in the Diagnostic & Feedback Settings page. | ✅ | | | | | DisableDataDiagnosticViewer | Configure whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page. | ✅ | | | | | [DisableOneDriveFileSync](/windows/client-management/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | ✅ | | | | -| [LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics) | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus other events that are required for Windows Analytics are sent to Microsoft. These events are documented in [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields). Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus other enhanced level diagnostic data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. 
| ✅ | | | | +| [LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#limitenhanceddiagnosticdatawindowsanalytics) | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus other events that are required for Windows Analytics are sent to Microsoft. Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus other enhanced level diagnostic data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. | ✅ | | | | ## TextInput diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md index 0b09a07b84..182f55c874 100644 --- a/windows/deployment/wds-boot-support.md +++ b/windows/deployment/wds-boot-support.md @@ -7,7 +7,7 @@ author: frankroj ms.author: frankroj manager: aaroncz ms.topic: conceptual -ms.date: 04/25/2024 +ms.date: 07/19/2024 ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 
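Review bot: In .openpublishing.redirection.windows-configuration.json the redirect for enhanced-diagnostic-data-windows-analytics-events-and-fields.md now points at an external Tech Community post (ba-p/3482136) rather than a docs page, and the entry added to .openpublishing.redirection.windows-privacy.json uses the same target. That post is an announcement of a preview feature, not a reference, so anyone following the old URL to learn which diagnostic events the LimitEnhancedDiagnosticDataWindowsAnalytics policy sends gets no answer. Prefer a surviving docs page as the target (the deleted article itself links configure-windows-diagnostic-data-in-your-organization.md, which would be the natural choice) and keep the blog link, if at all, as related content. `redirect_document_id: false` is correct for both entries since an external URL cannot carry the document id.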
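Review bot: In .openpublishing.redirection.windows-security.json the new entry redirects windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension.md, but nothing in this diff deletes that file; a redirect entry for a page that still exists is at best confusing and may be flagged by the build. Either include the file removal in this change or drop the entry until the page actually goes. Retargeting the older `windows/security//threat-protection/...` entry straight at md-app-guard-overview is the right call, since the previous target is the page now being redirected and would have produced a redirect chain; while that entry is being touched, the doubled slash in its source_path is worth fixing too.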
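Review bot: In windows/configuration/wcd/wcd-policies.md the LimitEnhancedDiagnosticDataWindowsAnalytics row drops the sentence "These events are documented in [...]" without replacing it, so the description still promises "a basic level of diagnostic data plus other events that are required for Windows Analytics" with nowhere left to look up which events those are. The row also still presents Windows Analytics as a live service, while the article deleted in this same change states that the Windows Analytics solutions were retired on January 31, 2020 and Desktop Analytics on November 30, 2022. Add a retirement note to the row (or mark the policy as deprecated) and point to a surviving reference for the event set. The anchor change from #system-limitenhanceddiagnosticdatawindowsanalytics to #limitenhanceddiagnosticdatawindowsanalytics looks right but should be checked against the current policy-csp-system page before merge.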
@@ -21,48 +21,56 @@ appliesto: The operating system deployment functionality of [Windows Deployment Services](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831764(v=ws.11)) (WDS) is being partially deprecated. Starting with Windows 11, workflows that rely on **boot.wim** from installation media or on running Windows Setup in WDS mode is no longer supported. -When you PXE-boot from a WDS server that uses the **boot.wim** file from installation media as its boot image, Windows Setup automatically launches in WDS mode. This workflow is deprecated for Windows 11 and newer boot images. The following deprecation message is displayed: +When PXE booting from a WDS server that uses the **boot.wim** file from installation media as its boot image, Windows Setup automatically launches in WDS mode. This workflow is deprecated for Windows 11 and newer boot images. The following deprecation message is displayed: > Windows Setup > -> Windows Deployment Services client functionality is being partly deprecated. Please visit https://aka.ms/WDSSupport for more details on what is deprecated and what will continue to be supported. +> Windows Deployment Services client functionality is being partly deprecated. Please visit https://aka.ms/WDSSupport for more details on what is deprecated and what is still supported. ## Deployment scenarios affected The following table provides support details for specific deployment scenarios. Boot.wim is the `boot.wim` file obtained from the Windows source files for each specified version of Windows. 
-|Windows Version being deployed |Boot.wim from Windows 10|Boot.wim from Windows Server 2016|Boot.wim from Windows Server 2019|Boot.wim from Windows Server 2022|Boot.wim from Windows 11| -|--- |--- |--- |--- |--- |--- | -|**Windows 11**|Not supported, blocked.|Not supported, blocked.|Not supported, blocked.|Not supported, blocked.|Not supported, blocked.| -|**Windows 10**|Supported, using a boot image from matching or newer version.|Supported, using a boot image from Windows 10, version 1607 or later.|Supported, using a boot image from Windows 10, version 1809 or later.|Not supported.|Not supported.| -|**Windows Server 2022**|Deprecated, with a warning message.|Deprecated, with a warning message.|Deprecated, with a warning message.|Deprecated, with a warning message.|Not supported.| -|**Windows Server 2019**|Supported, using a boot image from Windows 10, version 1809 or later.|Supported.|Supported.|Not supported.|Not supported.| -|**Windows Server 2016**|Supported, using a boot image from Windows 10, version 1607 or later.|Supported.|Not supported.|Not supported.|Not supported.| - -## Reason for the change - -Alternatives to WDS, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) provide a better, more flexible, and feature-rich experience for deploying Windows images. +| Windows Version being deployed | Boot.wim from Windows 10 | Boot.wim from Windows Server 2016 | Boot.wim from Windows Server 2019 | Boot.wim from Windows Server 2022 | Boot.wim from Windows 11 | +| --- | --- | --- | --- | --- | --- | +| **Windows 11** | Not supported, blocked. | Not supported, blocked. | Not supported, blocked. |Not supported, blocked. | Not supported, blocked. | +| **Windows 10** | Supported, using a boot image from matching or newer version. 
| Supported, using a boot image from a [currently supported version of Windows 10](/windows/release-health/supported-versions-windows-client#windows-10-supported-versions). | Supported, using a boot image from a [currently supported version of Windows 10](/windows/release-health/supported-versions-windows-client#windows-10-supported-versions).| Not supported. | Not supported. | +| **Windows Server 2025** | Not supported. | Not supported. | Not supported. | Not supported. | Not supported. | +| **Windows Server 2022** | Deprecated, with a warning message. | Deprecated, with a warning message. | Deprecated, with a warning message. | Deprecated, with a warning message. | Not supported. | +| **Windows Server 2019** | Supported, using a boot image from a [currently supported version of Windows 10](/windows/release-health/supported-versions-windows-client#windows-10-supported-versions). | Supported. | Supported. | Not supported. | Not supported. | +| **Windows Server 2016** | Supported, using a boot image from a [currently supported version of Windows 10](/windows/release-health/supported-versions-windows-client#windows-10-supported-versions). |Supported. | Not supported. | Not supported. | Not supported. | > [!NOTE] > -> [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) only supports deployment of Windows 10. It doesn't support deployment of Windows 11. For more information, see [Supported platforms](/mem/configmgr/mdt/release-notes#supported-platforms). +> The following error message might be displayed when attempting to use **boot.wim** on WDS running on Windows Server 2025: +> +> `A media driver your computer needs is missing. This could be a DVD, USB or Hard disk driver. If you have a CD, DVD, or USB flash drive with the driver on it, please insert it now.` +> +> An error message is expected since using **boot.wim** on WDS running on Windows Server 2025 isn't supported. 
+ +## Reason for the change + +Alternatives to WDS, such as [Microsoft Configuration Manager](/mem/configmgr/osd/understand/introduction-to-operating-system-deployment), provide a better, more flexible, and feature-rich experience for deploying Windows images. ## Not affected -This change doesn’t affect WDS PXE boot. You can still use WDS to PXE boot devices with custom boot images, but you can't use **boot.wim** as the boot image and run Windows Setup in WDS mode. +This change doesn't affect WDS PXE boot. WDS can still be used to PXE boot devices with custom boot images, but **boot.wim** can't be used as the boot image and run Windows Setup in WDS mode. -You can still run Windows Setup from a network share. This change doesn't change Workflows that use a custom boot.wim, such as MDT or Configuration Manager. +Windows Setup can still run from a network share. This change doesn't change Workflows that use a custom boot.wim, such as Microsoft Deployment Toolkit (MDT) or Microsoft Configuration Manager. ## Summary -- Windows 11 workflows that rely on **boot.wim** from installation media are blocked. You can't perform an end to end deployment of Windows 11 using only WDS. +- Windows 11 workflows that rely on **boot.wim** from installation media are blocked. An end to end deployment of Windows 11 using only WDS can't be performed. + - This change doesn't affect Windows 10, Windows Server 2019, and previous operating system versions. + - Windows Server 2022 workflows that rely on **boot.wim** from installation media show a non-blocking deprecation notice. The notice can be dismissed, and currently the workflow isn't blocked. + - Windows Server workflows after Windows Server 2022 that rely on **boot.wim** from installation media are blocked. 
-If you currently use WDS with **boot.wim** from installation media for end-to-end operating system deployment, and your OS version isn't supported, deprecated, or blocked, it's recommended that you use deployment tools such as MDT, Configuration Manager, or a non-Microsoft solution with a custom boot.wim image. +If WDS is being used with **boot.wim** from installation media for end-to-end operating system deployment, and the OS version isn't supported, deprecated, or blocked, Microsoft recommends using deployment tools such as Microsoft Configuration Manager, or a non-Microsoft solution that uses a custom boot.wim image. -## Also see +## Related content -- [Features removed or no longer developed starting with Windows Server 2022](/windows-server/get-started/removed-deprecated-features-windows-server-2022#features-were-no-longer-developing) -- [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md) +- [Features removed or no longer developed starting with Windows Server 2022](/windows-server/get-started/removed-deprecated-features-windows-server-2022#features-were-no-longer-developing). +- [Customize boot images with Configuration Manager](/mem/configmgr/osd/get-started/customize-boot-images). diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md deleted file mode 100644 index c31afd7cdc..0000000000 --- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md +++ /dev/null 
@@ -1,424 +0,0 @@ ---- -title: Enhanced diagnostic data required by Windows Analytics (Windows 10) -description: Use this article to learn more about the limit enhanced diagnostic data events policy used by Desktop Analytics -ms.service: windows-client -ms.subservice: itpro-privacy -ms.localizationpriority: high -author: DHB-MSFT -ms.author: danbrown -manager: laurawi -ms.date: 10/12/2017 -ms.topic: reference ---- - - -# Windows 10 diagnostic data events and fields collected through the limit enhanced diagnostic data policy - - **Applies to** - -- Windows 10, version 1709 and newer - -> [!IMPORTANT] -> - The Upgrade Readiness and Device Health solutions of Windows Analytics were retired on January 31, 2020. -> - Desktop Analytics is deprecated and was retired on November 30, 2022. - -Desktop Analytics reports are powered by diagnostic data not included in the Basic level. - -In Windows 10, version 1709, we introduced a new feature: "Limit Enhanced diagnostic data to the minimum required by Windows Analytics". When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to only the events described below. The Enhanced level also includes limited crash reports, which are not described below. For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). - -With the retirement of Windows Analytics, this policy will continue to be supported by Desktop Analytics, but will not include Office related diagnostic data. - -## KernelProcess.AppStateChangeSummary -This event summarizes application usage and performance characteristics to help Microsoft improve performance and reliability. Organizations can use this event with Desktop Analytics to gain insights into application reliability. 
- -The following fields are available: - -- **CommitChargeAtExit_Sum:** Total memory commit charge for a process when it exits -- **CommitChargePeakAtExit_Sum**: Total peak memory commit charge for a process when it exits -- **ContainerId:** Server Silo Container ID -- **CrashCount:** Number of crashes for a process instance -- **CycleCountAtExit_Sum:** Total processor cycles for a process when it exited -- **ExtraInfoFlags:** Flags indicating internal states of the logging -- **GhostCount_Sum:** Total number of instances where the application stopped responding -- **HandleCountAtExit_Sum:** Total handle count for a process when it exits -- **HangCount_Max:** Maximum number of hangs detected -- **HangCount_Sum:** Total number of application hangs that are detected -- **HardFaultCountAtExit_Sum:** Total number of hard page faults detected for a process when it exits -- **HeartbeatCount:** Heartbeats logged for this summary -- **HeartbeatSuspendedCount:** Heartbeats logged for this summary where the process was suspended -- **LaunchCount:** Number of process instances started -- **LicenseType:** Reserved for future use -- **ProcessDurationMS_Sum:** Total duration of wall clock process instances -- **ReadCountAtExit_Sum:** Total IO reads for a process when it exited -- **ReadSizeInKBAtExit_Sum:** Total IO read size for a process when it exited -- **ResumeCount:** Number of times a process instance has resumed -- **RunningDurationMS_Sum:** Total uptime -- **SuspendCount:** Number of times a process instance was suspended -- **TargetAppId:** Application identifier -- **TargetAppType:** Application type -- **TargetAppVer:** Application version -- **TerminateCount:** Number of times a process terminated -- **WriteCountAtExit_Sum:** Total number of IO writes for a process when it exited -- **WriteSizeInKBAtExit_Sum:** Total size of IO writes for a process when it exited - -## Microsoft.Office.TelemetryEngine.IsPreLaunch -Applicable for Office UWP applications. 
This event is fired when an Office application is initiated for the first-time post upgrade/install from the store. It's part of basic diagnostic data. It's used to track whether a particular session is a launch session or not. - -- **appVersionBuild:** Third part of the version *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRev:** Fourth part of the version *.*.*.XXXXX -- **SessionID:** ID of the session - -## Microsoft.Office.SessionIdProvider.OfficeProcessSessionStart -This event sends basic information upon the start of a new Office session. It's used to count the number of unique sessions seen on a given device. The event is used as a heartbeat event to ensure that the application is running on a device. In addition, it serves as a critical signal for overall application reliability. - -- **AppSessionGuid:** ID of the session that maps to the process of the application -- **processSessionId:** ID of the session that maps to the process of the application - -## Microsoft.Office.TelemetryEngine.SessionHandOff -Applicable to Win32 Office applications. This event helps us understand whether there was a new session created to handle a user-initiated file open event. It is a critical diagnostic information that is used to derive reliability signal and ensure that the application is working as expected. 
- -- **appVersionBuild:** Third part Build version of the application *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRev:** Fourth part of the version *.*.*.XXXXX -- **childSessionID:** ID of the session that was created to handle the user initiated file open -- **parentSessionId:** ID of the session that was already running - -## Microsoft.Office.CorrelationMetadata.UTCCorrelationMetadata -Collects Office metadata through UTC to compare with equivalent data collected through the Office telemetry pipeline to check correctness and completeness of data. - -- **abConfigs:** List of features enabled for this session -- **abFlights:** List of features enabled for this session -- **AppSessionGuid:** ID of the session -- **appVersionBuild:** Third part Build version of the application *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRevision:** Fourth part of the version *.*.*.XXXXX -- **audienceGroup:** Is this group part of the insiders or production? -- **audienceId:** ID of the audience setting -- **channel:** Are you part of Semi annual channel or Semi annual channel-Targeted? -- **deviceClass:** Is this device a desktop device or a mobile device? -- **impressionId:** What features were available to you in this session -- **languageTag:** Language of the app -- **officeUserID:** A unique identifier tied to the office installation on a particular device. -- **osArchitecture:** Is the machine 32 bit or 64 bit? -- **osEnvironment:** Is this app a win32 app or a UWP app? -- **osVersionString:** Version of the OS -- **sessionID:** ID of the session - -## Microsoft.Office.ClickToRun.UpdateStatus -Applicable to all Win32 applications. Helps us understand the status of the update process of the office suite (Success or failure with error details). 
- -- **build:** App version -- **channel:** Is this part of GA Channel? -- **errorCode:** What error occurred during the upgrade process? -- **errorMessage:** what was the error message during the upgrade process? -- **status:** Was the upgrade successful or not? -- **targetBuild:** What app version were we trying to upgrade to? - -## Microsoft.Office.TelemetryEngine.FirstIdle -This event is fired when the telemetry engine within an office application is ready to send telemetry. Used for understanding whether there are issues in telemetry. - -- **appVersionBuild:** Third part of the version *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRev:** Fourth part of the version *.*.*.XXXXX -- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user -- **SessionID:** ID of the session - -## Microsoft.Office.TelemetryEngine.FirstProcessed -This event is fired when the telemetry engine within an office application has processed the rules or the list of events that we need to collect. Used for understanding whether there are issues in telemetry. - -- **appVersionBuild:** Third part of the version *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRev:** Fourth part of the version *.*.*.XXXXX -- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user -- **SessionID:** ID of the session - -## Microsoft.Office.TelemetryEngine.FirstRuleRequest -This event is fired when the telemetry engine within an office application has received the first rule or list of events that need to be sent by the app. Used for understanding whether there are issues in telemetry. 
- -- **appVersionBuild:** Third part of the version *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRev:** Fourth part of the version *.*.*.XXXXX -- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user -- **SessionID:** ID of the session - -## Microsoft.Office.TelemetryEngine.Init -This event is fired when the telemetry engine within an office application has been initialized or not. Used for understanding whether there are issues in telemetry. - -- **appVersionBuild:** Third part of the version *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRev:** Fourth part of the version *.*.*.XXXXX -- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user -- **SessionID:** ID of the session - -## Microsoft.Office.TelemetryEngine.Resume -This event is fired when the application resumes from sleep state. Used for understanding whether there are issues in the application life cycle. - -- **appVersionBuild:** Third part of the version *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRev:** Fourth part of the version *.*.*.XXXXX -- **maxSequenceIdSeen:** How many events from this session have seen so far? -- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user -- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed? -- **SessionID:** ID of the session - -## Microsoft.Office.TelemetryEngine.RuleRequestFailed -This event is fired when the telemetry engine within an office application fails to retrieve the rules containing the list of telemetry events. Used for understanding whether there are issues in telemetry. 
- -- **appVersionBuild:** Third part of the version *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRev:** Fourth part of the version *.*.*.XXXXX -- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user -- **SessionID:** ID of the session - -## Microsoft.Office.TelemetryEngine.RuleRequestFailedDueToClientOffline -This event is fired when the telemetry engine within an office application fails to retrieve the rules containing the list of telemetry events, when the device is offline. Used for understanding whether there are issues in telemetry. - -- **appVersionBuild:** Third part of the version *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRev:** Fourth part of the version *.*.*.XXXXX -- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user -- **SessionID:** ID of the session - -## Microsoft.Office.TelemetryEngine.ShutdownComplete -This event is fired when the telemetry engine within an office application has processed the rules or the list of events that we need to collect. Useful for understanding whether a particular crash is happening during an app-shutdown, and could potentially lead in data loss or not. - -- **appVersionBuild:** Third part of the version *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRev:** Fourth part of the version *.*.*.XXXXX -- **maxSequenceIdSeen:** How many events from this session have seen so far? -- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user -- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed? 
-- **SessionID:** ID of the session - -## Microsoft.Office.TelemetryEngine.ShutdownStart -This event is fired when the telemetry engine within an office application has been uninitialized, and the application is shutting down. Useful for understanding whether a particular crash is happening during an app-shutdown, and could potentially lead in data loss or not. - -- **appVersionBuild:** Third part of the version *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRev:** Fourth part of the version *.*.*.XXXXX -- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user -- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed? -- **SessionID:** ID of the session - -## Microsoft.Office.TelemetryEngine.SuspendComplete -This event is fired when the telemetry engine within an office application has processed the rules or the list of events that we need to collect. Used for understanding whether there are issues in telemetry. - -- **appVersionBuild:** Third part of the version *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRev:** Fourth part of the version *.*.*.XXXXX -- **maxSequenceIdSeen:** How many events from this session have seen so far? -- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user -- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed? -- **SessionID:** ID of the session -- **SuspendType:** Type of suspend - -## Microsoft.Office.TelemetryEngine.SuspendStart -This event is fired when the office application suspends as per app life-cycle change. Used for understanding whether there are issues in the application life cycle. 
- -- **appVersionBuild:** Third part of the version *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRev:** Fourth part of the version *.*.*.XXXXX -- **maxSequenceIdSeen:** How many events from this session have seen so far? -- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user -- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed? -- **SessionID:** ID of the session -- **SuspendType:** Type of suspend - -## Microsoft.OSG.OSS.CredProvFramework.ReportResultStop -This event indicates the result of an attempt to authenticate a user with a credential provider. It helps Microsoft to improve sign-in reliability. Using this event with Desktop Analytics can help organizations monitor and improve sign-in success for different methods (for example, biometric) on managed devices. - -The following fields are available: - -- **CredTileProviderId:** ID of the Credential Provider -- **IsConnectedUser:** Flag indicating whether a user is connected or not -- **IsPLAPTile:** Flag indicating whether this credential tile is a pre-logon access provider or not -- **IsRemoteSession:** Flag indicating whether the session is remote or not -- **IsV2CredProv:** Flag indicating whether the credential provider of V2 or not -- **OpitonalStatusText:** Status text -- **ProcessImage:** Image path to the process -- **ProviderId:** Credential provider ID -- **ProviderStatusIcon:** Indicates which status icon should be displayed -- **ReturnCode:** Output of the ReportResult function -- **SessionId:** Session identifier -- **Sign-in error status:** The sign-in error status -- **SubStatus:** Sign-in error substatus -- **UserTag:** Count of the number of times a user has selected a provider - -## Microsoft.Windows.Kernel.Power.OSStateChange -This event denotes the transition between operating system states (On, Off, 
Sleep, etc.). By using this event with Desktop Analytics, organizations can monitor reliability and performance of managed devices. - -The following fields are available: - -- **AcPowerOnline:** If "TRUE," the device is using AC power. If "FALSE," the device is using battery power. -- **ActualTransitions:** The number of transitions between operating system states since the last system boot -- **BatteryCapacity:** Maximum battery capacity in mWh -- **BatteryCharge:** Current battery charge as a percentage of total capacity -- **BatteryDischarging:** Flag indicating whether the battery is discharging or charging -- **BootId:** Total boot count since the operating system was installed -- **BootTimeUTC:** Date and time of a particular boot event (identified by BootId) -- **EnergyChangeV2:** A snapshot value in mWh reflecting a change in power usage -- **EnergyChangeV2Flags:** Flags for disambiguating EnergyChangeV2 context -- **EventSequence:** A sequential number used to evaluate the completeness of the data -- **LastStateTransition:** ID of the last operating system state transition -- **LastStateTransitionSub:** ID of the last operating system substate transition -- **StateDurationMS:** Number of milliseconds spent in the last operating system state -- **StateTransition:** ID of the operating system state the system is transitioning to -- **StateTransitionSub:** ID of the operating system substate the system is transitioning to -- **TotalDurationMS:** Total time (in milliseconds) spent in all states since the last boot -- **TotalUptimeMS:** Total time (in milliseconds) the device was in Up or Running states since the last boot -- **TransitionsToOn:** Number of transitions to the Powered On state since the last boot -- **UptimeDeltaMS:** Total time (in milliseconds) added to Uptime since the last event - -## Microsoft.Windows.LogonController.LogonAndUnlockSubmit -Sends details of the user attempting to sign into or unlock the device. 
- -The following fields are available: - -- **isSystemManagedAccount:** Indicates if the user's account is System Managed -- **isUnlockScenario:** Flag indicating whether the event is a Logon or an Unlock -- **userType:** Indicates the user type: 0 = unknown; 1 = local; 2 = Active Directory domain user; 3 = Microsoft Account; 4 = Azure Active Directory user - -## Microsoft.Windows.LogonController.SignInFailure -Sends details about any error codes detected during a failed sign-in. - -The following fields are available: - -- **ntsStatus:** The NTSTATUS error code status returned from an attempted sign-in -- **ntsSubstatus:** The NTSTATUS error code substatus returned from an attempted sign-in - -## Microsoft.Windows.Security.Biometrics.Service.BioServiceActivityCapture -Indicates that a biometric capture was compared to known templates - -The following fields are available: - -- **captureDetail:** Result of biometric capture, either matched to an enrollment or an error -- **captureSuccessful:** Indicates whether a biometric capture was successfully matched or not -- **hardwareId:** ID of the sensor that collected the biometric capture -- **isSecureSensor:** Flag indicating whether a biometric sensor was in enhanced security mode -- **isTrustletRunning:** Indicates whether an enhanced security component is currently running -- **isVsmCfg:** Flag indicating whether virtual secure mode is configured or not - -## Microsoft.Windows.Security.Winlogon.SystemBootStop -System boot has completed. - -The following field is available: - -- **ticksSinceBoot:** Duration of boot event (milliseconds) - -## Microsoft.Windows.Shell.Desktop.LogonFramework.AllLogonTasks -This event summarizes the logon procedure to help Microsoft improve performance and reliability. By using this event with Desktop Analytics, organizations can help identify logon problems on managed devices. 
- -The following fields are available: - -- **isAadUser:** Indicates whether the current logon is for an Azure Active Directory account -- **isDomainUser:** Indicates whether the current logon is for a domain account -- **isMSA:** Indicates whether the current logon is for a Microsoft Account -- **logonOptimizationFlags:** Flags indicating optimization settings for this logon session -- **logonTypeFlags:** Flags indicating logon type (first logon vs. a later logon) -- **systemManufacturer:** Device manufacturer -- **systemProductName:** Device product name -- **wilActivity:** Indicates errors in the task to help Microsoft improve reliability. - -## Microsoft.Windows.Shell.Desktop.LogonFramework.LogonTask -This event describes system tasks that are part of the user logon sequence and helps Microsoft to improve reliability. - -The following fields are available: - -- **isStartWaitTask:** Flag indicating whether the task starts a background task -- **isWaitMethod:** Flag indicating the task is waiting on a background task -- **logonTask:** Indicates which logon step is currently occurring -- **wilActivity:** Indicates errors in the task to help Microsoft improve reliability. - -## Microsoft.Windows.Shell.Explorer.DesktopReady -Initialization of Explorer is complete. - -## Microsoft-Windows-Security-EFS-EDPAudit-ApplicationLearning.EdpAuditLogApplicationLearning -For a device subject to Windows Information Protection policy, learning events are generated when an app encounters a policy boundary (for example, trying to open a work document from a personal app). These events help the Windows Information Protection administrator tune policy rules and prevent unnecessary user disruption. - -The following fields are available: - -- **actiontype:** Indicates what type of resource access the app was attempting (for example, opening a local document vs. a network resource) when it encountered a policy boundary. 
Useful for Windows Information Protection administrators to tune policy rules. -- **appIdType:** Based on the type of application, this field indicates what type of app rule a Windows Information Protection administrator would need to create for this app. -- **appname:** App that triggered the event -- **status:** Indicates whether errors occurred during Windows Information Protection learning events - -## Win32kTraceLogging.AppInteractivitySummary -Summarizes which app windows are being used (for example, have focus) to help Microsoft improve compatibility and user experience. Also helps organizations (by using Desktop Analytics) to understand and improve application reliability on managed devices. - -The following fields are available: - -- **AggregationDurationMS:** Actual duration of aggregation period (in milliseconds) -- **AggregationFlags:** Flags denoting aggregation settings -- **AggregationPeriodMS:** Intended duration of aggregation period (in milliseconds) -- **AggregationStartTime:** Start date and time of AppInteractivity aggregation -- **AppId:** Application ID for usage -- **AppSessionId:** GUID identifying the application's usage session -- **AppVersion:** Version of the application that produced this event -- **AudioInMS:** Audio capture duration (in milliseconds) -- **AudioOutMS:** Audio playback duration (in milliseconds) -- **BackgroundMouseSec:** Indicates that there was a mouse hover event while the app was in the background -- **BitPeriodMS:** Length of the period represented by InFocusBitmap -- **CommandLineHash:** A hash of the command line -- **CompositionDirtyGeneratedSec:** Represents the amount of time (in seconds) during which the active app reported that it had an update -- **CompositionDirtyPropagatedSec:** Total time (in seconds) that a separate process with visuals hosted in an app signaled updates -- **CompositionRenderedSec:** Time (in seconds) that an app's contents were rendered -- **EventSequence:** [need more info] -- 
**FocusLostCount:** Number of times that an app lost focus during the aggregation period -- **GameInputSec:** Time (in seconds) there was user input using a game controller -- **HidInputSec:** Time (in seconds) there was user input using devices other than a game controller -- **InFocusBitmap:** Series of bits representing application having and losing focus -- **InFocusDurationMS:** Total time (in milliseconds) the application had focus -- **InputSec:** Total number of seconds during which there was any user input -- **InteractiveTimeoutPeriodMS:** Total time (in milliseconds) that inactivity expired interactivity sessions -- **KeyboardInputSec:** Total number of seconds during which there was keyboard input -- **MonitorFlags:** Flags indicating app use of individual monitor(s) -- **MonitorHeight:** Number of vertical pixels in the application host monitor resolution -- **MonitorWidth:** Number of horizontal pixels in the application host monitor resolution -- **MouseInputSec:** Total number of seconds during which there was mouse input -- **NewProcessCount:** Number of new processes contributing to the aggregate -- **PartATransform_AppSessionGuidToUserSid:** Flag that influences how other parts of the event are constructed -- **PenInputSec:** Total number of seconds during which there was pen input -- **SpeechRecognitionSec:** Total number of seconds of speech recognition -- **SummaryRound:** Incrementing number indicating the round (batch) being summarized -- **TargetAsId:** Flag that influences how other parts of the event are constructed -- **TotalUserOrDisplayActiveDurationMS:** Total time the user or the display was active (in milliseconds) -- **TouchInputSec:** Total number of seconds during which there was touch input -- **UserActiveDurationMS:** Total time that the user was active including all input methods -- **UserActiveTransitionCount:** Number of transitions in and out of user activity -- **UserOrDisplayActiveDurationMS:** Total time the user was 
using the display -- **ViewFlags:** Flags denoting  properties of an app view (for example, special VR view or not) -- **WindowFlags:** Flags denoting runtime properties of an app window -- **WindowHeight:** Number of vertical pixels in the application window -- **WindowWidth:** Number of horizontal pixels in the application window - -## Revisions - -### PartA_UserSid removed -A previous revision of this list stated that a field named PartA_UserSid was a member of the event Microsoft.Windows.LogonController.LogonAndUnlockSubmit. This statement was incorrect. The list has been updated to reflect that no such field is present in the event. - -### Office events added -In Windows 10, version 1809 (also applies to versions 1709 and 1803 starting with [KB 4462932](https://support.microsoft.com/help/4462932/windows-10-update-kb4462932) and [KB 4462933](https://support.microsoft.com/help/4462933/windows-10-update-kb4462933) respectively), 16 events were added, describing Office app launch and availability. These events were added to improve the precision of Office data in Windows Analytics. - -> [!NOTE] -> Office data will no longer be provided through this policy in Desktop Analytics. - -### CertAnalytics events removed -In Windows 10, version 1809 (also applies to versions 1709 and 1803 starting with [KB 4462932](https://support.microsoft.com/help/4462932/windows-10-update-kb4462932) and [KB 4462933](https://support.microsoft.com/help/4462933/windows-10-update-kb4462933) respectively), 3 "CertAnalytics" events were removed, as they are no longer required for Desktop Analytics. - ->[!NOTE] ->You can use the Windows Diagnostic Data Viewer to observe and review events and their fields as described in this topic. diff --git a/windows/privacy/toc.yml b/windows/privacy/toc.yml index b6ad626c23..a90650c92d 100644 --- a/windows/privacy/toc.yml +++ b/windows/privacy/toc.yml 
@@ -37,8 +37,6 @@ href: windows-diagnostic-data.md - name: Windows 10, version 1703 optional diagnostic data href: windows-diagnostic-data-1703.md - - name: Windows 10 diagnostic data events and fields collected through the limit enhanced diagnostic data policy - href: enhanced-diagnostic-data-windows-analytics-events-and-fields.md - name: Manage Windows connected experiences items: - name: Manage connections from Windows operating system components to Microsoft services diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/TOC.yml b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/TOC.yml index e235cf65ec..74c7012d07 100644 --- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/TOC.yml +++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/TOC.yml @@ -1,6 +1,6 @@ - name: Microsoft Defender Application Guard href: md-app-guard-overview.md - items: + items: - name: System requirements href: reqs-md-app-guard.md - name: Install Application Guard @@ -9,10 +9,5 @@ href: configure-md-app-guard.md - name: Test scenarios href: test-scenarios-md-app-guard.md - - name: Microsoft Defender Application Guard Extension - href: md-app-guard-browser-extension.md - name: Application Guard FAQ - href: faq-md-app-guard.yml -- name: Windows security - href: /windows/security/ - + href: faq-md-app-guard.yml \ No newline at end of file diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md index 2a40f36ead..e5279d14fa 100644 --- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md 
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md @@ -2,7 +2,7 @@ title: Configure the Group Policy settings for Microsoft Defender Application Guard description: Learn about the available Group Policy settings for Microsoft Defender Application Guard. ms.localizationpriority: medium -ms.date: 12/12/2023 +ms.date: 07/11/2024 ms.topic: how-to --- 
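Review bot: in the `microsoft-defender-application-guard/TOC.yml` hunk `@@ -9,10 +9,5 @@`, the rewritten last line drops the file's trailing newline (`\ No newline at end of file`); restore it so the next edit to this file does not show a spurious change on `href: faq-md-app-guard.yml`. The same hunk also removes the root node `- name: Windows security` / `href: /windows/security/` together with the extension entry; that back-link removal is unrelated to retiring the extension page, so if it is intended, call it out in the PR description rather than leaving it implicit.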
@@ -17,11 +17,11 @@ Application Guard uses both network isolation and application-specific settings. [!INCLUDE [microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management](../../../../../includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md)] -For more information about Microsoft Defender Application Guard (MDAG) for Edge in stand-alone mode, see [Microsoft Defender Application Guard overview](md-app-guard-overview.md). +For more information about Microsoft Defender Application Guard (MDAG) for Microsoft Edge in stand-alone mode, see [Microsoft Defender Application Guard overview](md-app-guard-overview.md). ## Network isolation settings -These settings, located at `Computer Configuration\Administrative Templates\Network\Network Isolation`, help you define and manage your organization's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container. +These settings, located at `Computer Configuration\Administrative Templates\Network\Network Isolation`, help you define and manage your organization's network boundaries. Application Guard uses this information to automatically transfer any requests to access the noncorporate resources into the Application Guard container. > [!NOTE] > For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you don't need to configure network isolation policy to enable Application Guard for Microsoft Edge in managed mode. 
@@ -33,7 +33,7 @@ These settings, located at `Computer Configuration\Administrative Templates\Netw |-----------|------------------|-----------| |Private network ranges for apps | At least Windows Server 2012, Windows 8, or Windows RT| A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| |Enterprise resource domains hosted in the cloud| At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (`|`) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.

This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.| -|Domains categorized as both work and personal| At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment.

This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.| +|Domains categorized as both work and personal| At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Microsoft Edge environment.

This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.| ## Network isolation settings wildcards @@ -52,7 +52,7 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind |Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Education, 1809 or higher

Windows 11 Enterprise and Education|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** This is effective only in managed mode. Turns on the clipboard functionality and lets you choose whether to additionally:
- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

**Disabled or not configured.** Completely turns off the clipboard functionality for Application Guard.| |Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Education, 1809 or higher

Windows 11 Enterprise and Education|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns on the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.

**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| |Allow Persistence|Windows 10 Enterprise, 1709 or higher

Windows 10 Education, 1809 or higher

Windows 11 Enterprise and Education|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

**Disabled or not configured.** All user data within Application Guard is reset between sessions.

**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| -|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1709 or higher

Windows 10 Education, 1809 or higher

Windows 11 Enterprise and Education|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.

**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.| +|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1709 or higher

Windows 10 Education, 1809 or higher

Windows 11 Enterprise and Education|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.

**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you're no longer required to configure network isolation policy to enable Application Guard for Microsoft Edge.| |Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher

Windows 10 Education, 1809 or higher

Windows 11 Enterprise or Pro or Education|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.| |Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1709 or higher

Windows 10 Education, 1809 or higher

Windows 11 Enterprise and Education|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won't load any third-party graphics drivers or interact with any connected graphics hardware.| |Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1709 or higher

Windows 10 Education, 1809 or higher

Windows 11 Enterprise and Education|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard.yml index 43f2f31197..b539097c6d 100644 --- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -4,7 +4,7 @@ metadata: description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard. ms.localizationpriority: medium ms.topic: faq - ms.date: 12/12/2023 + ms.date: 07/11/2024 title: Frequently asked questions - Microsoft Defender Application Guard summary: | @@ -211,7 +211,7 @@ sections: - question: | What does the _Allow users to trust files that open in Microsoft Defender Application Guard_ option in the Group policy do? answer: | - This policy was present in Windows 10 prior to version 2004. It was removed from later versions of Windows as it doesn't enforce anything for either Edge or Office. + This policy was present in Windows 10 prior to version 2004. It was removed from later versions of Windows as it doesn't enforce anything for either Microsoft Edge or Office. - question: | How do I open a support ticket for Microsoft Defender Application Guard? 
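Review bot: in the `configure-md-app-guard.md` hunk `@@ -33,7 +33,7 @@`, the rewritten row still reads `A comma-separated list of domain names used as both work or personal resources`; since the line is being touched for the `Microsoft Edge` rename anyway, fix the grammar too: `used as both work and personal resources`, which also matches the row's name `Domains categorized as both work and personal`.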
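Review bot: in the `configure-md-app-guard.md` hunk `@@ -52,7 +52,7 @@`, the rewritten `Turn on Microsoft Defender Application Guard in Managed Mode` row contradicts itself: the Enabled text says `Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device`, while the Note on the same line says that with KB5014666 (Windows 10) or KB5014668 (Windows 11) installed `you're no longer required to configure network isolation policy to enable Application Guard for Microsoft Edge`. Qualify the first sentence, for example `...unless the required prerequisites are met and, on devices without the update named in the Note, the network isolation settings are configured`. On the same line, `**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office` is misleading because the policy governs content, not apps; `allowing all sites and documents to open in Microsoft Edge and Microsoft Office without isolation` states what actually happens.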
@@ -220,9 +220,9 @@ sections: - Under the Product Family, select Windows. Select the product and the product version you need help with. For the category that best describes the issue, select, **Windows Security Technologies**. In the final option, select **Windows Defender Application Guard**. - question: | - Is there a way to enable or disable the behavior where the host Edge tab auto-closes when navigating to an untrusted site? + Is there a way to enable or disable the behavior where the host Microsoft Edge tab auto-closes when navigating to an untrusted site? answer: | - Yes. Use this Edge flag to enable or disable this behavior: `--disable-features="msWdagAutoCloseNavigatedTabs"` + Yes. Use this Microsoft Edge flag to enable or disable this behavior: `--disable-features="msWdagAutoCloseNavigatedTabs"` additionalContent: | diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md index 33375dd2a1..beefaa14bb 100644 --- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md +++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md @@ -1,7 +1,7 @@ --- title: Enable hardware-based isolation for Microsoft Edge description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed), and how to install Application Guard in your enterprise. -ms.date: 12/12/2023 +ms.date: 07/11/2024 ms.topic: how-to --- 
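Review bot: in the `faq-md-app-guard.yml` hunk `@@ -220,9 +220,9 @@`, the rewritten answer still promises a way to `enable or disable this behavior` but only supplies `--disable-features="msWdagAutoCloseNavigatedTabs"`, which is a Microsoft Edge command-line switch that turns the auto-close off for the browser instance launched with it; it cannot turn the behavior on and it is not a persistent policy setting. Since the line is being rewritten, say that auto-closing the host tab is the default, that launching Microsoft Edge with this switch disables it for that session, and that omitting the switch restores the default.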
@@ -31,7 +31,7 @@ Standalone mode is applicable for: ## Enterprise-managed mode -You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to add non-enterprise domain(s) in the container. +You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to add nonenterprise domain(s) in the container. Enterprise-managed mode is applicable for: @@ -93,7 +93,7 @@ Application Guard functionality is turned off by default. However, you can quick To learn more about scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags). -1. In the **Assignments** page, select the users or groups that will receive the policy. Select **Next**. +1. In the **Assignments** page, select the users or groups that receive the policy. Select **Next**. To learn more about assigning policies, see [Assign policies in Microsoft Intune](/mem/intune/configuration/device-profile-assign). diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension.md deleted file mode 100644 index f841705678..0000000000 --- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension.md +++ /dev/null 
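Review bot: in the `install-md-app-guard.md` hunk `@@ -31,7 +31,7 @@`, the rewritten sentence `Enterprise-managed mode also automatically redirects any browser requests to add nonenterprise domain(s) in the container` keeps the garbled `to add ... in the container`; since the line is being touched for the `nonenterprise` spelling, fix the verb as well: `Enterprise-managed mode also automatically redirects any browser request for a nonenterprise domain into the container`.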
@@ -1,89 +0,0 @@ ---- -title: Microsoft Defender Application Guard Extension -description: Learn about the Microsoft Defender Application Guard browser extension, which extends Application Guard's protection to more web browsers. -ms.localizationpriority: medium -ms.date: 12/12/2023 -ms.topic: conceptual ---- - -# Microsoft Defender Application Guard Extension - -[!INCLUDE [mdag-edge-deprecation-notice](../../../includes/mdag-edge-deprecation-notice.md)] - -[Microsoft Defender Application Guard Extension](https://www.microsoft.com/security/blog/2019/05/23/new-browser-extensions-for-integrating-microsofts-hardware-based-isolation/) is a web browser add-on available for [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/). - -[Microsoft Defender Application Guard](md-app-guard-overview.md) provides Hyper-V isolation on Windows 10 and Windows 11, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers. - -> [!TIP] -> Application Guard, by default, offers [native support](/deployedge/microsoft-edge-security-windows-defender-application-guard) to both Microsoft Edge and Internet Explorer. These browsers do not need the extension described here for Application Guard to protect them. - -Microsoft Defender Application Guard Extension defends devices in your organization from advanced attacks, by redirecting untrusted websites to an isolated version of [Microsoft Edge](https://www.microsoft.com/edge). If an untrusted website turns out to be malicious, it remains within Application Guard's secure container, keeping the device protected. 
- -## Prerequisites - -Microsoft Defender Application Guard Extension works with the following editions of Windows 10, version 1809 or later: - -- Windows 10 Professional -- Windows 10 Enterprise -- Windows 10 Education -- Windows 11 - -Application Guard itself is required for the extension to work. It has its own set of [requirements](reqs-md-app-guard.md). Check the Application Guard [installation guide](install-md-app-guard.md) for further steps, if you don't have it installed already. - -## Installing the extension - -Application Guard can be run under [managed mode](install-md-app-guard.md#enterprise-managed-mode) or [standalone mode](install-md-app-guard.md#standalone-mode). The main difference between the two modes is whether policies have been set to define the organization's boundaries. - -Enterprise administrators running Application Guard under managed mode should first define Application Guard's [network isolation settings](configure-md-app-guard.md#network-isolation-settings), so a set of enterprise sites is already in place. - -From there, the steps for installing the extension are similar whether Application Guard is running in managed or standalone mode. - -1. On the local device, download and install the Application Guard extension for Google [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and/or Mozilla [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/). -1. Install the [Microsoft Defender Application Guard companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8#activetab=pivot:overviewtab) from the Microsoft Store. This companion app enables Application Guard to work with web browsers other than Microsoft Edge or Internet Explorer. -1. Restart the device. - -### Recommended browser group policies - -Both Chrome and Firefox have their own browser-specific group policies. 
We recommend that admins use the following policy settings. - -#### Chrome policies - -These policies can be found along the filepath, `Software\Policies\Google\Chrome\`, with each policy name corresponding to the file name. For example, `IncognitoModeAvailability` is located at `Software\Policies\Google\Chrome\IncognitoModeAvailability`. - -Policy name | Values | Recommended setting | Reason --|-|-|- -[IncognitoModeAvailability](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=IncognitoModeAvailability) | `0` = Enabled
`1` = Disabled
`2` = Forces pages to only open in Incognito mode | Disabled | This policy allows users to start Chrome in Incognito mode. In this mode, all extensions are turned off by default. -[BrowserGuestModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BrowserGuestModeEnabled) | `false` or `0` = Disabled
`true`, `1`, or not configured = Enabled | Disabled | This policy allows users to sign in as *Guest*, which opens a session in Incognito mode. In this mode, all extensions are turned off by default. -[BackgroundModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BackgroundModeEnabled) | `false` or `0` = Disabled
`true` or `1` = Enabled

**Note:** If this policy isn't set, the user can enable or disable background mode through local browser settings. | Enabled | This policy keeps Chrome running in the background, ensuring that navigation is always passed to the extension. -[ExtensionSettings](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings) | This policy accepts a dictionary that configures multiple other management settings for Chrome. See the [Google Cloud documentation](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings) for complete schema. | Include an entry for `force_installed` | This policy prevents users from manually removing the extension. - -#### Firefox policies - -These policies can be found along the filepath, `Software\Policies\Mozilla\Firefox\`, with each policy name corresponding to the file name. Foe example, `DisableSafeMode` is located at `Software\Policies\Mozilla\Firefox\DisableSafeMode`. - -Policy name | Values | Recommended setting | Reason --|-|-|- -[DisableSafeMode](https://github.com/mozilla/policy-templates/blob/master/README.md#DisableSafeMode) | `false` or `0` = Safe mode is enabled
`true` or `1` = Safe mode is disabled | The policy is enabled and Safe mode isn't allowed to run. | Safe mode can allow users to circumvent Application Guard -[BlockAboutConfig](https://github.com/mozilla/policy-templates/blob/master/README.md#BlockAboutConfig) | `false` or `0` = User access to `about:config` is allowed
`true` or `1` = User access to `about:config` isn't allowed | The policy is enabled and access to `about:config` isn't allowed. | `About:config` is a special page within Firefox that offers control over many settings that may compromise security -[Extensions - Locked](https://github.com/mozilla/policy-templates/blob/master/README.md#Extensions) | This setting accepts a list of UUIDs for extensions. You can find these extensions by searching `extensions.webextensions.uuids` within the `about:config` page) | Software\Policies\Mozilla\Firefox\Extensions\Locked\1 = "`ApplicationGuardRel@microsoft.com`" | This setting allows you to lock the extension, so the user can't disable or uninstall it. - -## Troubleshooting guide - - - -Error message | Cause | Actions --|-|- -Application Guard undetermined state | The extension was unable to communicate with the companion app during the last information request. | 1. Install the [companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8?activetab=pivot:overviewtab) and reboot
2. If the companion app is already installed, reboot and see if that resolves the error
3. If you still see the error after rebooting, uninstall and reinstall the companion app
4. Check for updates in both the Microsoft store and the respective web store for the affected browser -ExceptionThrown | An unexpected exception was thrown. | 1. [File a bug](https://aka.ms/wdag-fb)
2. Retry the operation -Failed to determine if Application Guard is enabled | The extension was able to communicate with the companion app, but the information request failed in the app. | 1. Restart the browser
2. Check for updates in both the Microsoft store and the respective web store for the affected browser -Launch in WDAG failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This error can be caused by the companion app being uninstalled while Chrome was running. | 1. Make sure the companion app is installed
2. If the companion app is installed, reboot and see if that resolves the error
3. If you still see the error after rebooting, uninstall and reinstall the companion app
4. Check for updates in both the Microsoft store and the respective web store for the affected browser -Main page navigation caught an unexpected error | An unexpected exception was thrown during the main page navigation. | 1. [File a bug](https://aka.ms/wdag-fb)
2. Retry the operation -Process trust response failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This error can be caused by the companion app being uninstalled while Chrome was running.| 1. Make sure the companion app is installed.
2. If the companion app is installed, reboot and see if that resolves the error
3. If you still see the error after rebooting, uninstall and reinstall the companion app
4. Check for updates in both the Microsoft store and the respective web store for the affected browser -Protocol out of sync | The extension and native app can't communicate with each other. This error is likely caused by one being updated without supporting the protocol of the other. | Check for updates in both the Microsoft store, and the web store for the affected browser -Security patch level doesn't match | Microsoft determined that there was a security issue with either the extension or the companion app, and has issued a mandatory update. | Check for updates in both the Microsoft store, and the web store for the affected browser -Unexpected response while processing trusted state | The extension was able to communicate with the companion app, but the API failed and a failure response code was sent back to the extension. | 1. [File a bug](https://aka.ms/wdag-fb)
2. Check if Microsoft Edge is working
3. Retry the operation - -## Related articles - -- [Microsoft Defender Application Guard overview](md-app-guard-overview.md) -- [Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md) diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md index 109331df35..cc5f471678 100644 --- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md @@ -1,7 +1,7 @@ --- title: Microsoft Defender Application Guard description: Learn about Microsoft Defender Application Guard and how it helps combat malicious content and malware out on the Internet. -ms.date: 12/12/2023 +ms.date: 07/11/2024 ms.topic: conceptual --- 
@@ -15,7 +15,7 @@ Microsoft Defender Application Guard (MDAG) is designed to help prevent old and For Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container. -For Microsoft Office, Application Guard helps prevents untrusted Word, PowerPoint and Excel files from accessing trusted resources. Application Guard opens untrusted files in an isolated Hyper-V-enabled container. The isolated Hyper-V container is separate from the host operating system. This container isolation means that if the untrusted site or file turns out to be malicious, the host device is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials. +For Microsoft Office, Application Guard helps prevents untrusted Word, PowerPoint, and Excel files from accessing trusted resources. Application Guard opens untrusted files in an isolated Hyper-V-enabled container. The isolated Hyper-V container is separate from the host operating system. This container isolation means that if the untrusted site or file turns out to be malicious, the host device is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials. ![Hardware isolation diagram.](images/appguard-hardware-isolation.png) 
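Review bot: the + line keeps the grammatical error `helps prevents` and only adds the serial comma; it should read `Application Guard helps prevent untrusted Word, PowerPoint, and Excel files from accessing trusted resources.` While in this paragraph, `For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials` is not an example of the preceding sentence but a consequence of it; `Because the container is anonymous, an attacker can't get to your employee's enterprise credentials` states the point the paragraph is making.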
@@ -33,7 +33,7 @@ Application Guard has been created to target several types of devices: [!INCLUDE [microsoft-defender-application-guard-mdag-for-edge-standalone-mode](../../../../../includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md)] -For more information about Microsoft Defender Application Guard (MDAG) for Edge enterprise mode, [Configure Microsoft Defender Application Guard policy settings.](configure-md-app-guard.md) +For more information about Microsoft Defender Application Guard (MDAG) for Microsoft Edge enterprise mode, [Configure Microsoft Defender Application Guard policy settings.](configure-md-app-guard.md) ## Related articles 
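Review bot: on the + line the period is inside the link text and the sentence has no verb: `For more information about ... enterprise mode, [Configure Microsoft Defender Application Guard policy settings.](configure-md-app-guard.md)`. Reword to `For more information about Microsoft Defender Application Guard (MDAG) for Microsoft Edge enterprise mode, see [Configure Microsoft Defender Application Guard policy settings](configure-md-app-guard.md).`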
@@ -43,7 +43,6 @@ For more information about Microsoft Defender Application Guard (MDAG) for Edge |[Prepare and install Microsoft Defender Application Guard](install-md-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.| |[Configure the Group Policy settings for Microsoft Defender Application Guard](configure-md-app-guard.md) |Provides info about the available Group Policy and MDM settings.| |[Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.| -| [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide | | [Microsoft Defender Application Guard for Microsoft Office](/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide | |[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.yml)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| |[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| 
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md index ff5414fd19..f8e31a69f9 100644 --- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -3,7 +3,7 @@ title: System requirements for Microsoft Defender Application Guard description: Learn about the system requirements for installing and running Microsoft Defender Application Guard. ms.topic: overview ms.localizationpriority: medium -ms.date: 12/12/2023 +ms.date: 07/11/2024 --- # System requirements for Microsoft Defender Application Guard @@ -24,8 +24,8 @@ Your environment must have the following hardware to run Microsoft Defender Appl | Hardware | Description | |--------|-----------| -| 64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| -| CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

**AND**

One of the following virtualization extensions for VBS:
VT-x (Intel)
**OR**
AMD-V | +| 64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and Virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| +| CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

**AND**

One of the following virtualization extensions for VBS:
VT-x (Intel)
**OR**
AMD-V | | Hardware memory | Microsoft requires a minimum of 8-GB RAM | | Hard disk | 5-GB free space, solid state disk (SSD) recommended | | Input/Output Memory Management Unit (IOMMU) support| Not required, but recommended | @@ -38,4 +38,4 @@ Your environment must have the following hardware to run Microsoft Defender Appl |--------|-----------| | Operating system | Windows 10 Enterprise or Education editions, version 1809 or later
Windows 10 Professional edition, version 1809 or later (only [standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard#standalone-mode) is supported)
Windows 11 Education or Enterprise editions
Windows 11 Professional edition (only [Standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard#standalone-mode) is supported) | | Browser | Microsoft Edge | -| Management system
(only for managed devices)| [Microsoft Intune](/intune/)

**OR**

[Microsoft Configuration Manager](/configmgr/)

**OR**

[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

**OR**

Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Microsoft MDM solutions, see the documentation that came with your product. | +| Management system
(only for managed devices)| [Microsoft Intune](/intune/)

**OR**

[Microsoft Configuration Manager](/configmgr/)

**OR**

[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

**OR**

Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Microsoft MDM solutions, see the documentation that came with your product. | diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md index f63bfb9f1f..8e457f7603 100644 --- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md +++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md @@ -2,7 +2,7 @@ title: Testing scenarios with Microsoft Defender Application Guard description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode. ms.localizationpriority: medium -ms.date: 12/12/2023 +ms.date: 07/11/2024 ms.topic: conceptual --- @@ -39,7 +39,7 @@ How to install, set up, turn on, and configure Application Guard for Enterprise- ### Install, set up, and turn on Application Guard -Before you can use Application Guard in managed mode, you must install Windows 10 Enterprise edition, version 1709, and Windows 11 which includes the functionality. Then, you must use Group Policy to set up the required settings. +Before you can use Application Guard in managed mode, you must install Windows 10 Enterprise edition, version 1709, and Windows 11, which includes the functionality. Then, you must use Group Policy to set up the required settings. 1. [Install Application Guard](install-md-app-guard.md#install-application-guard). 
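Review bot: in reqs-md-app-guard.md, the `-`/`+` pairs for the `CPU virtualization extensions` row (hunk `@@ -24,8`) and the `Management system` row (hunk `@@ -38,4`) show no visible difference, so these are whitespace or line-ending changes only; either drop the no-op churn or say what changed in the commit. The one substantive edit in the file, `virtualization-based security (VBS)` to `Virtualization-based security (VBS)` mid-sentence after `hypervisor and`, should be checked against the casing the other Application Guard pages use for VBS in running text so the requirements page does not become the odd one out.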
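Review bot: in test-scenarios-md-app-guard.md (hunk `@@ -39,7`) the + line still says `Windows 10 Enterprise edition, version 1709`, while reqs-md-app-guard.md in this same change lists `Windows 10 Enterprise or Education editions, version 1809 or later` as the supported operating system; the two pages should agree on the minimum version. The added comma also makes `which includes the functionality` read as qualifying both Windows 10 and Windows 11; `you must install Windows 10 Enterprise edition, version 1809 or later, or Windows 11, which include the functionality` avoids that.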
@@ -207,7 +207,7 @@ You have the option to change each of these settings to work with your enterpris 3. Sign out and back in to your device, opening Microsoft Edge in Application Guard again. -4. Open an application with video or audio capability in Edge. +4. Open an application with video or audio capability in Microsoft Edge. 5. Check that the camera and microphone work as expected. @@ -223,7 +223,7 @@ You have the option to change each of these settings to work with your enterpris ## Application Guard Extension for third-party web browsers -The [Application Guard Extension](md-app-guard-browser-extension.md) available for Chrome and Firefox allows Application Guard to protect users even when they are running a web browser other than Microsoft Edge or Internet Explorer. +The [Application Guard Extension](md-app-guard-browser-extension.md) available for Chrome and Firefox allows Application Guard to protect users even when they're running a web browser other than Microsoft Edge or Internet Explorer. Once a user has the extension and its companion app installed on their enterprise device, you can run through the following scenarios. 
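Review bot: the + line in the `## Application Guard Extension for third-party web browsers` hunk keeps the link `[Application Guard Extension](md-app-guard-browser-extension.md)`, but this change deletes that file, so the relative link is broken after merge; drop the link or point it at md-app-guard-overview.md. Beyond the link, the section tells the reader to install an extension and companion app that the deprecation include in this same change says are no longer available, so copy-editing `they are` to `they're` is not enough: remove the section, or lead it with the `mdag-edge-deprecation-notice` include so readers are not sent to unpublished store listings.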
@@ -232,7 +232,7 @@ Once a user has the extension and its companion app installed on their enterpris 2. Navigate to an organizational website. In other words, an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded. ![The evaluation page displayed while the page is being loaded, explaining that the user must wait.](images/app-guard-chrome-extension-evaluation-page.png) -3. Navigate to a non-enterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge. +3. Navigate to a nonenterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge. ![A non-enterprise website being redirected to an Application Guard container -- the text displayed explains that the page is being opened in Application Guard for Microsoft Edge.](images/app-guard-chrome-extension-launchIng-edge.png) 4. Open a new Application Guard window, by selecting the Microsoft Defender Application Guard icon, then **New Application Guard Window** diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md index adf405569f..8d8f873a38 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md 
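Review bot: the + line still contains the duplicated word in `external website site`; the hunk only changes `non-enterprise` to `nonenterprise`. Use `Navigate to a nonenterprise, external website, such as [www.bing.com](https://www.bing.com).` This step, and the `New Application Guard Window` step after it, also rely on the Chrome extension redirecting to Application Guard Edge, which the deprecation include in this change says is no longer available; see the earlier comment on this section.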
@@ -35,8 +35,8 @@ Windows Sandbox has the following properties: - At least two CPU cores (four cores with hyper-threading recommended) > [!NOTE] -> Windows Sandbox is currently not supported on Windows Home edition - +> Windows Sandbox is currently not supported on Windows Home edition. +> Beginning in Windows 11, version 24H2, all inbox store apps like calculator, photos, notepad and terminal are not available inside Windows Sandbox. Ability to use these apps will be added soon. ## Installation 1. Ensure that your machine is using Windows 10 Pro or Enterprise, build version 18305 or Windows 11. diff --git a/windows/security/includes/mdag-edge-deprecation-notice.md b/windows/security/includes/mdag-edge-deprecation-notice.md index cf4028ac1c..150cffe43f 100644 --- a/windows/security/includes/mdag-edge-deprecation-notice.md +++ b/windows/security/includes/mdag-edge-deprecation-notice.md 
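Review bot: the windows-sandbox-overview.md hunk removes the blank line that separated the `> [!NOTE]` block from `## Installation`, so the heading now directly follows the blockquote; restore the blank line (the original had it, and the docs markdown lint expects headings to be surrounded by blank lines). The added sentence is also too vague for a requirements note: `all inbox store apps like calculator, photos, notepad and terminal are not available inside Windows Sandbox. Ability to use these apps will be added soon.` Use the product names (Calculator, Photos, Notepad, Windows Terminal), state plainly that inbox Store apps are not available inside Windows Sandbox starting with Windows 11, version 24H2, and replace `soon` with a version number or a link to the release notes, since a reader months from now cannot tell whether `soon` has already happened.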
@@ -1,10 +1,10 @@ --- author: vinaypamnani-msft ms.author: vinpa -ms.date: 04/23/2024 +ms.date: 07/11/2024 ms.topic: include --- > [!NOTE] > - Microsoft Defender Application Guard, including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), will be deprecated for Microsoft Edge for Business and [will no longer be updated](/windows/whats-new/feature-lifecycle). Please download the [Microsoft Edge For Business Security Whitepaper](https://edgestatic.azureedge.net/shared/cms/pdfs/Microsoft_Edge_Security_Whitepaper_v2.pdf) to learn more about Edge for Business security capabilities. -> - Because Application Guard is deprecated there will not be a migration to Edge Manifest V3. The corresponding extensions and associated [Windows Store app](https://apps.microsoft.com/detail/9N8GNLC8Z9C8) will not be available after May 2024. This affects the following browsers: [*Application Guard Extension - Chrome*](https://chromewebstore.google.com/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj) and [*Application Guard Extension - Firefox*](https://addons.mozilla.org/firefox/addon/application-guard-extension/). If you want to block unprotected browsers until you are ready to retire MDAG usage in your enterprise, we recommend using AppLocker policies or [Microsoft Edge management service](/deployedge/microsoft-edge-management-service). For more information, see [Microsoft Edge and Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard). \ No newline at end of file +> - Because Application Guard is deprecated there will not be a migration to Edge Manifest V3. The corresponding browser extensions and associated Windows Store app are no longer available. If you want to block unprotected browsers until you are ready to retire MDAG usage in your enterprise, we recommend using AppLocker policies or [Microsoft Edge management service](/deployedge/microsoft-edge-management-service). 
For more information, see [Microsoft Edge and Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard). \ No newline at end of file
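Review bot: in the mdag-edge-deprecation-notice.md hunk, dropping the Chrome Web Store, Firefox add-on and Windows Store links on the + line is right now that those listings are unpublished, but the rewritten sentence `The corresponding browser extensions and associated Windows Store app are no longer available` loses the list of affected browsers that the - line carried; keep `(the Application Guard extensions for Chrome and Firefox)` in plain text so admins know which extensions to retire from their policies. Both the - and + lines end with `\ No newline at end of file`; add the trailing newline while touching the include.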