Merge pull request #8153 from vinaypamnani-msft/vp-collapse

Remove collapsible sections 😭
Stacyrch140 2023-04-18 13:16:18 -04:00 committed by GitHub
commit d21f739865
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 1140 additions and 1268 deletions


@ -95,9 +95,7 @@ In **Windows 10, version 1909**, Microsoft Edge kiosk mode support was added. Th
For more examples, see [AssignedAccessConfiguration examples](#assignedaccessconfiguration-examples). For more examples, see [AssignedAccessConfiguration examples](#assignedaccessconfiguration-examples).
<br> - Get Configuration
<details>
<summary>Get Configuration</summary>
```xml ```xml
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncML xmlns='SYNCML:SYNCML1.2'>
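Review bot: the new `- Get Configuration` line is a bullet, but the ```xml fence that follows it starts at column 0, so the fence closes the list and each later bullet in this file (`- Delete Configuration`, `- Add KioskModeApp`, and so on) becomes its own one-item list. Either indent the fenced block two spaces under the bullet so the XML nests inside its item, or drop the bullets in favour of a bold label like the `**Examples**:` lines this file already uses; the same pattern recurs in every section converted by this change.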
@ -115,11 +113,7 @@ For more examples, see [AssignedAccessConfiguration examples](#assignedaccesscon
</SyncML> </SyncML>
``` ```
</details> - Delete Configuration
<br>
<details>
<summary>Delete Configuration</summary>
```xml ```xml
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncML xmlns='SYNCML:SYNCML1.2'>
@ -136,8 +130,6 @@ For more examples, see [AssignedAccessConfiguration examples](#assignedaccesscon
</SyncBody> </SyncBody>
</SyncML> </SyncML>
``` ```
</details>
<!-- Device-Configuration-Examples-End --> <!-- Device-Configuration-Examples-End -->
<!-- Device-Configuration-End --> <!-- Device-Configuration-End -->
@ -201,9 +193,7 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. --> <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
**Examples**: **Examples**:
<br> - Add KioskModeApp
<details>
<summary>Add KioskModeApp</summary>
```xml ```xml
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncML xmlns='SYNCML:SYNCML1.2'>
@ -225,11 +215,7 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu
</SyncML> </SyncML>
``` ```
</details> - Delete KioskModeApp
<br>
<details>
<summary>Delete KioskModeApp</summary>
```xml ```xml
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncML xmlns='SYNCML:SYNCML1.2'>
@ -247,11 +233,7 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu
</SyncML> </SyncML>
``` ```
</details> - Get KioskModeApp
<br>
<details>
<summary>Get KioskModeApp</summary>
```xml ```xml
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncML xmlns='SYNCML:SYNCML1.2'>
@ -269,11 +251,7 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu
</SyncML> </SyncML>
``` ```
</details> - Replace KioskModeApp
<br>
<details>
<summary>Replace KioskModeApp</summary>
```xml ```xml
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncML xmlns='SYNCML:SYNCML1.2'>
@ -294,8 +272,6 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu
</SyncBody> </SyncBody>
</SyncML> </SyncML>
``` ```
</details>
<!-- Device-KioskModeApp-Examples-End --> <!-- Device-KioskModeApp-Examples-End -->
<!-- Device-KioskModeApp-End --> <!-- Device-KioskModeApp-End -->
@ -351,9 +327,7 @@ For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllau
> [!NOTE] > [!NOTE]
> Shell Launcher V2 uses a separate XSD and namespace for backward compatibility. The original V1 XSD has a reference to the V2 XSD. > Shell Launcher V2 uses a separate XSD and namespace for backward compatibility. The original V1 XSD has a reference to the V2 XSD.
<br> - Shell Launcher V1 XSD
<details>
<summary>Shell Launcher V1 XSD</summary>
```xml ```xml
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
@ -510,11 +484,7 @@ For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllau
</xs:schema> </xs:schema>
``` ```
</details> - Shell Launcher V2 XSD
<br>
<details>
<summary>Shell Launcher V2 XSD</summary>
```xml ```xml
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
@ -540,13 +510,9 @@ For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllau
</xs:schema> </xs:schema>
``` ```
</details><br>
**Examples**: **Examples**:
<br> - Add
<details>
<summary>Add</summary>
```xml ```xml
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncML xmlns='SYNCML:SYNCML1.2'>
@ -616,11 +582,7 @@ For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllau
</SyncML> </SyncML>
``` ```
</details> - Add AutoLogon
<br>
<details>
<summary>Add AutoLogon</summary>
This function creates an auto-logon account on your behalf. It's a standard user with no password. The auto-logon account is managed by AssignedAccessCSP, so the account name isn't exposed. This function creates an auto-logon account on your behalf. It's a standard user with no password. The auto-logon account is managed by AssignedAccessCSP, so the account name isn't exposed.
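Review bot: the description line `This function creates an auto-logon account on your behalf...` now sits at column 0 directly under `- Add AutoLogon`, so it renders as a section-level paragraph rather than as that one example's explanation. Indent it under the bullet so it stays attached to the Add AutoLogon example (the `> [!NOTE]` under the breakout-sequence example later in this file has the same issue); the statement that the created account is a passwordless standard user should remain visibly tied to the example it applies to.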
@ -674,11 +636,7 @@ This function creates an auto-logon account on your behalf. It's a standard user
</SyncML> </SyncML>
``` ```
</details> - V2 Add
<br>
<details>
<summary>V2 Add</summary>
```xml ```xml
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncML xmlns='SYNCML:SYNCML1.2'>
@ -731,14 +689,9 @@ xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
<Final /> <Final />
</SyncBody> </SyncBody>
</SyncML> </SyncML>
``` ```
</details> - Get
<br>
<details>
<summary>Get</summary>
```xml ```xml
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncML xmlns='SYNCML:SYNCML1.2'>
@ -755,8 +708,6 @@ xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
</SyncBody> </SyncBody>
</SyncML> </SyncML>
``` ```
</details>
<!-- Device-ShellLauncher-Examples-End --> <!-- Device-ShellLauncher-Examples-End -->
<!-- Device-ShellLauncher-End --> <!-- Device-ShellLauncher-End -->
@ -814,10 +765,6 @@ Additionally, the Status payload includes the following fields:
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. --> <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
**AssignedAccessAlert XSD**: **AssignedAccessAlert XSD**:
<br>
<details>
<summary>Expand this section to see the schema XML</summary>
```xml ```xml
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<xs:schema <xs:schema
@ -878,8 +825,6 @@ Additionally, the Status payload includes the following fields:
</xs:schema> </xs:schema>
``` ```
</details><br>
**Example**: **Example**:
```xml ```xml
@ -954,10 +899,6 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. --> <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
**StatusConfiguration XSD**: **StatusConfiguration XSD**:
<br>
<details>
<summary>Expand this section to see the schema XML</summary>
```xml ```xml
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<xs:schema <xs:schema
@ -987,13 +928,9 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
</xs:schema> </xs:schema>
``` ```
</details><br>
**Examples**: **Examples**:
<br> - Add StatusConfiguration with StatusEnabled set to OnWithAlerts
<details>
<summary>Add StatusConfiguration with StatusEnabled set to OnWithAlerts</summary>
```xml ```xml
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncML xmlns='SYNCML:SYNCML1.2'>
@ -1022,11 +959,7 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
</SyncML> </SyncML>
``` ```
</details> - Delete StatusConfiguration
<br>
<details>
<summary>Delete StatusConfiguration</summary>
```xml ```xml
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncML xmlns='SYNCML:SYNCML1.2'>
@ -1044,11 +977,7 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
</SyncML> </SyncML>
``` ```
</details> - Get StatusConfiguration
<br>
<details>
<summary>Get StatusConfiguration</summary>
```xml ```xml
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncML xmlns='SYNCML:SYNCML1.2'>
@ -1066,11 +995,7 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
</SyncML> </SyncML>
``` ```
</details> - Replace StatusEnabled value with On
<br>
<details>
<summary>Replace StatusEnabled value with On</summary>
```xml ```xml
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncML xmlns='SYNCML:SYNCML1.2'>
@ -1098,8 +1023,6 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
</SyncBody> </SyncBody>
</SyncML> </SyncML>
``` ```
</details>
<!-- Device-StatusConfiguration-Examples-End --> <!-- Device-StatusConfiguration-Examples-End -->
<!-- Device-StatusConfiguration-End --> <!-- Device-StatusConfiguration-End -->
@ -1108,9 +1031,7 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
## AssignedAccessConfiguration XSD ## AssignedAccessConfiguration XSD
<br> - Schema for AssignedAccessConfiguration.
<details>
<summary>Schema for AssignedAccessConfiguration.</summary>
```xml ```xml
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
@ -1308,11 +1229,7 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
</xs:schema>); </xs:schema>);
``` ```
</details> - Schema for features introduced in Windows 10, version 1909 which added support for Microsoft Edge kiosk mode and breakout key sequence customization.
<br>
<details>
<summary>Schema for features introduced in Windows 10, version 1909 which added support for Microsoft Edge kiosk mode and breakout key sequence customization.</summary>
```xml ```xml
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
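Review bot: the context line `</xs:schema>);` in the AssignedAccessConfiguration XSD block carries a trailing `);` that is not XML and will trip anyone who pastes the schema into a validator; since this block is being touched anyway, drop the stray characters so the block ends with `</xs:schema>`.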
@ -1338,11 +1255,7 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
</xs:schema> </xs:schema>
``` ```
</details> - Schema for new features introduced in Windows 10 1809 release.
<br>
<details>
<summary>Schema for new features introduced in Windows 10 1809 release.</summary>
```xml ```xml
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
@ -1388,11 +1301,7 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
</xs:schema> </xs:schema>
``` ```
</details> - Schema for Windows 10 prerelease.
<br>
<details>
<summary>Schema for Windows 10 prerelease.</summary>
```xml ```xml
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
@ -1423,8 +1332,6 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
</xs:schema> </xs:schema>
``` ```
</details>
## AssignedAccessConfiguration examples ## AssignedAccessConfiguration examples
> [!NOTE] > [!NOTE]
@ -1444,9 +1351,7 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
> </AssignedAccessConfiguration> > </AssignedAccessConfiguration>
> ``` > ```
<br> - Example XML configuration for a multi-app kiosk for Windows 10.
<details>
<summary>Example XML configuration for a multi-app kiosk for Windows 10.</summary>
```xml ```xml
<?xml version="1.0" encoding="utf-8" ?> <?xml version="1.0" encoding="utf-8" ?>
@ -1499,11 +1404,7 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
</AssignedAccessConfiguration> </AssignedAccessConfiguration>
``` ```
</details> - Example XML configuration for a Microsoft Edge kiosk. This Microsoft Edge kiosk is configured to launch www.bing.com on startup in a public browsing mode.
<br>
<details>
<summary>Example XML configuration for a Microsoft Edge kiosk. This Microsoft Edge kiosk is configured to launch www.bing.com on startup in a public browsing mode.</summary>
```xml ```xml
<?xml version="1.0" encoding="utf-8" ?> <?xml version="1.0" encoding="utf-8" ?>
@ -1526,11 +1427,7 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
</AssignedAccessConfiguration> </AssignedAccessConfiguration>
``` ```
</details> - Example XML configuration for setting a breakout sequence to be Ctrl+A on a Microsoft Edge kiosk.
<br>
<details>
<summary>Example XML configuration for setting a breakout sequence to be Ctrl+A on a Microsoft Edge kiosk.</summary>
> [!NOTE] > [!NOTE]
> **BreakoutSequence** can be applied to any kiosk type, not just an Edge kiosk. > **BreakoutSequence** can be applied to any kiosk type, not just an Edge kiosk.
@ -1563,10 +1460,6 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
This example configures the following apps: Skype, Learning, Feedback Hub, and Calibration, for first line workers. Use this XML in a provisioning package using Windows Configuration Designer. For instructions, see [Configure HoloLens using a provisioning package](/hololens/hololens-provisioning). This example configures the following apps: Skype, Learning, Feedback Hub, and Calibration, for first line workers. Use this XML in a provisioning package using Windows Configuration Designer. For instructions, see [Configure HoloLens using a provisioning package](/hololens/hololens-provisioning).
<br>
<details>
<summary>Expand this section to see the example.</summary>
```xml ```xml
<?xml version="1.0" encoding="utf-8" ?> <?xml version="1.0" encoding="utf-8" ?>
<!-- <!--
@ -1623,8 +1516,6 @@ This example configures the following apps: Skype, Learning, Feedback Hub, and C
</AssignedAccessConfiguration> </AssignedAccessConfiguration>
``` ```
</details>
## Handling XML in Configuration ## Handling XML in Configuration
XML encoding (escaped) and CDATA of the XML in the Data node will both ensure that DM client can properly interpret the SyncML and send the configuration xml as string (in original format, unescaped) to AssignedAccess CSP to handle. XML encoding (escaped) and CDATA of the XML in the Data node will both ensure that DM client can properly interpret the SyncML and send the configuration xml as string (in original format, unescaped) to AssignedAccess CSP to handle.
@ -1633,9 +1524,7 @@ Similarly, the StartLayout xml inside the configuration xml is using the same fo
Escape and CDATA are mechanisms used when handling xml in xml. Consider that it's a transportation channel to send the configuration xml as payload from server to client. It's transparent to both, the end user who configures the CSP and to our CSP. Both the customer on the server side and our CSP must only see the original configuration XML. Escape and CDATA are mechanisms used when handling xml in xml. Consider that it's a transportation channel to send the configuration xml as payload from server to client. It's transparent to both, the end user who configures the CSP and to our CSP. Both the customer on the server side and our CSP must only see the original configuration XML.
<br> - This example shows escaped XML of the Data node.
<details>
<summary>This example shows escaped XML of the Data node.</summary>
```xml ```xml
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncML xmlns='SYNCML:SYNCML1.2'>
@ -1709,9 +1598,7 @@ Escape and CDATA are mechanisms used when handling xml in xml. Consider that it'
</details> </details>
<br> - This example shows CData for the XML.
<details>
<summary>This example shows CData for the XML.</summary>
```xml ```xml
<SyncML xmlns='SYNCML:SYNCML1.2'> <SyncML xmlns='SYNCML:SYNCML1.2'>
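Review bot: the unchanged context line `</details>` at the top of this hunk is now an orphan: its opening `<details>` for the escaped-XML example was removed in the previous hunk, but this closing tag survives in the new file. Remove it as well, otherwise the rendered page carries a dangling `</details>` between the two Handling XML examples.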
@ -1782,8 +1669,6 @@ Escape and CDATA are mechanisms used when handling xml in xml. Consider that it'
</SyncBody> </SyncBody>
</SyncML> </SyncML>
``` ```
</details>
<!-- AssignedAccess-CspMoreInfo-End --> <!-- AssignedAccess-CspMoreInfo-End -->
<!-- AssignedAccess-End --> <!-- AssignedAccess-End -->

View File

@ -107,10 +107,7 @@ For **single policy format WDAC policies**, in addition to the two locations abo
Then restart the computer. Then restart the computer.
#### Sample script #### Sample script to delete a single WDAC policy
<details>
<summary>Expand this section to see a sample script to delete a single WDAC policy</summary>
```powershell ```powershell
# Set PolicyId GUID to the PolicyId from your WDAC policy XML # Set PolicyId GUID to the PolicyId from your WDAC policy XML
@ -158,8 +155,6 @@ Then restart the computer.
mountvol $MountPoint /D mountvol $MountPoint /D
``` ```
</Details>
> [!NOTE] > [!NOTE]
> You must run the script as administrator to remove WDAC policies on your computer. > You must run the script as administrator to remove WDAC policies on your computer.
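Review bot: with the expander gone, the `> [!NOTE]` stating that the script must run as administrator now appears only after the full script, so a reader who copies the script sees the requirement last. Consider moving that note directly under the new `#### Sample script to delete a single WDAC policy` heading.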


@ -113,9 +113,7 @@ If you wish to use this blocklist policy on Windows Server 2016, locate the deny
The blocklist policy below includes "Allow all" rules for both kernel and user mode that make it safe to deploy as a standalone WDAC policy. On Windows versions 1903 and above, Microsoft recommends converting this policy to multiple policy format using the *Set-CiPolicyIdInfo* cmdlet with the *-ResetPolicyId* switch. Then, you can deploy it as a Base policy side-by-side with any other policies in your environment. To instead add these rules to an existing Base policy, you can merge the policy below using the *Merge-CIPolicy* cmdlet. If merging into an existing policy that includes an explicit allowlist, you should first remove the two "Allow all" rules and their corresponding FileRuleRefs from the sample policy below. The blocklist policy below includes "Allow all" rules for both kernel and user mode that make it safe to deploy as a standalone WDAC policy. On Windows versions 1903 and above, Microsoft recommends converting this policy to multiple policy format using the *Set-CiPolicyIdInfo* cmdlet with the *-ResetPolicyId* switch. Then, you can deploy it as a Base policy side-by-side with any other policies in your environment. To instead add these rules to an existing Base policy, you can merge the policy below using the *Merge-CIPolicy* cmdlet. If merging into an existing policy that includes an explicit allowlist, you should first remove the two "Allow all" rules and their corresponding FileRuleRefs from the sample policy below.
<br> **WDAC policy XML**:
<details>
<summary>Expand this section to see the WDAC policy XML</summary>
```xml ```xml
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
@ -1512,8 +1510,6 @@ The blocklist policy below includes "Allow all" rules for both kernel and user m
</SiPolicy> </SiPolicy>
``` ```
</details>
## More information ## More information
- [Merge WDAC policies](merge-windows-defender-application-control-policies.md) - [Merge WDAC policies](merge-windows-defender-application-control-policies.md)


@ -61,14 +61,39 @@ Customers who always want the most up-to-date driver blocklist can also use Wind
## Blocking vulnerable drivers using WDAC ## Blocking vulnerable drivers using WDAC
Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can cause devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) and review the audit block events. Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking [this list of drivers](#vulnerable-driver-blocklist-xml) within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can cause devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) and review the audit block events.
> [!IMPORTANT] > [!IMPORTANT]
> Microsoft also recommends enabling Attack Surface Reduction (ASR) rule [**Block abuse of exploited vulnerable signed drivers**](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-abuse-of-exploited-vulnerable-signed-drivers) to prevent an application from writing a vulnerable signed driver to disk. The ASR rule doesn't block a driver already existing on the system from loading, however enabling **Microsoft vulnerable driver blocklist** or applying this WDAC policy will prevent the existing driver from loading. > Microsoft also recommends enabling Attack Surface Reduction (ASR) rule [**Block abuse of exploited vulnerable signed drivers**](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-abuse-of-exploited-vulnerable-signed-drivers) to prevent an application from writing a vulnerable signed driver to disk. The ASR rule doesn't block a driver already existing on the system from loading, however enabling **Microsoft vulnerable driver blocklist** or applying this WDAC policy will prevent the existing driver from loading.
<br> ## Steps to download and apply the vulnerable driver blocklist binary
<details>
<summary>Expand this section to see the blocklist WDAC policy XML</summary> If you prefer to apply the [vulnerable driver blocklist](#vulnerable-driver-blocklist-xml) exactly as shown, follow these steps:
1. Download the [WDAC policy refresh tool](https://aka.ms/refreshpolicy)
2. Download and extract the [vulnerable driver blocklist binaries](https://aka.ms/VulnerableDriverBlockList)
3. Select either the audit only version or the enforced version and rename the file to SiPolicy.p7b
4. Copy SiPolicy.p7b to %windir%\system32\CodeIntegrity
5. Run the WDAC policy refresh tool you downloaded in Step 1 above to activate and refresh all WDAC policies on your computer
To check that the policy was successfully applied on your computer:
1. Open Event Viewer
2. Browse to **Applications and Services Logs - Microsoft - Windows - CodeIntegrity - Operational**
3. Select **Filter Current Log...**
4. Replace "&lt;All Event IDs&gt;" with "3099" and select OK.
5. Look for a 3099 event where the PolicyNameBuffer and PolicyIdBuffer match the Name and Id PolicyInfo settings found at the bottom of the blocklist WDAC Policy XML in this article. NOTE: Your computer may have more than one 3099 event if other WDAC policies are also present.
> [!NOTE]
> If any vulnerable drivers are already running that would be blocked by the policy, you must reboot your computer for those drivers to be blocked. Running processes aren't shutdown when activating a new WDAC policy without reboot.
## Vulnerable driver blocklist XML
> [!IMPORTANT]
> The policy listed below contains **Allow All** rules. If your version of Windows supports WDAC multiple policies, we recommend deploying this policy alongside any existing WDAC policies. If you do plan to merge this policy with another policy, you may need to remove the **Allow All** rules before merging it if the other policy applies an explicit allow list. For more information, see [Create a WDAC Deny Policy](/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy#single-policy-considerations).
> [!NOTE]
> To use this policy with Windows Server 2016, you must convert the policy XML on a device running a newer operating system.
```xml ```xml
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
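Review bot: step 5 of the verification list (`Look for a 3099 event where the PolicyNameBuffer and PolicyIdBuffer match...`) refers to "the bottom of the blocklist WDAC Policy XML in this article" without the `#vulnerable-driver-blocklist-xml` anchor that the intro paragraph and the `If you prefer to apply...` sentence now use; link it the same way, since after this reordering the XML follows these steps instead of preceding them. Two smaller points in the same hunk: the moved note reads `Running processes aren't shutdown`, which should be `shut down`, and the inline `NOTE:` inside step 5 could use the `> [!NOTE]` form the rest of the page uses.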
@ -2879,35 +2904,6 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
</SiPolicy> </SiPolicy>
``` ```
</details>
> [!NOTE]
> The policy listed above contains **Allow All** rules. If your version of Windows supports WDAC multiple policies, we recommend deploying this policy alongside any existing WDAC policies. If you do plan to merge this policy with another policy, you may need to remove the **Allow All** rules before merging it if the other policy applies an explicit allow list. For more information, see [Create a WDAC Deny Policy](/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy#single-policy-considerations).
> [!NOTE]
> To use the policy above with Windows Server 2016, you must convert the policy XML on a device running a newer operating system.
## Steps to download and apply the vulnerable driver blocklist binary
If you prefer to apply the vulnerable driver blocklist exactly as shown above, follow these steps:
1. Download the [WDAC policy refresh tool](https://aka.ms/refreshpolicy)
2. Download and extract the [vulnerable driver blocklist binaries](https://aka.ms/VulnerableDriverBlockList)
3. Select either the audit only version or the enforced version and rename the file to SiPolicy.p7b
4. Copy SiPolicy.p7b to %windir%\system32\CodeIntegrity
5. Run the WDAC policy refresh tool you downloaded in Step 1 above to activate and refresh all WDAC policies on your computer
To check that the policy was successfully applied on your computer:
1. Open Event Viewer
2. Browse to **Applications and Services Logs - Microsoft - Windows - CodeIntegrity - Operational**
3. Select **Filter Current Log...**
4. Replace "&lt;All Event IDs&gt;" with "3099" and select OK.
5. Look for a 3099 event where the PolicyNameBuffer and PolicyIdBuffer match the Name and Id PolicyInfo settings found at the bottom of the blocklist WDAC Policy XML in this article. NOTE: Your computer may have more than one 3099 event if other WDAC policies are also present.
> [!NOTE]
> If any vulnerable drivers are already running that would be blocked by the policy, you must reboot your computer for those drivers to be blocked. Running processes aren't shutdown when activating a new WDAC policy without reboot.
## More information ## More information
- [Merge Windows Defender Application Control policies](/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies) - [Merge Windows Defender Application Control policies](/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies)